diff --git a/.gitignore b/.gitignore
index 0da78950..00b23169 100644
--- a/.gitignore
+++ b/.gitignore
@@ -60,3 +60,4 @@ deploy/scripts/licence-*-private.pem
 
 # Claude Code local config
 .claude/
+.worktrees
diff --git a/apps/docs/docs/features/alerts.md b/apps/docs/docs/features/alerts.md
index be0beb09..bc915f01 100644
--- a/apps/docs/docs/features/alerts.md
+++ b/apps/docs/docs/features/alerts.md
@@ -27,8 +27,8 @@ When an alert instance is created or transitions state, a **notification** is ge
 
 ## Creating Alert Rules
 
-1. Navigate to **Alerts → Rules**
-2. Click **New Rule**
+1. Open a host and select **Monitoring → Alerts**
+2. Click **Add Rule**
 3. Configure:
 
 | Field | Description |
@@ -44,6 +44,20 @@ When an alert instance is created or transitions state, a **notification** is ge
 
 4. Click **Save**
 
+## Global Metric Defaults
+
+Global alert defaults are metric threshold templates. They are not evaluated for
+any host until an administrator applies them to that host.
+
+Administrators can apply those defaults when needed:
+- On a host's **Alerts** tab, **Use Metric Defaults** replaces that host's
+  host-level metric threshold rules with the current global defaults.
+- On **Administration → Monitoring**, **Apply to Hosts** replaces host-level
+  metric threshold rules across all hosts with the current global defaults.
+
+These actions only replace metric threshold rules. Check, certificate, Docker,
+silence, and notification settings are left unchanged.
+
 ---
 
 ## Silencing
diff --git a/apps/ingest/internal/handlers/terminal_ws.go b/apps/ingest/internal/handlers/terminal_ws.go
index a16df16d..1ab9479c 100644
--- a/apps/ingest/internal/handlers/terminal_ws.go
+++ b/apps/ingest/internal/handlers/terminal_ws.go
@@ -13,6 +13,7 @@ import (
 	"net"
 	"net/http"
 	"net/url"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -51,6 +52,7 @@ type wsMessage struct {
 	Code     int32  `json:"exit_code,omitempty"`
 	Token    string `json:"token,omitempty"`
 	Password string `json:"password,omitempty"`
+	Port     uint32 `json:"port,omitempty"`
 }
 
 func (h *TerminalWSHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -84,6 +86,12 @@ func (h *TerminalWSHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		conn.Close(websocket.StatusPolicyViolation, "invalid authentication")
 		return
 	}
+	sshPort, err := terminalSSHPort(authMsg.Port)
+	if err != nil {
+		writeWS(ctx, conn, wsMessage{Type: "error", Msg: "Invalid SSH port"})
+		conn.Close(websocket.StatusPolicyViolation, "invalid port")
+		return
+	}
 
 	tokenSum := sha256.Sum256([]byte(authMsg.Token))
 	info, err := queries.ValidateAndActivateTerminalSession(ctx, h.pool, sessionID, hex.EncodeToString(tokenSum[:]))
@@ -113,8 +121,8 @@ func (h *TerminalWSHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	slog.Info("terminal ws: opening SSH session", "session_id", sessionID, "host_id", info.HostID, "username", info.Username)
-	sshClient, sshSession, stdin, stdout, err := h.openSSHSession(ctx, info.HostID, info.Host, info.Username, authMsg.Password)
+	slog.Info("terminal ws: opening SSH session", "session_id", sessionID, "host_id", info.HostID, "username", info.Username, "port", sshPort)
+	sshClient, sshSession, stdin, stdout, err := h.openSSHSession(ctx, info.HostID, info.Host, info.Username, authMsg.Password, sshPort)
 	authMsg.Password = ""
 	if err != nil {
 		slog.Warn("terminal ws: SSH connection failed", "session_id", sessionID, "host_id", info.HostID, "username", info.Username, "err", err)
@@ -261,7 +269,7 @@ func terminalWSAcceptOptions(trustedOrigins []string) (*websocket.AcceptOptions,
 	}, nil
 }
 
-func (h *TerminalWSHandler) openSSHSession(ctx context.Context, hostID, host, username, password string) (*ssh.Client, *ssh.Session, io.WriteCloser, io.Reader, error) {
+func (h *TerminalWSHandler) openSSHSession(ctx context.Context, hostID, host, username, password, port string) (*ssh.Client, *ssh.Session, io.WriteCloser, io.Reader, error) {
 	config := &ssh.ClientConfig{
 		User: username,
 		Auth: []ssh.AuthMethod{
@@ -280,7 +288,7 @@ func (h *TerminalWSHandler) openSSHSession(ctx context.Context, hostID, host, us
 		Timeout: 30 * time.Second,
 	}
 
