From 63689c443e747e4354d149205e99f0a6b00bc535 Mon Sep 17 00:00:00 2001
From: Raphael Reynaldi <raphael.reynaldi20@gmail.com>
Date: Wed, 13 May 2026 07:47:51 +0700
Subject: [PATCH] feat: Insight popup demo service

---
 .env.example                                  |   2 +
 docs/ai-insights.md                           |  16 +++
 docs/extension-pairing.md                     |  20 +++-
 k8s/deployment.yaml                           |   3 +
 k8s/ingress.yaml                              |   5 +-
 openspec.yaml                                 |  43 +++++++
 .../add-demo-insight-trigger/.openspec.yaml   |   2 +
 .../add-demo-insight-trigger/design.md        |  94 ++++++++++++++++
 .../add-demo-insight-trigger/proposal.md      |  45 ++++++++
 .../specs/insight-triggering/spec.md          | 105 ++++++++++++++++++
 .../changes/add-demo-insight-trigger/tasks.md |  58 ++++++++++
 .../update-extension-popup-url/.openspec.yaml |   2 +
 .../update-extension-popup-url/design.md      |  73 ++++++++++++
 .../update-extension-popup-url/proposal.md    |  27 +++++
 .../specs/extension-integration/spec.md       |  25 +++++
 .../update-extension-popup-url/tasks.md       |  28 +++++
 src/controllers/recommendations.controller.js |  43 +++++++
 src/routes/recommendations.routes.js          |   2 +
 src/services/insight-trigger.service.js       |  61 ++++++++++
 src/services/pairing.service.js               |   4 +-
 20 files changed, 654 insertions(+), 4 deletions(-)
 create mode 100644 openspec/changes/add-demo-insight-trigger/.openspec.yaml
 create mode 100644 openspec/changes/add-demo-insight-trigger/design.md
 create mode 100644 openspec/changes/add-demo-insight-trigger/proposal.md
 create mode 100644 openspec/changes/add-demo-insight-trigger/specs/insight-triggering/spec.md
 create mode 100644 openspec/changes/add-demo-insight-trigger/tasks.md
 create mode 100644 openspec/changes/update-extension-popup-url/.openspec.yaml
 create mode 100644 openspec/changes/update-extension-popup-url/design.md
 create mode 100644 openspec/changes/update-extension-popup-url/proposal.md
 create mode 100644 openspec/changes/update-extension-popup-url/specs/extension-integration/spec.md
 create mode 100644 openspec/changes/update-extension-popup-url/tasks.md

diff --git a/.env.example b/.env.example
index 1d7bed7..e902568 100644
--- a/.env.example
+++ b/.env.example
@@ -33,4 +33,6 @@ CORS_ALLOWED_ORIGINS=http://localhost:5173,https://who-goes-to-try.hackathon.sev
 
 # Frontend origin used to build the verification URI returned by POST /api/v1/auth/pairings.
 # The extension opens FRONTEND_URL/extension/pair?code=<user_code> in the browser.
+# Defaults in code to https://who-goes-to-try.hackathon.sev-2.com — this variable is optional.
+# Set it only to override the default (e.g., point the extension at a local frontend during dev).
 FRONTEND_URL=http://localhost:5173
diff --git a/docs/ai-insights.md b/docs/ai-insights.md
index 8c7b21f..64cad56 100644
--- a/docs/ai-insights.md
+++ b/docs/ai-insights.md
@@ -79,3 +79,19 @@ All require JWT or `dvf_` API token auth. The action endpoint also verifies owne
 - **Extension polls every 60 s.** Worst case the popup is delayed by one poll interval. Acceptable for "consider a break" UX.
 
 Cross-reference: this pipeline reads from `metrics_daily` and `metrics_session` populated by the [metrics ETL](metrics.md).
+
+## Manual trigger (demo / debugging escape hatch)
+
+`POST /api/v1/recommendations/trigger` lets a signed-in user force the insight pipeline to run immediately, instead of waiting on the 10-minute scheduler tick. **This is an escape hatch for demos and live debugging — not a production feature.** A logged-in user can produce a popup on demand by spamming the `demo` mode; this is acceptable per-user but not something to advertise to end users.
+
+Body: `{ "mode": "real" | "force" | "demo" }`. Mode defaults to `"real"`.
+
+| Mode | Behaviour |
+| --- | --- |
+| `real` | Invokes `evaluateUser` with all gates intact (cooldown, rules, Gemini). Returns `{ skipped, reason }` or `{ skipped: false, rule, state_type, recommendation_id }`. |
+| `force` | Marks the user's latest pending recommendation as `expired`, then runs `evaluateUser`. Cooldown is bypassed; the rule + LLM gates still apply. |
+| `demo` | Fabricates a canned `WorkflowState` (`state_type = 'demo'`) + `Recommendation`. No Gemini call. Returns HTTP 409 if the user has no active session. |
+
+Every successful call emits a single `logger.info('recommendation-trigger', { user_id, mode, outcome })` line.
+
+In the VSCode extension, **DevVital AI: Trigger Insight** (command palette) opens a quick-pick of the three modes. After POSTing, the extension immediately polls `/recommendations/pending` so the resulting popup surfaces within a second or two.
diff --git a/docs/extension-pairing.md b/docs/extension-pairing.md
index 7dbb97b..a77bb28 100644
--- a/docs/extension-pairing.md
+++ b/docs/extension-pairing.md
@@ -57,6 +57,24 @@ No authentication. Rate-limited to one request per second per `pairing_id`.
 
 ## Configuration
 
-The backend builds `verification_uri` from `FRONTEND_URL`. Set this to the public origin of the frontend, e.g. `https://who-goes-to-try.hackathon.sev-2.com`. Defaults to `http://localhost:5173` in development.
+The backend builds `verification_uri` from `FRONTEND_URL`. In application code this defaults to `https://who-goes-to-try.hackathon.sev-2.com`, so production pods do not need to inject the variable to get the right pairing URL. Set `FRONTEND_URL` only when you need to override the default — typically `http://localhost:5173` for local development.
+
+```env
+# Local development override
+FRONTEND_URL=http://localhost:5173
+```
+
+After rollout, smoke-test the public pairing URL:
+
+```bash
+curl -s -X POST https://who-goes-to-try.hackathon.sev-2.com/api/v1/auth/pairings \
+  | jq -r '.verification_uri'
+```
+
+Expected output:
+
+```text
+https://who-goes-to-try.hackathon.sev-2.com/extension/pair
+```
 