-	address := net.JoinHostPort(host, "22")
+	address := net.JoinHostPort(host, port)
 	type dialResult struct {
 		client *ssh.Client
 		err    error
@@ -352,6 +360,16 @@ func terminalRemoteAddr(remoteAddr string) string {
 	return remoteAddr
 }
 
+func terminalSSHPort(port uint32) (string, error) {
+	if port == 0 {
+		return "22", nil
+	}
+	if port > 65535 {
+		return "", fmt.Errorf("SSH port %d is out of range", port)
+	}
+	return strconv.FormatUint(uint64(port), 10), nil
+}
+
 func isSSHAuthenticationFailure(err error) bool {
 	var authErr *ssh.ServerAuthError
 	return errors.As(err, &authErr)
diff --git a/apps/ingest/internal/handlers/terminal_ws_security_test.go b/apps/ingest/internal/handlers/terminal_ws_security_test.go
index 60717eeb..3c01f160 100644
--- a/apps/ingest/internal/handlers/terminal_ws_security_test.go
+++ b/apps/ingest/internal/handlers/terminal_ws_security_test.go
@@ -55,6 +55,32 @@ func TestTerminalRemoteAddrNormalisesHostPort(t *testing.T) {
 	}
 }
 
+func TestTerminalSSHPortDefaultsToTwentyTwo(t *testing.T) {
+	got, err := terminalSSHPort(0)
+	if err != nil {
+		t.Fatalf("terminalSSHPort(0) error = %v", err)
+	}
+	if got != "22" {
+		t.Fatalf("terminalSSHPort(0) = %q, want 22", got)
+	}
+}
+
+func TestTerminalSSHPortAllowsCustomPort(t *testing.T) {
+	got, err := terminalSSHPort(2222)
+	if err != nil {
+		t.Fatalf("terminalSSHPort(2222) error = %v", err)
+	}
+	if got != "2222" {
+		t.Fatalf("terminalSSHPort(2222) = %q, want 2222", got)
+	}
+}
+
+func TestTerminalSSHPortRejectsOutOfRangePort(t *testing.T) {
+	if _, err := terminalSSHPort(65536); err == nil {
+		t.Fatal("expected terminalSSHPort(65536) to reject the port")
+	}
+}
+
 func TestIsSSHAuthenticationFailure(t *testing.T) {
 	if !isSSHAuthenticationFailure(&ssh.ServerAuthError{}) {
 		t.Fatal("expected ssh.ServerAuthError to count as an authentication failure")
diff --git a/apps/web/app/(dashboard)/hosts/[id]/alerts-tab.tsx b/apps/web/app/(dashboard)/hosts/[id]/alerts-tab.tsx
index 3dd007d8..5ce2a4f3 100644
--- a/apps/web/app/(dashboard)/hosts/[id]/alerts-tab.tsx
+++ b/apps/web/app/(dashboard)/hosts/[id]/alerts-tab.tsx
@@ -2,8 +2,8 @@
 
 import { useState } from 'react'
 import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query'
-import { formatDistanceToNow, format } from 'date-fns'
-import { Bell, Plus, Trash2, VolumeX, VolumeOff } from 'lucide-react'
+import { format } from 'date-fns'
+import { Bell, Plus, RotateCcw, Trash2, VolumeX, VolumeOff } from 'lucide-react'
 import { useForm, Controller } from 'react-hook-form'
 import { zodResolver } from '@hookform/resolvers/zod'
 import { z } from 'zod'
@@ -41,6 +41,7 @@ import {
   createAlertRule,
   updateAlertRule,
   deleteAlertRule,
+  replaceHostMetricAlertsWithGlobalDefaults,
   getAlertInstances,
   getActiveSilencesForHost,
   createSilence,
@@ -49,7 +50,7 @@ import {
 import { getChecksWithHistory } from '@/lib/actions/checks'
 import { getCertificates } from '@/lib/actions/certificates'
 import { getHostDockerContainers } from '@/lib/actions/docker-containers'
-import type { AlertRule, AlertSeverity, AlertSilence } from '@/lib/db/schema'
+import type { AlertRule, AlertSeverity } from '@/lib/db/schema'
 
 // ─── Form schema (flat — validation applied per conditionType in onSubmit) ─────
 
@@ -159,13 +160,11 @@ const silenceFormSchema = z.object({
 type SilenceFormValues = z.infer<typeof silenceFormSchema>
 
 function AddSilenceDialog({
-  scopeId,
   hostId,
   open,
   onOpenChange,
   onSuccess,
 }: {
-  scopeId: string
   hostId: string
   open: boolean
   onOpenChange: (v: boolean) => void
@@ -719,6 +718,7 @@ export function AlertsTab({ scopeId, hostId }: Props) {
   const qc = useQueryClient()
   const [addDialogOpen, setAddDialogOpen] = useState(false)
   const [addSilenceOpen, setAddSilenceOpen] = useState(false)
+  const [replaceMetricDefaultsError, setReplaceMetricDefaultsError] = useState<string | null>(null)
 
   const { data: allRules = [] } = useQuery({
     queryKey: ['alert-rules', scopeId, hostId],
@@ -757,6 +757,21 @@ export function AlertsTab({ scopeId, hostId }: Props) {
     onSuccess: () => qc.invalidateQueries({ queryKey: ['alert-rules', scopeId, hostId] }),
   })
 
+  const replaceMetricDefaultsMutation = useMutation({
+    mutationFn: async () => {
+      const result = await replaceHostMetricAlertsWithGlobalDefaults(hostId)
+      if ('error' in result) throw new Error(result.error)
+      return result
+    },
+    onMutate: () => setReplaceMetricDefaultsError(null),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['alert-rules', scopeId, hostId] }),
+    onError: (error) => {
+      setReplaceMetricDefaultsError(
+        error instanceof Error ? error.message : 'Failed to replace metric alert rules',
+      )
+    },
+  })
+
   const deleteSilenceMutation = useMutation({
     mutationFn: (silenceId: string) => deleteSilence(silenceId),
     onSuccess: () => qc.invalidateQueries({ queryKey: ['silences-active', scopeId, hostId] }),
@@ -810,13 +825,23 @@ export function AlertsTab({ scopeId, hostId }: Props) {
       )}
 
       {/* Host-specific rules */}
-      <Card>
-        <CardHeader className="flex flex-row items-start justify-between">
+      <Card data-testid="host-alert-rules-card">
+        <CardHeader className="flex flex-col gap-3 sm:flex-row sm:items-start sm:justify-between">
           <div>
             <CardTitle className="text-base">Alert Rules</CardTitle>
             <CardDescription className="mt-1">Rules that apply specifically to this host</CardDescription>
           </div>
-          <div className="flex items-center gap-2 shrink-0">
+          <div className="flex flex-wrap items-center gap-2 shrink-0">
+            <Button
+              size="sm"
+              variant="outline"
+              onClick={() => replaceMetricDefaultsMutation.mutate()}
+              disabled={replaceMetricDefaultsMutation.isPending}
+              data-testid="host-alerts-replace-metrics-with-defaults"
+            >
+              <RotateCcw className="size-3.5 mr-1" />
+              Use Metric Defaults
+            </Button>
             <Button size="sm" variant="outline" onClick={() => setAddSilenceOpen(true)}>
               <VolumeX className="size-3.5 mr-1" />
               Silence Host
@@ -828,6 +853,11 @@ export function AlertsTab({ scopeId, hostId }: Props) {
           </div>
         </CardHeader>
         <CardContent>
+          {replaceMetricDefaultsError != null && (
+            <p className="text-sm text-red-600 pb-3" data-testid="host-alerts-replace-metrics-error">
+              {replaceMetricDefaultsError}
+            </p>
+          )}
           {hostRules.length === 0 ? (
             <p className="text-sm text-muted-foreground py-4 text-center">
               No rules for this host yet. Add one to start alerting.
@@ -881,14 +911,14 @@ export function AlertsTab({ scopeId, hostId }: Props) {
         </CardContent>
       </Card>
 