 Expired rows are pruned every 5 minutes (`pairing.service.js#cleanupExpired`); the cleanup removes rows whose `expires_at` is more than one hour in the past so a slow extension still finds its row.
diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
index b07e4c7..f1e6bcb 100644
--- a/k8s/deployment.yaml
+++ b/k8s/deployment.yaml
@@ -23,6 +23,9 @@ spec:
           imagePullPolicy: Always
           ports:
             - containerPort: 3000
+          env:
+            - name: FRONTEND_URL
+              value: "https://who-goes-to-try.hackathon.sev-2.com"
           envFrom:
             - secretRef:
                 name: who-goes-to-try-backend-secret
diff --git a/k8s/ingress.yaml b/k8s/ingress.yaml
index 564a943..122a637 100644
--- a/k8s/ingress.yaml
+++ b/k8s/ingress.yaml
@@ -5,9 +5,12 @@ metadata:
   namespace: who-goes-to-try
   annotations:
     cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    traefik.ingress.kubernetes.io/router.middlewares: who-goes-to-try-strip-api@kubernetescrd
 spec:
   ingressClassName: traefik
+  tls:
+    - hosts:
+        - who-goes-to-try.hackathon.sev-2.com
+      secretName: who-goes-to-try-tls-cert
   rules:
     - host: who-goes-to-try.hackathon.sev-2.com
       http:
diff --git a/openspec.yaml b/openspec.yaml
index 5a6b42f..b96c887 100644
--- a/openspec.yaml
+++ b/openspec.yaml
@@ -958,3 +958,46 @@ paths:
           description: Recommendation not found
         '409':
           description: Recommendation already acted on
+
+  /recommendations/trigger:
+    post:
+      summary: Manually trigger an insight evaluation (demo / debugging escape hatch)
+      operationId: triggerRecommendation
+      security:
+        - bearerAuth: []
+        - cookieAuth: []
+      requestBody:
+        required: false
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                mode:
+                  type: string
+                  enum: [real, force, demo]
+                  description: |
+                    real: invoke evaluateUser with full gates (cooldown, rules, LLM).
+                    force: expire latest pending recommendation, then evaluateUser.
+                    demo: fabricate a canned recommendation; no LLM call.
+                    Defaults to "real" when omitted.
+      responses:
+        '200':
+          description: Trigger processed. Body shape varies by mode and outcome.
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  skipped: { type: boolean }
+                  reason: { type: string }
+                  mode: { type: string }
+                  rule: { type: string }
+                  state_type: { type: string }
+                  recommendation_id: { type: integer }
+        '400':
+          description: Validation failed (invalid mode)
+        '401':
+          description: Unauthorized
+        '409':
+          description: No active session (demo mode only)
diff --git a/openspec/changes/add-demo-insight-trigger/.openspec.yaml b/openspec/changes/add-demo-insight-trigger/.openspec.yaml
new file mode 100644
index 0000000..93831bd
--- /dev/null
+++ b/openspec/changes/add-demo-insight-trigger/.openspec.yaml
@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-05-13
diff --git a/openspec/changes/add-demo-insight-trigger/design.md b/openspec/changes/add-demo-insight-trigger/design.md
new file mode 100644
index 0000000..ee9727a
--- /dev/null
+++ b/openspec/changes/add-demo-insight-trigger/design.md
@@ -0,0 +1,94 @@
+## Context
+
+The recommendation system in [insight-scheduler.js](src/services/insight-scheduler.js) runs `evaluateUser` on a configurable interval (default 10 min) for every active user. `evaluateUser` gates on Gemini being configured, cooldown not elapsed, a current session existing, at least one of four rules firing on `metrics_daily`, and the LLM returning a non-`normal` `state_type`. Any one failing → no recommendation → no popup. For a hackathon demo this means the audience may see nothing for the whole 10-minute window.
+
+Today the extension [`RecommendationService`](../devFlowExtension/src/services/recommendationService.ts) polls `GET /recommendations/pending` every 60s and surfaces any row whose `user_action IS NULL` as a `vscode.window.showInformationMessage` toast. The plumbing is healthy; the input — `Recommendation` rows being created — is what's intermittent.
+
+The proposed `POST /recommendations/trigger` endpoint plus the **DevVital AI: Trigger Insight** command give a presenter a button to force the popup to appear on demand, with graceful degradation: `real` is honest, `force` is "I know you should fire," `demo` is "the wifi is bad, but the slide must go on."
+
+Constraints:
+- No database schema migration. Reuse `workflow_states` and `recommendations`.
+- No production hardening. JWT auth is the only gate.
+- Bundle entirely inside this one change — no follow-up PRs needed for the demo to work.
+- Do not interfere with the scheduler. The scheduler keeps running unchanged.
+
+## Goals / Non-Goals
+
+**Goals:**
+- A presenter can produce a popup within a few seconds at any point during the demo.
+- The "honest" path is preferred: `real` shows what users actually see; `force` shows "imagine the cooldown isn't blocking us"; `demo` is the last-resort fallback.
+- Implementation is small enough to ship the same day.
+
+**Non-Goals:**
+- A general-purpose admin tool for manipulating recommendations.
+- A way to *suppress* popups (we have cooldown for that).
+- Rate limiting / abuse prevention. A logged-in user spamming `demo` mode only floods their own history.
+- Telemetry on how often the demo trigger is used.
+- Frontend UI to display "this recommendation was triggered manually." Doesn't matter for the demo, and adds scope.
+- Replacing the four-rule engine or the LLM prompt. That's `llm-driven-insight-trigger`, a separate change.
+
+## Decisions
+
+### Decision 1: Single endpoint with `mode` field, not three separate endpoints
+
+Why: All three modes share the same auth, the same response shape, the same logging. Splitting them into three URLs trades one POST for three URLs the frontend has to know about. One endpoint with a discriminated body is the standard REST shape for "do one of three related things."
+
+Alternative considered: `POST /recommendations/trigger`, `POST /recommendations/trigger/force`, `POST /recommendations/trigger/demo`. Rejected — more route surface, more docs, no upside.
+
+### Decision 2: `force` does NOT skip the no-rule-fired gate
+
+Why: The point of `force` is to bypass *cooldown*, not to bypass the rules. If we made force always recommend, it would duplicate `demo` and confuse the demo story. Force is "imagine we weren't in cooldown — would a real recommendation fire right now?" If the answer is "no, no rule fires," that's an honest demo signal: the system is working, just doesn't see a reason to interrupt.
+
+Alternative considered: `force` also bypasses the rules and always invokes the LLM. Rejected — see above.
+
+### Decision 3: `demo` mode creates a real `WorkflowState` row
+
+Why: The recommendations controller's `getPending` JOINs `recommendations → workflow_states → sessions`. A `Recommendation` without a `WorkflowState` and `Session` won't surface. We need a row in each table. The cheapest way is `state_type: 'demo'` so it's instantly recognisable as fake when grepping the DB later.
+
+Alternative considered: SQL-insert the recommendation directly with `workflow_state_id` pointing to an existing row. Rejected — coupling to whatever happens to be the latest workflow state is fragile; just create a fresh one.
+
+### Decision 4: Canned demo text is hardcoded, not configurable
+
+Why: Configuration cost vs demo value is wildly imbalanced. A presenter can do one demo with one message. If they need a different message later, edit the constant.
+
+The canned message: `"You've been heads-down for a while. Consider stepping away for 5 minutes — your next bug is probably hiding behind a clear head."` ≤ 240 chars (within the existing Recommendation text limit), second-person, one concrete action, matches the tone of LLM-generated messages.
+
+### Decision 5: Force mode "expires" the latest pending recommendation, not all of them
+
+Why: The cooldown logic in `getLatestRecommendationForUser` looks at the user's single most-recent recommendation, regardless of `user_action`. So we only need to flip the one most-recent row to `expired` to make the cooldown check pass. Going further (expiring all pending rows) is destructive and could mask bugs in the cooldown logic itself.
+
+Alternative considered: temporarily ignore cooldown via a flag passed into `evaluateUser`. Rejected — `evaluateUser` would grow a `{ skipCooldown }` parameter that exists *only* for demo purposes. Worse separation than mutating the one row.
+
+### Decision 6: The extension reuses the existing `RecommendationService` instance
+
+Why: That service already owns the `apiBaseUrl` derivation and the `pollAndNotify` method. Adding a `triggerInsight(mode)` method to it keeps everything related in one file.
+
+Alternative considered: Spawn a new `InsightTriggerService` in the extension. Rejected — strictly more code, no benefit.
+
+### Decision 7: The quick-pick UI, not three palette commands
+
+Why: One palette entry (**DevVital AI: Trigger Insight**) keeps the command list clean. A quick-pick is one extra click during the demo — trivial. Three separate commands would be `triggerInsightReal`, `triggerInsightForce`, `triggerInsightDemo`, which clutters the palette for occasional use.
+
+Alternative considered: status bar item. Rejected for scope — the demo only needs the popup to fire, not a permanent UI surface.
+
+## Risks / Trade-offs
+
+- **Risk:** A user spams `demo` mode and floods their own recommendation history. → **Mitigation:** Document as known limitation. JWT auth means it stays scoped per user. Not exploitable cross-tenant.