-      {/* Global default rules (read-only) — these also apply to this host */}
+      {/* Global default rules (read-only) — templates available for this host */}
       <Card>
         <CardHeader>
           <div>
-            <CardTitle className="text-base">Instance-wide Default Rules</CardTitle>
+            <CardTitle className="text-base">Global Metric Defaults</CardTitle>
             <CardDescription className="mt-1">
-              These rules apply to <strong>all hosts</strong> in your instance and are
-              evaluated in addition to the host-specific rules above.{' '}
+              These defaults are not evaluated for this host until you apply them with{' '}
+              <strong>Use Metric Defaults</strong>.{' '}
               <a href="/settings/monitoring" className="underline underline-offset-2">
                 Manage in Administration → Monitoring
               </a>
@@ -899,7 +929,7 @@ export function AlertsTab({ scopeId, hostId }: Props) {
         <CardContent>
           {globalDefaults.length === 0 ? (
             <p className="text-sm text-muted-foreground py-4 text-center">
-              No instance-wide default rules configured.
+              No global metric defaults configured.
             </p>
           ) : (
             <Table>
@@ -940,7 +970,6 @@ export function AlertsTab({ scopeId, hostId }: Props) {
         onSuccess={() => qc.invalidateQueries({ queryKey: ['alert-rules', scopeId, hostId] })}
       />
       <AddSilenceDialog
-        scopeId={scopeId}
         hostId={hostId}
         open={addSilenceOpen}
         onOpenChange={setAddSilenceOpen}
diff --git a/apps/web/app/(dashboard)/hosts/[id]/host-terminal-launcher.tsx b/apps/web/app/(dashboard)/hosts/[id]/host-terminal-launcher.tsx
index aac5f57c..4d588592 100644
--- a/apps/web/app/(dashboard)/hosts/[id]/host-terminal-launcher.tsx
+++ b/apps/web/app/(dashboard)/hosts/[id]/host-terminal-launcher.tsx
@@ -7,6 +7,12 @@ import { Input } from '@/components/ui/input'
 import { Label } from '@/components/ui/label'
 import { useTerminalPanel } from '@/components/terminal'
 import { useSession } from '@/lib/auth/client'
+import {
+  DEFAULT_TERMINAL_SSH_PORT,
+  getTerminalSshPortStorageKey,
+  normaliseTerminalSshPort,
+  parseTerminalSshPort,
+} from '@/lib/terminal/ssh-port'
 import type { HostWithAgent } from '@/lib/actions/agents-core'
 
 interface Props {
@@ -42,9 +48,31 @@ export function HostTerminalLauncher({ host, directAccess, accessDeniedReason }:
   }, [storageKey])
   const savedUsername = useSyncExternalStore(subscribe, getSnapshot, () => '')
 
+  const portStorageKey = getTerminalSshPortStorageKey(host.id)
+  const subscribePort = useCallback((onChange: () => void) => {
+    if (typeof window === 'undefined') return () => {}
+    const handler = (e: StorageEvent) => {
+      if (e.key === portStorageKey) onChange()
+    }
+    window.addEventListener('storage', handler)
+    return () => window.removeEventListener('storage', handler)
+  }, [portStorageKey])
+  const getPortSnapshot = useCallback(() => {
+    if (typeof window === 'undefined') return String(DEFAULT_TERMINAL_SSH_PORT)
+    try {
+      return String(normaliseTerminalSshPort(localStorage.getItem(portStorageKey)))
+    } catch {
+      return String(DEFAULT_TERMINAL_SSH_PORT)
+    }
+  }, [portStorageKey])
+  const savedPortInput = useSyncExternalStore(subscribePort, getPortSnapshot, () => String(DEFAULT_TERMINAL_SSH_PORT))
+
   const [typedUsername, setTypedUsername] = useState<string | null>(null)
+  const [typedPortInput, setTypedPortInput] = useState<string | null>(null)
   const [password, setPassword] = useState('')
+  const [error, setError] = useState<string | null>(null)
   const username = typedUsername ?? savedUsername
+  const portInput = typedPortInput ?? savedPortInput
 
   if (accessDeniedReason) {
     return (
@@ -57,6 +85,12 @@ export function HostTerminalLauncher({ host, directAccess, accessDeniedReason }:
   }
 
   const handleOpen = () => {
+    const parsedPort = parseTerminalSshPort(portInput)
+    if (!parsedPort.ok) {
+      setError(parsedPort.error)
+      return
+    }
+
     if (!directAccess && username.trim() && session?.user?.id) {
       try {
         localStorage.setItem(`terminal-username:${session.user.id}:${host.id}`, username.trim())
@@ -68,10 +102,12 @@ export function HostTerminalLauncher({ host, directAccess, accessDeniedReason }:
       hostId: host.id,
       hostname: host.displayName ?? host.hostname,
       username: username.trim(),
+      port: parsedPort.port,
       password,
       directAccess: false,
     })
     setPassword('')
+    setError(null)
   }
 