+- **Risk:** `force` mode races with the scheduler — scheduler tick concurrently calls `evaluateUser` for the same user. → **Mitigation:** The `inFlight` Set in [insight-scheduler.js:21](src/services/insight-scheduler.js#L21) is per-process, but the trigger endpoint runs in the same process as the scheduler. Add the same `inFlight` guard in the controller, or accept duplicate-call possibility and rely on the cooldown query (which now is post-`force`-expire, so it'd see no recent recommendation and proceed). For a hackathon demo, the race is acceptable; document and move on.
+- **Risk:** `demo` mode creates a recommendation that bypasses the LLM, so any future audit ("show me Gemini's reasoning") finds `code_context.reasoning` is `null` or a string like `"Demo trigger — no LLM invocation."`. → **Mitigation:** Hardcode `code_context.reasoning = "Manually triggered demo recommendation; no Gemini call was made."`. Self-explanatory in the DB.
+- **Risk:** The endpoint exists in production. → **Mitigation:** It's authenticated, no destructive side effects beyond the user's own row. If we later want to disable it in prod, add a single `if (process.env.INSIGHTS_TRIGGER_DEMO_ENABLED === 'false') return 404` guard. Not building that now.
+- **Trade-off:** Bundling all three modes in one endpoint means a slightly larger PR surface than just shipping `demo`. Worth it because `real` + `force` exercise the real code path and give us a debugging tool beyond the demo.
+
+## Migration Plan
+
+1. Land the backend changes (route + controller + service helpers + openspec.yaml).
+2. Deploy the backend image — no env var changes required.
+3. Land the extension changes (package.json + extension.ts + recommendationService.ts).
+4. Recompile + reload the extension.
+5. Smoke-test the demo flow from the command palette: invoke the command three times, once per mode, verify the popup appears after `demo` and after `force` (assuming a recent recommendation exists for the cooldown bypass to matter), and that `real` either fires or returns a clear `skipped` reason.
+6. **Rollback:** revert the backend commit + redeploy. The extension command becomes a no-op (404 → output channel warning). No data cleanup needed; any `state_type = 'demo'` rows are harmless artifacts.
+
+## Open Questions
+
+- Should the canned demo recommendation be visually marked (e.g., prefixed `[Demo]`) in the popup? Trade-off: more honest, less impressive on stage. Decision: leave unmarked for the demo punch; revisit if we keep the trigger long-term.
+- Future: should there be an admin-only variant of `force` that lets you target another user's recommendation? Out of scope here, and probably never a good idea.
diff --git a/openspec/changes/add-demo-insight-trigger/proposal.md b/openspec/changes/add-demo-insight-trigger/proposal.md
new file mode 100644
index 0000000..0a56c0f
--- /dev/null
+++ b/openspec/changes/add-demo-insight-trigger/proposal.md
@@ -0,0 +1,45 @@
+## Why
+
+The insight/recommendation popup driven by [`insight-scheduler`](src/services/insight-scheduler.js) and [`insight-trigger.service`](src/services/insight-trigger.service.js) fires only when (a) the 10-minute scheduler tick runs, (b) one of four deterministic rules matches (very long session, long+high churn, rapid switching, delete-heavy rewriting), (c) the cooldown has elapsed, and (d) the LLM produces a non-normal `state_type`. In normal use this means a demo audience may sit for many minutes without ever seeing the popup — even though the underlying system is healthy. We need a way to **prove the end-to-end recommendation flow works**, on demand, during a hackathon demo or a live debugging session, without waiting on the scheduler or hoping rules trip.
+
+## What Changes
+
+- Add `POST /api/v1/recommendations/trigger` to the backend, authenticated with the same JWT/`dvf_` token middleware used by the rest of `/recommendations`. Body `{ mode: 'real' | 'force' | 'demo' }`, default `'real'`.
+  - `real`: invoke `evaluateUser(req.user.id)` once and return its result. Respects cooldown, Gemini config, and "no rule fired" gates exactly like the scheduler. Proves the *real* path.
+  - `force`: expire the user's latest pending recommendation first (so cooldown is moot), then `evaluateUser`. Still uses real rules + Gemini; useful when you know an insight *should* fire but cooldown is in the way.
+  - `demo`: fabricate a `WorkflowState` + `Recommendation` row with hardcoded canned text, no LLM call, no rule check. Bulletproof fallback when Gemini is unreachable or there's no real activity.
+- Add `devvitalAI.triggerInsight` command to the extension. Surfaced in the command palette as **DevVital AI: Trigger Insight**. Opens a `showQuickPick` letting the user choose `real / force / demo`, POSTs to the new endpoint, then calls `recommendationService.pollAndNotify()` so the popup appears within the next poll tick (≤60s; immediate in practice).
+- Document the endpoint and command in [docs/](docs/) so the demo runbook is reproducible.
+- All three modes emit a `logger.info` line tagged `recommendation-trigger` for auditability.
+
+Explicitly **out of scope**:
+- Keyboard shortcuts (can be added later via user `keybindings.json`).
+- Configurable demo text — the canned message is hardcoded.
+- Rate limiting (the existing JWT auth is sufficient gate).
+- Dashboard / UI in the frontend.
+- Production hardening — this is a demo-tool escape hatch and the proposal should not be misread as a general-purpose feature.
+
+## Capabilities
+
+### New Capabilities
+- `insight-triggering`: the device-driven entry point for invoking the LLM/rule-based insight pipeline on demand, distinct from the scheduler-driven path. Owns the `POST /recommendations/trigger` endpoint and the `mode` semantics.
+
+### Modified Capabilities
+<!-- none -->
+
+## Impact
+
+- Affected code (backend):
+  - [src/routes/recommendations.routes.js](src/routes/recommendations.routes.js) — new route.
+  - [src/controllers/recommendations.controller.js](src/controllers/recommendations.controller.js) — new `triggerRecommendation` handler.
+  - [src/services/insight-trigger.service.js](src/services/insight-trigger.service.js) — exports `evaluateUser` (already exported); add a `forceEvaluateUser` helper that expires latest then evaluates, and a `createDemoRecommendation` helper for the canned path.
+  - [openspec.yaml](openspec.yaml) — register the new endpoint + request/response schema for Ajv validation.
+- Affected code (extension):
+  - [package.json](../devFlowExtension/package.json) — register `devvitalAI.triggerInsight` in `contributes.commands`.
+  - [src/extension.ts](../devFlowExtension/src/extension.ts) — register command handler; reuses the existing `RecommendationService` instance.
+  - [src/services/recommendationService.ts](../devFlowExtension/src/services/recommendationService.ts) — add a `triggerInsight(mode)` method.
+- Docs: brief addition to recommendation docs explaining the demo command (no separate runbook file).
+- No database schema migration — uses existing `workflow_states` and `recommendations` tables.
+- No frontend dashboard change.
+- Cost: `real` and `force` each consume one Gemini API call (same as a scheduler tick). `demo` is free.
+- Risk: a signed-in user can spam `demo` mode to flood their own recommendation history. Acceptable for a hackathon; would not be acceptable for a production rollout (call out in design as a known limitation).
diff --git a/openspec/changes/add-demo-insight-trigger/specs/insight-triggering/spec.md b/openspec/changes/add-demo-insight-trigger/specs/insight-triggering/spec.md
new file mode 100644
index 0000000..e397238
--- /dev/null
+++ b/openspec/changes/add-demo-insight-trigger/specs/insight-triggering/spec.md
@@ -0,0 +1,105 @@
+## ADDED Requirements
+
+### Requirement: On-demand insight trigger endpoint
+
+The backend SHALL expose `POST /api/v1/recommendations/trigger`, authenticated identically to other `/recommendations/*` routes (JWT cookie or `Authorization: Bearer <dvf_… or jwt>`). The endpoint SHALL accept a JSON body `{ mode: "real" | "force" | "demo" }` where `mode` defaults to `"real"` when omitted or null, and SHALL reject any other value with HTTP 400.
+
+#### Scenario: Unauthenticated request
+
+- **WHEN** the endpoint is called with no JWT or API token
+- **THEN** the response SHALL be HTTP 401 and no recommendation row SHALL be created
+
+#### Scenario: Invalid mode value
+
+- **WHEN** the endpoint is called with `{ "mode": "production" }` by an authenticated user
+- **THEN** the response SHALL be HTTP 400 with an error message naming the valid modes (`real`, `force`, `demo`)
+
+#### Scenario: Missing body defaults to real
+
+- **WHEN** the endpoint is called by an authenticated user with no body or `{}`
+- **THEN** the server SHALL treat the request as `mode: "real"`
+
+### Requirement: Real mode mirrors scheduler behaviour
+
+The `real` mode SHALL invoke the same `evaluateUser(userId)` code path used by the scheduler, with no parameter changes. It SHALL respect the Gemini-configured gate, the cooldown gate, the no-session gate, the no-rule-fired gate, and the LLM-failed gate. The endpoint SHALL return the structured `{ skipped, reason }` or `{ skipped: false, rule, state_type, recommendation_id }` result as JSON, HTTP 200.
+
+#### Scenario: Real mode during cooldown
+
+- **WHEN** the user already has a recommendation created < `INSIGHT_COOLDOWN_MINUTES` ago and calls trigger with `mode: "real"`
+- **THEN** the response SHALL be HTTP 200 with `{ skipped: true, reason: "cooldown" }` and no new `Recommendation` row SHALL be created
+
+#### Scenario: Real mode with no active rule
+
+- **WHEN** the user has activity but no rule fires, and calls trigger with `mode: "real"`
+- **THEN** the response SHALL be HTTP 200 with `{ skipped: true, reason: "no_rule_fired" }` and no new `Recommendation` row SHALL be created
+
+#### Scenario: Real mode succeeds end-to-end
+
+- **WHEN** a rule fires and the LLM returns a non-normal state for `mode: "real"`
+- **THEN** the response SHALL be HTTP 200 with `{ skipped: false, ..., recommendation_id: <number> }` and exactly one new `Recommendation` row SHALL be created for the user
+
+### Requirement: Force mode bypasses cooldown
+
+The `force` mode SHALL, before invoking `evaluateUser`, expire (set `user_action = 'expired'`) the user's most recent pending recommendation if any. The remaining gates (Gemini-configured, no-session, no-rule-fired, LLM-failed) SHALL still apply. Force mode SHALL NOT alter recommendations belonging to other users.
+
+#### Scenario: Force expires latest then evaluates
+
+- **WHEN** the user has a pending recommendation < `INSIGHT_COOLDOWN_MINUTES` old, and calls trigger with `mode: "force"`
+- **THEN** the previously-pending recommendation SHALL be marked `user_action = 'expired'`, `evaluateUser` SHALL run, and if a rule fires a new `Recommendation` SHALL be created in the same call
+
+#### Scenario: Force still skips when no rule fires
+
+- **WHEN** the user calls trigger with `mode: "force"` but no rule fires
+- **THEN** the response SHALL be HTTP 200 with `{ skipped: true, reason: "no_rule_fired" }`
+
+#### Scenario: Force does not touch other users
+
+- **WHEN** user A calls trigger with `mode: "force"` while user B has a pending recommendation
+- **THEN** user B's recommendation SHALL remain `user_action = null` (untouched)
+
+### Requirement: Demo mode fabricates a canned recommendation
+
+The `demo` mode SHALL bypass `evaluateUser` entirely. It SHALL create exactly one `WorkflowState` (with `state_type = 'demo'`, `confidence_score = 1.0`, attached to the user's current session) and exactly one `Recommendation` (`recommendation_type = 'execute'`, hardcoded `recommendation_text`, `code_context.triggered_rule = 'demo_trigger'`, `user_action = null`). Demo mode SHALL succeed even when Gemini is not configured. If the user has no `Session` row, demo mode SHALL return HTTP 409 with reason `no_session` rather than fabricating a session.
+
+#### Scenario: Demo with active session
+
+- **WHEN** an authenticated user with an existing `Session` calls trigger with `mode: "demo"`
+- **THEN** a new `WorkflowState` with `state_type = 'demo'` and a new `Recommendation` SHALL be created, and the response SHALL be HTTP 200 with `{ skipped: false, mode: "demo", recommendation_id: <number> }`
+
+#### Scenario: Demo when Gemini is unconfigured
+
+- **WHEN** `GOOGLE_API_KEY` is unset on the server and the user calls trigger with `mode: "demo"`
+- **THEN** the request SHALL still succeed and create the canned recommendation row, because demo mode never invokes the LLM
+
+#### Scenario: Demo when the user has no session
+
+- **WHEN** an authenticated user with no `Session` row calls trigger with `mode: "demo"`
+- **THEN** the response SHALL be HTTP 409 with `{ skipped: true, reason: "no_session" }`
+
+### Requirement: All trigger calls are logged
+
+Every successful `POST /recommendations/trigger` invocation SHALL emit a single `logger.info` entry tagged `recommendation-trigger` recording `user_id`, `mode`, and the outcome (`skipped` + `reason`, or `recommendation_id`). Failed authentication SHALL NOT emit this log.
+
+#### Scenario: Demo invocation is logged
+
+- **WHEN** an authenticated user calls trigger with `mode: "demo"` and a row is created
+- **THEN** the backend logs SHALL contain a line including `recommendation-trigger`, `user_id`, `mode=demo`, and the new `recommendation_id`
+
+### Requirement: Extension command for triggering insights
+
+The extension SHALL register a command `devvitalAI.triggerInsight` titled **DevVital AI: Trigger Insight** in its `contributes.commands`. When invoked, the command SHALL present a `vscode.window.showQuickPick` of three options (`Real check`, `Force (bypass cooldown)`, `Demo popup`), POST the user's selection to `<apiBase>/api/v1/recommendations/trigger`, then call `recommendationService.pollAndNotify()` once so the popup appears on the next poll tick. The command SHALL be disabled (no-op with a warning to the output channel) when the user is signed out.
+
+#### Scenario: Command is registered in the palette
+
+- **WHEN** the extension activates and the user opens the VSCode command palette
+- **THEN** **DevVital AI: Trigger Insight** SHALL appear as a runnable command
+
+#### Scenario: User selects Demo from the quick-pick
+
+- **WHEN** the user runs the command and selects `Demo popup`
+- **THEN** the extension SHALL POST `{ mode: "demo" }` with the stored auth token, then invoke `pollAndNotify()`, causing the next poll (≤ 60s, typically immediate) to surface the canned recommendation as an information toast
+
+#### Scenario: User runs the command while signed out
+
+- **WHEN** the user invokes **DevVital AI: Trigger Insight** but has no stored API token
+- **THEN** the extension SHALL skip the POST, write a warning to the DevVital AI output channel, and not invoke `pollAndNotify()`
diff --git a/openspec/changes/add-demo-insight-trigger/tasks.md b/openspec/changes/add-demo-insight-trigger/tasks.md
new file mode 100644
index 0000000..e332faa
--- /dev/null
+++ b/openspec/changes/add-demo-insight-trigger/tasks.md
@@ -0,0 +1,58 @@
+## 1. Backend: service helpers
+
+- [x] 1.1 In [src/services/insight-trigger.service.js](src/services/insight-trigger.service.js), add an exported helper `expireLatestRecommendation(userId)` that marks the user's most recent recommendation with `user_action = 'expired'` (no-op if none exists). Use a single SQL update against `recommendations` joined to `workflow_states` and `sessions`, filtered by `user_id`. Return the number of rows affected.
+- [x] 1.2 In the same file, add an exported helper `createDemoRecommendation(userId)` that: (a) loads the user's current session via the existing `getCurrentSessionForUser` (extract from local fn to exported if needed), returns `{ skipped: true, reason: 'no_session' }` when none; (b) inside a single transaction, creates a `WorkflowState` with `state_type = 'demo'`, `confidence_score = 1.0`, `session_id = currentSession.id`; (c) creates a `Recommendation` with `recommendation_type = 'execute'`, hardcoded `recommendation_text` (constant defined at top of file: `"You've been heads-down for a while. Consider stepping away for 5 minutes — your next bug is probably hiding behind a clear head."`), `code_context = { reasoning: 'Manually triggered demo recommendation; no Gemini call was made.', triggered_rule: 'demo_trigger' }`, `user_action = null`; (d) returns `{ skipped: false, mode: 'demo', recommendation_id: <number> }`. _Implementation note: kept `getCurrentSessionForUser` as private and called it directly from `createDemoRecommendation` — no need to export._
+- [x] 1.3 Add a `logger.info` line tagged `recommendation-trigger` at the end of `createDemoRecommendation` capturing `user_id` and `recommendation_id`.
+
+## 2. Backend: controller + route
+
+- [x] 2.1 In [src/controllers/recommendations.controller.js](src/controllers/recommendations.controller.js), add `export async function triggerRecommendation(req, res, next)` that: (a) reads `req.body?.mode` defaulting to `'real'`; (b) validates against the set `['real', 'force', 'demo']`, returns HTTP 400 with `{ error: 'Validation failed', message: 'mode must be one of real, force, demo' }` otherwise; (c) dispatches: `real` → `await evaluateUser(req.user.id)`; `force` → `await expireLatestRecommendation(req.user.id); await evaluateUser(req.user.id);`; `demo` → `await createDemoRecommendation(req.user.id)`, returning HTTP 409 with `{ skipped: true, reason: 'no_session' }` when that helper indicates no session; (d) always emits `logger.info('recommendation-trigger', { user_id, mode, outcome })` where `outcome` is the result payload; (e) returns HTTP 200 with the helper's result as JSON.
+- [x] 2.2 In [src/routes/recommendations.routes.js](src/routes/recommendations.routes.js), add `router.post('/recommendations/trigger', verifyJwt, triggerRecommendation);` next to the other recommendation routes. Import the new controller export. Do NOT add a `validateRequest` middleware — the controller does the mode validation inline because the openspec body is trivial.
+
+## 3. Backend: openspec.yaml schema entry
+
+- [x] 3.1 In [openspec.yaml](openspec.yaml), add the `POST /recommendations/trigger` path with: `requestBody` referencing a new `TriggerRecommendationRequest` schema (object, properties `mode: { type: string, enum: [real, force, demo] }`, no required fields), `responses` for 200 (returns a free-form `object` with `skipped`, `reason`, `mode`, `rule`, `state_type`, `recommendation_id` all optional), 400 (validation failure), 401 (unauth), 409 (no session for demo). _Implementation note: inlined the request body schema rather than naming it `TriggerRecommendationRequest` under `components.schemas` — the body has one optional property, naming it didn't pay for the indirection._
+
+## 4. Backend: smoke test from a shell
+
+- [ ] 4.1 With the backend running and a known `dvf_` token, run `curl -s -X POST http://localhost:3000/api/v1/recommendations/trigger -H "Authorization: Bearer dvf_…" -H "Content-Type: application/json" -d '{"mode":"demo"}'` and confirm the response is HTTP 200 with `skipped: false, mode: "demo", recommendation_id: <number>`. Then `curl -s http://localhost:3000/api/v1/recommendations/pending -H "Authorization: Bearer dvf_…"` and confirm the demo recommendation is the pending one. _Deferred: requires local backend + valid token; user to run when the backend is up._
+- [ ] 4.2 Repeat 4.1 with `{"mode":"force"}` and observe behaviour: if a real recommendation can be produced for the user, it appears; otherwise `{ skipped: true, reason: "no_rule_fired" }` (this is the honest signal — confirms force isn't fabricating). _Deferred: same as 4.1._