   return (
@@ -95,10 +131,34 @@ export function HostTerminalLauncher({ host, directAccess, accessDeniedReason }:
           <Input
             id="host-terminal-username"
             value={username}
-            onChange={(e) => setTypedUsername(e.target.value)}
+            onChange={(e) => {
+              setTypedUsername(e.target.value)
+              setError(null)
+            }}
             placeholder="e.g. jsmith"
           />
         </div>
+        <div className="text-left space-y-1.5">
+          <Label htmlFor="host-terminal-port" className="text-sm">
+            SSH Port
+          </Label>
+          <Input
+            id="host-terminal-port"
+            type="number"
+            min={1}
+            max={65535}
+            step={1}
+            inputMode="numeric"
+            value={portInput}
+            onChange={(e) => {
+              setTypedPortInput(e.target.value)
+              setError(null)
+            }}
+            onKeyDown={(e) => {
+              if (e.key === 'Enter' && username.trim() && password && portInput.trim()) handleOpen()
+            }}
+          />
+        </div>
         <div className="text-left space-y-1.5">
           <Label htmlFor="host-terminal-password" className="text-sm">
             <KeyRound className="size-3.5 inline mr-1" />
@@ -108,14 +168,22 @@ export function HostTerminalLauncher({ host, directAccess, accessDeniedReason }:
             id="host-terminal-password"
             type="password"
             value={password}
-            onChange={(e) => setPassword(e.target.value)}
+            onChange={(e) => {
+              setPassword(e.target.value)
+              setError(null)
+            }}
             autoComplete="current-password"
             onKeyDown={(e) => {
-              if (e.key === 'Enter' && username.trim() && password) handleOpen()
+              if (e.key === 'Enter' && username.trim() && password && portInput.trim()) handleOpen()
             }}
           />
         </div>
-        <Button onClick={handleOpen} disabled={!username.trim() || !password}>
+        {error && (
+          <div className="rounded-md bg-destructive/10 border border-destructive/20 px-3 py-2 text-left text-sm text-destructive">
+            {error}
+          </div>
+        )}
+        <Button onClick={handleOpen} disabled={!username.trim() || !password || !portInput.trim()}>
           <Terminal className="size-4 mr-1.5" />
           Open Terminal
         </Button>
diff --git a/apps/web/app/(dashboard)/hosts/networks/components/host-node-terminal-dialog.tsx b/apps/web/app/(dashboard)/hosts/networks/components/host-node-terminal-dialog.tsx
index 295b2f8d..6e84e910 100644
--- a/apps/web/app/(dashboard)/hosts/networks/components/host-node-terminal-dialog.tsx
+++ b/apps/web/app/(dashboard)/hosts/networks/components/host-node-terminal-dialog.tsx
@@ -13,6 +13,12 @@ import {
 import { Button } from '@/components/ui/button'
 import { Input } from '@/components/ui/input'
 import { Label } from '@/components/ui/label'
+import {
+  DEFAULT_TERMINAL_SSH_PORT,
+  getTerminalSshPortStorageKey,
+  normaliseTerminalSshPort,
+  parseTerminalSshPort,
+} from '@/lib/terminal/ssh-port'
 import type { HostNodeData } from './network-flow-nodes'
 
 interface Props {
@@ -38,8 +44,21 @@ function TerminalConnectForm({
     }
   })
   const [password, setPassword] = useState('')
+  const [portInput, setPortInput] = useState(() => {
+    try {
+      return String(normaliseTerminalSshPort(localStorage.getItem(getTerminalSshPortStorageKey(data.hostId))))
+    } catch {
+      return String(DEFAULT_TERMINAL_SSH_PORT)
+    }
+  })
+  const [error, setError] = useState<string | null>(null)
 
   const handleConnect = useCallback(() => {
+    const parsedPort = parseTerminalSshPort(portInput)
+    if (!parsedPort.ok) {
+      setError(parsedPort.error)
+      return
+    }
     try {
       if (username.trim()) {
         localStorage.setItem(`terminal-username:${data.hostId}`, username.trim())
@@ -51,12 +70,14 @@ function TerminalConnectForm({
       hostId: data.hostId,
       hostname: data.name,
       username: username.trim(),
+      port: parsedPort.port,
       password,
       directAccess: false,
     })
     setPassword('')
+    setError(null)
     onOpenChange(false)
-  }, [data, username, password, openTerminal, onOpenChange])
+  }, [data, username, portInput, password, openTerminal, onOpenChange])
 