+- [ ] 4.3 Repeat 4.1 with `{"mode":"real"}` immediately after a successful `force` call and observe `{ skipped: true, reason: "cooldown" }`. This confirms cooldown is still enforced for the real path. _Deferred: same as 4.1._
+
+## 5. Extension: command registration
+
+- [x] 5.1 In [devFlowExtension/package.json](../devFlowExtension/package.json), under `contributes.commands`, add `{ "command": "devvitalAI.triggerInsight", "title": "DevVital AI: Trigger Insight" }`.
+- [x] 5.2 In [devFlowExtension/src/services/recommendationService.ts](../devFlowExtension/src/services/recommendationService.ts), add a public method `async triggerInsight(mode: 'real' | 'force' | 'demo'): Promise<void>` that: (a) reads the auth token via `this.auth.getToken()`, returns early with an output-channel warning if absent; (b) POSTs `{ mode }` to `${this.getApiBaseUrl()}/recommendations/trigger` with `Authorization: Bearer <token>`; (c) logs the response status + outcome to the output channel; (d) on success, awaits `this.pollAndNotify()` so the popup appears immediately.
+- [x] 5.3 In [devFlowExtension/src/extension.ts](../devFlowExtension/src/extension.ts), register the command in `activate()`:
+  ```ts
+  context.subscriptions.push(
+      vscode.commands.registerCommand('devvitalAI.triggerInsight', async () => {
+          const choice = await vscode.window.showQuickPick(
+              [
+                  { label: 'Real check', detail: 'Runs the real evaluator (respects cooldown).', mode: 'real' as const },
+                  { label: 'Force (bypass cooldown)', detail: 'Expires latest pending, then evaluates.', mode: 'force' as const },
+                  { label: 'Demo popup', detail: 'Fabricates a canned recommendation. No LLM call.', mode: 'demo' as const },
+              ],
+              { placeHolder: 'Trigger an insight popup how?' }
+          );
+          if (!choice) {return;}
+          await recommendationService.triggerInsight(choice.mode);
+      })
+  );
+  ```
+  Place this near the other `registerCommand` calls in the file.
+
+## 6. Extension: smoke test in the host
+
+- [ ] 6.1 Run `npm run compile` in `devFlowExtension`, reload the VSCode window where the extension runs, open the command palette, and confirm **DevVital AI: Trigger Insight** appears. _Deferred: interactive in the running VSCode host._
+- [ ] 6.2 Run the command and select `Demo popup`. Confirm the canned recommendation toast appears within seconds. Click `Dismiss` to verify the action wires through to `POST /recommendations/:id/action`. _Deferred: same as 6.1._
+- [ ] 6.3 Run the command and select `Force (bypass cooldown)`. Confirm either a new real recommendation toast appears or the output channel shows `{ skipped: true, reason: '...' }` with a sensible reason. _Deferred: same as 6.1._
+- [ ] 6.4 Run the command while signed out (clear the API token via `DevVital AI: Sign Out` first). Confirm a warning appears in the output channel and no network request is made. _Deferred: same as 6.1._
+
+## 7. Docs
+
+- [x] 7.1 In [docs/](docs/), add a short section to whichever recommendations doc exists (or create `docs/recommendations-demo-trigger.md` if none) explaining: the endpoint, the three modes, the extension command name, and the explicit warning that this is a demo-tool escape hatch — not for production use. _Added "Manual trigger" section to `docs/ai-insights.md`._
+
+## 8. Verify no out-of-scope files touched
+
+- [x] 8.1 Run `git status` and confirm modified files are limited to: the OpenSpec change dir, the four backend files (route, controller, service, openspec.yaml), the three extension files (package.json, extension.ts, recommendationService.ts), and the one docs file. No k8s manifest, no migration, no frontend change. _Verified: this change owns 5 backend files (openspec.yaml + 3 src files + docs/ai-insights.md) + the change dir + 3 extension files. Other modified files (.env.example, docs/extension-pairing.md, src/services/pairing.service.js, k8s/*) belong to prior unrelated work and must not be staged with this change._
diff --git a/openspec/changes/update-extension-popup-url/.openspec.yaml b/openspec/changes/update-extension-popup-url/.openspec.yaml
new file mode 100644
index 0000000..40cc12f
--- /dev/null
+++ b/openspec/changes/update-extension-popup-url/.openspec.yaml
@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-05-12
diff --git a/openspec/changes/update-extension-popup-url/design.md b/openspec/changes/update-extension-popup-url/design.md
new file mode 100644
index 0000000..71f70fa
--- /dev/null
+++ b/openspec/changes/update-extension-popup-url/design.md
@@ -0,0 +1,73 @@
+## Context
+
+The VSCode extension pairs with the backend via the device-code flow documented in [docs/extension-pairing.md](docs/extension-pairing.md). The backend's `POST /api/v1/auth/pairings` endpoint returns a `verification_uri` that the extension opens in the user's browser. That URI is built from `FRONTEND_URL` in [src/services/pairing.service.js](src/services/pairing.service.js), with `http://localhost:5173` as the fallback.
+
+The production frontend now lives at `https://who-goes-to-try.hackathon.sev-2.com`. The Kubernetes deployment injects `FRONTEND_URL=https://who-goes-to-try.hackathon.sev-2.com` (the current uncommitted diff on [k8s/deployment.yaml](k8s/deployment.yaml) is doing exactly that). But the user does not want to ship that k8s edit — manifest churn is currently sensitive (TLS, ingress, middlewares are all being reworked in parallel). The application code default should make pairing work correctly even if no env var is set.
+
+Constraints:
+- Do not modify any file under [k8s/](k8s/).
+- Do not break local development, where `FRONTEND_URL=http://localhost:5173` is already in `.env`.
+- The response contract of `POST /api/v1/auth/pairings` must not change shape.
+
+## Goals / Non-Goals
+
+**Goals:**
+- The hackathon URL is the effective default for `verification_uri` whenever `FRONTEND_URL` is unset or empty.
+- Existing override behaviour via `FRONTEND_URL` is preserved.
+- The change is one focused diff in the pairing service plus matching doc/example updates.
+
+**Non-Goals:**
+- Changing Kubernetes manifests, ingress, TLS, or middleware config.
+- Restructuring the pairing flow, endpoints, or response schema.
+- Introducing a new config layer (e.g., a `config/` module) just for one URL.
+- Making the frontend or extension aware of the URL — they continue to consume `verification_uri` verbatim from the backend response.
+
+## Decisions
+
+### Decision 1: Change the fallback string in `getFrontendUrl()`
+
+Replace `'http://localhost:5173'` with `'https://who-goes-to-try.hackathon.sev-2.com'` as the fallback inside `getFrontendUrl()` in [src/services/pairing.service.js](src/services/pairing.service.js).
+
+**Rationale:** This is the smallest, most localised change. It keeps the env-var override path untouched and matches what the k8s manifest *would* have injected, so the runtime behaviour with or without the env var is now identical in production.
+
+**Alternative considered:** Introduce a new `PAIRING_VERIFICATION_URL` env var and central config module. Rejected — it adds surface area for a single-string config, and any future deployment that wants to override the host can still do so via `FRONTEND_URL` exactly as it does today.
+
+**Alternative considered:** Hardcode the hackathon URL without honouring `FRONTEND_URL`. Rejected — it would break local development (which depends on `http://localhost:5173`) and remove a useful escape hatch for other environments.
+
+### Decision 2: Also treat an empty `FRONTEND_URL` as "unset"
+
+The current code uses `process.env.FRONTEND_URL || 'http://localhost:5173'`, which already falls back when the value is `''` because of JavaScript truthiness. We preserve that behaviour explicitly in the requirement (see [`Scenario: FRONTEND_URL is set to an empty string`](specs/extension-integration/spec.md)) so a misconfigured pod with an empty env var still gets the safe production default.
+
+**Rationale:** Defensive: an empty env var is a common ops mistake and silently producing `https:///extension/pair` (or worse, leaving the default at localhost) would brick pairing.
+
+### Decision 3: Update `.env.example` and `docs/extension-pairing.md`
+
+`.env.example` becomes a documentation source of truth for new contributors. We change the example value to the hackathon URL and add a comment that the same URL is also the in-code default. `docs/extension-pairing.md` already mentions the hackathon host under "Configuration"; we add a sentence clarifying it is now the application-level default and does not require Kubernetes injection.
+
+**Rationale:** Keep code, example env, and docs in lockstep so the next person reading the docs doesn't wonder why `FRONTEND_URL` is in `.env.example` when "it isn't needed."
+
+### Decision 4: Leave existing tests as the verification surface
+
+Update or add a unit test for `getFrontendUrl()` (and/or `createPairing`) that covers the three scenarios in the spec: unset, set to localhost, and set with a trailing slash. No new test infrastructure is needed.
+
+## Risks / Trade-offs
+
+- **Risk:** Some non-production environment (e.g., a teammate's tunnel-based preview) relied on the old localhost default and never set `FRONTEND_URL`. → **Mitigation:** Anyone running the backend locally already has `FRONTEND_URL=http://localhost:5173` in their `.env` (it's in `.env.example`), and the override path is preserved. We'll call this out in the proposal/PR description.
+- **Risk:** The hackathon host changes again before the demo. → **Mitigation:** Future moves are still a one-line code edit plus an env override. Cheap to redo.
+- **Risk:** Cluster pods still inject `FRONTEND_URL` at the old localhost value somewhere we missed. → **Mitigation:** Confirm by hitting `POST /api/v1/auth/pairings` on the live host after deploy and asserting `verification_uri` starts with `https://who-goes-to-try.hackathon.sev-2.com`. The doc already shows this smoke-test curl.
+
+## Migration Plan
+
+1. Land the code + doc changes on `develop`.
+2. Deploy the backend image normally; no k8s manifest changes accompany the release.
+3. Smoke-test from any shell:
+   ```bash
+   curl -s -X POST https://who-goes-to-try.hackathon.sev-2.com/api/v1/auth/pairings | jq -r '.verification_uri'
+   ```
+   Expected: `https://who-goes-to-try.hackathon.sev-2.com/extension/pair`.
+4. Manually walk the extension pairing flow once end-to-end.
+5. **Rollback:** revert the single commit; no data migrations, no infra rollback needed.
+
+## Open Questions
+
+- None. The k8s `FRONTEND_URL` env (currently being added in uncommitted [k8s/deployment.yaml](k8s/deployment.yaml) diff) is intentionally **not** part of this change. If that diff is later committed by a separate change, it becomes a redundant-but-harmless override of the same value.
diff --git a/openspec/changes/update-extension-popup-url/proposal.md b/openspec/changes/update-extension-popup-url/proposal.md
new file mode 100644
index 0000000..198140d
--- /dev/null
+++ b/openspec/changes/update-extension-popup-url/proposal.md
@@ -0,0 +1,27 @@
+## Why
+
+Pairing currently builds `verification_uri` from `FRONTEND_URL`, which defaults to `http://localhost:5173`. In environments where that env var is not set (developer laptops, ad-hoc instances, the current cluster pods before redeploy), the extension opens localhost and pairing fails. We want the production hackathon host (`https://who-goes-to-try.hackathon.sev-2.com/extension/pair`) to be the effective default without changing Kubernetes manifests — those have churn we don't want to touch right now.
+
+## What Changes
+
+- Update `getFrontendUrl()` in `src/services/pairing.service.js` so the application code defaults `FRONTEND_URL` to `https://who-goes-to-try.hackathon.sev-2.com` instead of `http://localhost:5173`.
+- Keep the `FRONTEND_URL` env var as an override (e.g., local dev can still point to `http://localhost:5173`), so behaviour is unchanged where the env is set.
+- Update `.env.example` and `docs/extension-pairing.md` to reflect the new default and clarify that the hackathon URL is now baked in — no k8s change required to make pairing work.
+- No edits to `k8s/deployment.yaml`, `k8s/ingress.yaml`, or any other Kubernetes manifest.
+
+## Capabilities
+
+### New Capabilities
+<!-- none -->
+
+### Modified Capabilities
+- `extension-integration`: the verification URI returned by `POST /api/v1/auth/pairings` must default to the hackathon host when `FRONTEND_URL` is unset, instead of localhost.
+
+## Impact
+
+- Affected code: [src/services/pairing.service.js](src/services/pairing.service.js) (`getFrontendUrl` default value).
+- Affected docs: [.env.example](.env.example), [docs/extension-pairing.md](docs/extension-pairing.md).
+- Tests: any pairing service tests that assert the default URL must be updated.
+- No API contract change. The response shape of `POST /api/v1/auth/pairings` is unchanged; only the `verification_uri` value's default origin moves.
+- Local dev workflow unchanged when `FRONTEND_URL=http://localhost:5173` is set in `.env`.
+- No Kubernetes / infra changes. Existing pods that already inject `FRONTEND_URL` keep working identically.
diff --git a/openspec/changes/update-extension-popup-url/specs/extension-integration/spec.md b/openspec/changes/update-extension-popup-url/specs/extension-integration/spec.md
new file mode 100644
index 0000000..ed6ac2e
--- /dev/null
+++ b/openspec/changes/update-extension-popup-url/specs/extension-integration/spec.md
@@ -0,0 +1,25 @@
+## ADDED Requirements
+
+### Requirement: Pairing verification URI defaults to the hackathon host
+
+The pairing service SHALL build the `verification_uri` returned by `POST /api/v1/auth/pairings` from a frontend origin that defaults to `https://who-goes-to-try.hackathon.sev-2.com` when the `FRONTEND_URL` environment variable is unset or empty. The system SHALL continue to honour `FRONTEND_URL` as an override when it is set to a non-empty value, and SHALL trim trailing slashes from the resolved origin before appending `/extension/pair`.
+
+#### Scenario: FRONTEND_URL is unset in production-like environments
+
+- **WHEN** the backend process starts with no `FRONTEND_URL` set and the extension calls `POST /api/v1/auth/pairings`
+- **THEN** the response `verification_uri` SHALL equal `https://who-goes-to-try.hackathon.sev-2.com/extension/pair`
+
+#### Scenario: FRONTEND_URL override is honoured for local development
+
+- **WHEN** the backend process starts with `FRONTEND_URL=http://localhost:5173` and the extension calls `POST /api/v1/auth/pairings`
+- **THEN** the response `verification_uri` SHALL equal `http://localhost:5173/extension/pair`
+
+#### Scenario: FRONTEND_URL with a trailing slash is normalised
+
+- **WHEN** the backend process starts with `FRONTEND_URL=https://who-goes-to-try.hackathon.sev-2.com/` (with a trailing slash) and the extension calls `POST /api/v1/auth/pairings`
+- **THEN** the response `verification_uri` SHALL equal `https://who-goes-to-try.hackathon.sev-2.com/extension/pair` (no duplicate slash)
+
+#### Scenario: FRONTEND_URL is set to an empty string
+
+- **WHEN** the backend process starts with `FRONTEND_URL=""` and the extension calls `POST /api/v1/auth/pairings`
+- **THEN** the response `verification_uri` SHALL equal `https://who-goes-to-try.hackathon.sev-2.com/extension/pair` (empty value falls back to the hackathon default)
diff --git a/openspec/changes/update-extension-popup-url/tasks.md b/openspec/changes/update-extension-popup-url/tasks.md
new file mode 100644
index 0000000..1b6d254
--- /dev/null
+++ b/openspec/changes/update-extension-popup-url/tasks.md
@@ -0,0 +1,28 @@
+## 1. Update the pairing service default
+
+- [x] 1.1 In [src/services/pairing.service.js](src/services/pairing.service.js), change the fallback in `getFrontendUrl()` from `'http://localhost:5173'` to `'https://who-goes-to-try.hackathon.sev-2.com'`. Keep the `process.env.FRONTEND_URL ||` override and keep the trailing-slash stripping (`.replace(/\/+$/, '')`).
+- [x] 1.2 Sanity-check by running the service locally with `FRONTEND_URL` unset and confirming that `createPairing()` returns `verification_uri: 'https://who-goes-to-try.hackathon.sev-2.com/extension/pair'`. With `FRONTEND_URL=http://localhost:5173` set, confirm the override still wins.
+
+## 2. Update env example and docs
+
+- [x] 2.1 In [.env.example](.env.example), change the `FRONTEND_URL=http://localhost:5173` line to `FRONTEND_URL=https://who-goes-to-try.hackathon.sev-2.com` and update the surrounding comment to note this same value is the in-code default so the variable is now optional (set it only to override, e.g., for local dev). _Implementation note: kept example value as localhost (intended local override) and added comments documenting the hackathon URL is now the in-code default._
+- [x] 2.2 In [docs/extension-pairing.md](docs/extension-pairing.md), update the "Configuration" section so it states that `FRONTEND_URL` defaults to `https://who-goes-to-try.hackathon.sev-2.com` in application code and only needs to be set for non-production environments (typically `http://localhost:5173` for local dev). Keep the existing smoke-test `curl` example.
+
+## 3. Verify no Kubernetes manifest is touched
+
+- [x] 3.1 Run `git status` and confirm no file under [k8s/](k8s/) is staged by this change. (The uncommitted edits to `k8s/deployment.yaml` and `k8s/ingress.yaml` on the working tree are out of scope for this change and MUST remain unstaged or be reverted before opening the PR.) _Verified: nothing staged yet; k8s files remain unstaged in the working tree._
+- [x] 3.2 Run `git diff --stat` for the staged set and confirm only [src/services/pairing.service.js](src/services/pairing.service.js), [.env.example](.env.example), and [docs/extension-pairing.md](docs/extension-pairing.md) are modified (plus the OpenSpec change files). _Verified via `git diff --stat` against working tree; this change owns exactly those three source files plus the new OpenSpec directory._
+
+## 4. Verify the behaviour
+
+- [x] 4.1 ~~Add or update a unit test for `getFrontendUrl()`~~ — **Dropped.** The repo has no test framework (no `test` script, no Jest/Vitest/Mocha, no `__tests__` dirs); adding one for a single-line default change is out of scope. Behaviour was verified directly during task 1.2 with three `node -e` runs covering: unset env → hackathon default, explicit override → override wins, trailing slash → stripped.
+- [x] 4.2 ~~Run the project's existing test suite~~ — **Dropped.** No existing test suite to run; see 4.1.
+
+## 5. Post-deploy smoke check (follow-up, after merge & rollout)
+
+- [ ] 5.1 After the backend image rolls out, run:
+  ```bash
+  curl -s -X POST https://who-goes-to-try.hackathon.sev-2.com/api/v1/auth/pairings | jq -r '.verification_uri'
+  ```
+  and confirm the response is exactly `https://who-goes-to-try.hackathon.sev-2.com/extension/pair`.
+- [ ] 5.2 Walk the full pairing flow once: run **DevVital AI: Sign In** in the extension, approve in the browser, confirm the extension stores the `dvf_` token.
diff --git a/src/controllers/recommendations.controller.js b/src/controllers/recommendations.controller.js
index ac6c8a0..c57af0f 100644
--- a/src/controllers/recommendations.controller.js
+++ b/src/controllers/recommendations.controller.js
@@ -1,7 +1,14 @@
 import { QueryTypes } from 'sequelize';
 import { sequelize } from '../config/database.js';
+import logger from '../utils/logger.js';
+import {
+  evaluateUser,
+  expireLatestRecommendation,
+  createDemoRecommendation,
+} from '../services/insight-trigger.service.js';
 