   return (
     <>
@@ -68,11 +89,33 @@ function TerminalConnectForm({
         <Input
           id="host-graph-username"
           value={username}
-          onChange={(e) => setUsername(e.target.value)}
+          onChange={(e) => {
+            setUsername(e.target.value)
+            setError(null)
+          }}
           placeholder="e.g. jsmith"
           autoFocus
           onKeyDown={(e) => {
-            if (e.key === 'Enter' && username.trim() && password) handleConnect()
+            if (e.key === 'Enter' && username.trim() && password && portInput.trim()) handleConnect()
+          }}
+        />
+      </div>
+      <div className="space-y-2">
+        <Label htmlFor="host-graph-port">SSH Port</Label>
+        <Input
+          id="host-graph-port"
+          type="number"
+          min={1}
+          max={65535}
+          step={1}
+          inputMode="numeric"
+          value={portInput}
+          onChange={(e) => {
+            setPortInput(e.target.value)
+            setError(null)
+          }}
+          onKeyDown={(e) => {
+            if (e.key === 'Enter' && username.trim() && password && portInput.trim()) handleConnect()
           }}
         />
       </div>
@@ -85,18 +128,26 @@ function TerminalConnectForm({
           id="host-graph-password"
           type="password"
           value={password}
-          onChange={(e) => setPassword(e.target.value)}
+          onChange={(e) => {
+            setPassword(e.target.value)
+            setError(null)
+          }}
           autoComplete="current-password"
           onKeyDown={(e) => {
-            if (e.key === 'Enter' && username.trim() && password) handleConnect()
+            if (e.key === 'Enter' && username.trim() && password && portInput.trim()) handleConnect()
           }}
         />
       </div>
+      {error && (
+        <div className="rounded-md bg-destructive/10 border border-destructive/20 px-3 py-2 text-sm text-destructive">
+          {error}
+        </div>
+      )}
       <DialogFooter>
         <Button variant="outline" onClick={() => onOpenChange(false)}>
           Cancel
         </Button>
-        <Button onClick={handleConnect} disabled={!username.trim() || !password}>
+        <Button onClick={handleConnect} disabled={!username.trim() || !password || !portInput.trim()}>
           <Terminal className="size-4 mr-1.5" />
           Connect
         </Button>
@@ -108,7 +159,7 @@ function TerminalConnectForm({
 export function HostNodeTerminalDialog({ data, open, onOpenChange }: Props) {
   return (
     <Dialog open={open} onOpenChange={onOpenChange}>
-      <DialogContent className="sm:max-w-xs">
+      <DialogContent className="sm:max-w-sm">
         {data && (
           <TerminalConnectForm key={data.hostId} data={data} onOpenChange={onOpenChange} />
         )}
diff --git a/apps/web/app/(dashboard)/settings/alerts/alerts-client.tsx b/apps/web/app/(dashboard)/settings/alerts/alerts-client.tsx
index e972fd6e..2eced105 100644
--- a/apps/web/app/(dashboard)/settings/alerts/alerts-client.tsx
+++ b/apps/web/app/(dashboard)/settings/alerts/alerts-client.tsx
@@ -2,7 +2,7 @@
 
 import { useState } from 'react'
 import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query'
-import { Bell, Info, Plus, Trash2 } from 'lucide-react'
+import { Bell, Info, Plus, RotateCcw, Trash2 } from 'lucide-react'
 import { useForm, Controller } from 'react-hook-form'
 import { zodResolver } from '@hookform/resolvers/zod'
 import { z } from 'zod'
@@ -37,6 +37,7 @@ import {
   getGlobalAlertDefaults,
   createGlobalAlertDefault,
   deleteGlobalAlertDefault,
+  replaceAllHostMetricAlertsWithGlobalDefaults,
 } from '@/lib/actions/alerts'
 import type { AlertRule, AlertSeverity } from '@/lib/db/schema'
 
@@ -224,6 +225,8 @@ interface GlobalAlertsClientProps {
 
 export function GlobalAlertsClient({ initialDefaults }: GlobalAlertsClientProps) {
   const [dialogOpen, setDialogOpen] = useState(false)
+  const [replaceAllMessage, setReplaceAllMessage] = useState<string | null>(null)
+  const [replaceAllError, setReplaceAllError] = useState<string | null>(null)
   const queryClient = useQueryClient()
 
   const { data: defaults = initialDefaults } = useQuery({
@@ -237,18 +240,40 @@ export function GlobalAlertsClient({ initialDefaults }: GlobalAlertsClientProps)
     onSuccess: () => queryClient.invalidateQueries({ queryKey: ['global-alert-defaults'] }),
   })
 