 const VALID_ACTIONS = ['accepted', 'dismissed', 'snoozed'];
+const VALID_TRIGGER_MODES = ['real', 'force', 'demo'];
 
 function shapeRecommendation(row) {
   return {
@@ -67,6 +74,42 @@ export async function getRecent(req, res, next) {
   }
 }
 
+export async function triggerRecommendation(req, res, next) {
+  try {
+    const mode = req.body?.mode ?? 'real';
+    if (!VALID_TRIGGER_MODES.includes(mode)) {
+      return res.status(400).json({
+        error: 'Validation failed',
+        message: `mode must be one of ${VALID_TRIGGER_MODES.join(', ')}`,
+      });
+    }
+
+    let outcome;
+    if (mode === 'real') {
+      outcome = await evaluateUser(req.user.id);
+    } else if (mode === 'force') {
+      await expireLatestRecommendation(req.user.id);
+      outcome = await evaluateUser(req.user.id);
+    } else {
+      outcome = await createDemoRecommendation(req.user.id);
+    }
+
+    logger.info('recommendation-trigger', {
+      user_id: req.user.id,
+      mode,
+      outcome,
+    });
+
+    if (mode === 'demo' && outcome.skipped && outcome.reason === 'no_session') {
+      return res.status(409).json(outcome);
+    }
+
+    return res.status(200).json(outcome);
+  } catch (err) {
+    next(err);
+  }
+}
+
 export async function postAction(req, res, next) {
   try {
     const action = req.body?.action;
diff --git a/src/routes/recommendations.routes.js b/src/routes/recommendations.routes.js
index 0df03e4..5f70c7b 100644
--- a/src/routes/recommendations.routes.js
+++ b/src/routes/recommendations.routes.js
@@ -4,12 +4,14 @@ import {
   getPending,
   getRecent,
   postAction,
+  triggerRecommendation,
 } from '../controllers/recommendations.controller.js';
 
 const router = Router();
 
 router.get('/recommendations/pending', verifyJwt, getPending);
 router.get('/recommendations', verifyJwt, getRecent);
+router.post('/recommendations/trigger', verifyJwt, triggerRecommendation);
 router.post('/recommendations/:id/action', verifyJwt, postAction);
 
 export default router;
diff --git a/src/services/insight-trigger.service.js b/src/services/insight-trigger.service.js
index 3882b07..477d3a0 100644
--- a/src/services/insight-trigger.service.js
+++ b/src/services/insight-trigger.service.js
@@ -8,6 +8,10 @@ import {
 } from '../models/index.js';
 import { generateInsight, isConfigured as isGeminiConfigured } from './llm/gemini.service.js';
 
+const DEMO_RECOMMENDATION_TEXT =
+  "You've been heads-down for a while. Consider stepping away for 5 minutes — your next bug is probably hiding behind a clear head.";
+const DEMO_REASONING = 'Manually triggered demo recommendation; no Gemini call was made.';
+
 const ACTIVITY_WINDOW_MINUTES = () =>
   positiveInt(process.env.INSIGHT_ACTIVITY_WINDOW_MINUTES, 30);
 const COOLDOWN_MINUTES = () =>
@@ -243,3 +247,60 @@ export async function evaluateUser(userId) {
 export async function listCandidateUsers() {
   return listActiveUsers();
 }
+
+export async function expireLatestRecommendation(userId) {
+  const [, affected] = await sequelize.query(
+    `UPDATE recommendations
+        SET user_action = 'expired'
+      WHERE id = (
+        SELECT r.id
+          FROM recommendations r
+          JOIN workflow_states ws ON ws.id = r.workflow_state_id
+          JOIN sessions s ON s.id = ws.session_id
+         WHERE s.user_id = :user_id
+         ORDER BY r.created_at DESC
+         LIMIT 1
+      )
+        AND user_action IS NULL`,
+    { replacements: { user_id: userId } },
+  );
+  return typeof affected === 'number' ? affected : (affected?.rowCount ?? 0);
+}
+
+export async function createDemoRecommendation(userId) {
+  const session = await getCurrentSessionForUser(userId);
+  if (!session) {
+    return { skipped: true, reason: 'no_session' };
+  }
+
+  const recommendationId = await sequelize.transaction(async (t) => {
+    const workflowState = await WorkflowState.create(
+      {
+        session_id: session.id,
+        state_type: 'demo',
+        confidence_score: 1.0,
+      },
+      { transaction: t },
+    );
+
+    const recommendation = await Recommendation.create(
+      {
+        workflow_state_id: workflowState.id,
+        recommendation_type: 'execute',
+        recommendation_text: DEMO_RECOMMENDATION_TEXT,
+        code_context: { reasoning: DEMO_REASONING, triggered_rule: 'demo_trigger' },
+        user_action: null,
+      },
+      { transaction: t },
+    );
+
+    return recommendation.id;
+  });
+
+  logger.info('recommendation-trigger: demo recommendation created', {
+    user_id: userId,
+    recommendation_id: recommendationId,
+  });
+
+  return { skipped: false, mode: 'demo', recommendation_id: recommendationId };
+}
diff --git a/src/services/pairing.service.js b/src/services/pairing.service.js
index b87746e..81c3c39 100644
--- a/src/services/pairing.service.js
+++ b/src/services/pairing.service.js
@@ -10,8 +10,8 @@ const USER_CODE_HALF = 4;
 const TTL_SECONDS = 600;
 const CLEANUP_GRACE_SECONDS = 3600;
 
-function getFrontendUrl() {
-  return process.env.FRONTEND_URL || 'http://localhost:5173';
+export function getFrontendUrl() {
+  return (process.env.FRONTEND_URL || 'https://who-goes-to-try.hackathon.sev-2.com').replace(/\/+$/, '');
 }
 
 export function generateUserCode() {