+  const replaceAllMutation = useMutation({
+    mutationFn: async () => {
+      const result = await replaceAllHostMetricAlertsWithGlobalDefaults()
+      if ('error' in result) throw new Error(result.error)
+      return result
+    },
+    onMutate: () => {
+      setReplaceAllError(null)
+      setReplaceAllMessage(null)
+    },
+    onSuccess: (result) => {
+      setReplaceAllMessage(
+        `Updated ${result.hostCount} host${result.hostCount === 1 ? '' : 's'} with ${result.createdCount} metric default rule${result.createdCount === 1 ? '' : 's'}.`,
+      )
+    },
+    onError: (error) => {
+      setReplaceAllError(
+        error instanceof Error ? error.message : 'Failed to replace host metric alert rules',
+      )
+    },
+  })
+
   return (
     <div className="space-y-6 p-6 max-w-4xl">
       <div>
         <h1 className="text-2xl font-semibold tracking-tight" data-testid="settings-alert-defaults-heading">Global Alert Defaults</h1>
         <p className="text-sm text-muted-foreground mt-1">
-          These metric alert rules are automatically applied to every new host when an agent is approved.
-          After a host is added you can remove individual rules from the host&apos;s Alerts tab.
+          These metric alert rules are templates. Apply them to selected hosts when you want those hosts
+          to use the current defaults.
         </p>
       </div>
 
       <Card>
-        <CardHeader className="flex flex-row items-start justify-between pb-3">
+        <CardHeader className="flex flex-col gap-3 pb-3 sm:flex-row sm:items-start sm:justify-between">
           <div>
             <CardTitle className="text-base flex items-center gap-2">
               <Bell className="size-4" />
@@ -259,18 +284,40 @@ export function GlobalAlertsClient({ initialDefaults }: GlobalAlertsClientProps)
               Check-based rules must be configured per host since they reference host-specific checks.
             </CardDescription>
           </div>
-          <Button size="sm" onClick={() => setDialogOpen(true)} data-testid="settings-alert-defaults-add">
-            <Plus className="size-4 mr-1" />
-            Add Default
-          </Button>
+          <div className="flex flex-wrap items-center gap-2 shrink-0">
+            <Button
+              size="sm"
+              variant="outline"
+              onClick={() => replaceAllMutation.mutate()}
+              disabled={replaceAllMutation.isPending}
+              data-testid="settings-alert-defaults-replace-all-host-metrics"
+            >
+              <RotateCcw className="size-4 mr-1" />
+              Apply to Hosts
+            </Button>
+            <Button size="sm" onClick={() => setDialogOpen(true)} data-testid="settings-alert-defaults-add">
+              <Plus className="size-4 mr-1" />
+              Add Default
+            </Button>
+          </div>
         </CardHeader>
         <CardContent>
+          {replaceAllError != null && (
+            <p className="text-sm text-red-600 pb-3" data-testid="settings-alert-defaults-replace-error">
+              {replaceAllError}
+            </p>
+          )}
+          {replaceAllMessage != null && (
+            <p className="text-sm text-green-700 pb-3" data-testid="settings-alert-defaults-replace-success">
+              {replaceAllMessage}
+            </p>
+          )}
           {defaults.length === 0 ? (
             <div className="flex flex-col items-center justify-center gap-2 py-10 text-center" data-testid="settings-alert-defaults-empty">
               <Bell className="size-8 text-muted-foreground/40" />
               <p className="text-sm text-muted-foreground">No global alert defaults configured.</p>
               <p className="text-xs text-muted-foreground">
-                Add defaults above and they&apos;ll be applied to each new host automatically.
+                Add defaults above, then use Apply to Hosts when you want hosts to adopt them.
               </p>
             </div>
           ) : (
@@ -314,8 +361,8 @@ export function GlobalAlertsClient({ initialDefaults }: GlobalAlertsClientProps)
       <div className="flex items-start gap-2 rounded-lg border border-blue-200 bg-blue-50 p-4 text-sm text-blue-800">
         <Info className="size-4 mt-0.5 shrink-0" />
         <p>
-          Changes to global defaults only affect newly approved hosts. Existing hosts are not modified.
-          To update alert rules on existing hosts, go to the host&apos;s Alerts tab.
+          Global defaults are not evaluated directly on hosts. Use Apply to Hosts to replace
+          existing host-level metric rules with these defaults.
         </p>
       </div>
 
diff --git a/apps/web/app/(dashboard)/settings/ldap/ldap-client.tsx b/apps/web/app/(dashboard)/settings/ldap/ldap-client.tsx
index 5be16f57..4506dde9 100644
--- a/apps/web/app/(dashboard)/settings/ldap/ldap-client.tsx
+++ b/apps/web/app/(dashboard)/settings/ldap/ldap-client.tsx
@@ -35,6 +35,22 @@ import {
 } from '@/lib/actions/ldap'
 import type { LdapConfigurationSafe } from '@/lib/actions/ldap'
 
+const AD_DEFAULTS = {
+  userSearchFilter: '(sAMAccountName={{username}})',
+  usernameAttribute: 'sAMAccountName',
+  emailAttribute: 'mail',
+  displayNameAttribute: 'displayName',
+}
+
+const AD_PLACEHOLDERS = {
+  host: 'dc01.corp.example.com',
+  baseDn: 'DC=corp,DC=example,DC=com',
+  bindDn: 'CN=svc-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com',
+  userSearchBase: 'OU=Users',
+  groupSearchBase: 'OU=Groups',
+  groupSearchFilter: '(objectClass=group)',
+}
+
 const EMPTY_FORM = {
   name: '',
   host: '',
@@ -46,12 +62,12 @@ const EMPTY_FORM = {
   bindDn: '',
   bindPassword: '',
   userSearchBase: '',
-  userSearchFilter: '(uid={{username}})',
+  userSearchFilter: AD_DEFAULTS.userSearchFilter,
   groupSearchBase: '',
   groupSearchFilter: '',
-  usernameAttribute: 'uid',
-  emailAttribute: 'mail',
-  displayNameAttribute: 'cn',
+  usernameAttribute: AD_DEFAULTS.usernameAttribute,
+  emailAttribute: AD_DEFAULTS.emailAttribute,
+  displayNameAttribute: AD_DEFAULTS.displayNameAttribute,
   allowLogin: false,
 }
 
@@ -275,7 +291,7 @@ export function LdapSettingsClient({
                   <Input
                     value={addForm.host}
                     onChange={(e) => setAddForm({ ...addForm, host: e.target.value })}
-                    placeholder="ldap.example.com"
+                    placeholder={AD_PLACEHOLDERS.host}
                     data-testid="ldap-settings-add-host"
                   />
                 </div>
@@ -315,7 +331,7 @@ export function LdapSettingsClient({
                 <Input
                   value={addForm.baseDn}
                   onChange={(e) => setAddForm({ ...addForm, baseDn: e.target.value })}
-                  placeholder="dc=example,dc=com"
+                  placeholder={AD_PLACEHOLDERS.baseDn}
                   data-testid="ldap-settings-add-base-dn"
                 />
               </div>
@@ -324,7 +340,7 @@ export function LdapSettingsClient({
                 <Input
                   value={addForm.bindDn}
                   onChange={(e) => setAddForm({ ...addForm, bindDn: e.target.value })}
-                  placeholder="cn=admin,dc=example,dc=com"
+                  placeholder={AD_PLACEHOLDERS.bindDn}
                   data-testid="ldap-settings-add-bind-dn"
                 />
               </div>
@@ -342,7 +358,8 @@ export function LdapSettingsClient({
                 <Input
                   value={addForm.userSearchBase}
                   onChange={(e) => setAddForm({ ...addForm, userSearchBase: e.target.value })}
-                  placeholder="ou=users"
+                  placeholder={AD_PLACEHOLDERS.userSearchBase}
+                  data-testid="ldap-settings-add-user-search-base"
                 />
               </div>
               <div className="space-y-1.5">
@@ -350,7 +367,55 @@ export function LdapSettingsClient({
                 <Input
                   value={addForm.userSearchFilter}
                   onChange={(e) => setAddForm({ ...addForm, userSearchFilter: e.target.value })}
-                  placeholder="(uid={{username}})"
+                  placeholder={AD_DEFAULTS.userSearchFilter}
+                  data-testid="ldap-settings-add-user-filter"
+                />
+              </div>
+              <div className="grid grid-cols-3 gap-3">
+                <div className="space-y-1.5">
+                  <Label>Username Attr</Label>
+                  <Input
+                    value={addForm.usernameAttribute}
+                    onChange={(e) => setAddForm({ ...addForm, usernameAttribute: e.target.value })}
+                    placeholder={AD_DEFAULTS.usernameAttribute}
+                    data-testid="ldap-settings-add-username-attribute"
+                  />
+                </div>
+                <div className="space-y-1.5">
+                  <Label>Email Attr</Label>
+                  <Input
+                    value={addForm.emailAttribute}
+                    onChange={(e) => setAddForm({ ...addForm, emailAttribute: e.target.value })}
+                    placeholder={AD_DEFAULTS.emailAttribute}
+                    data-testid="ldap-settings-add-email-attribute"
+                  />
+                </div>
+                <div className="space-y-1.5">
+                  <Label>Display Name Attr</Label>
+                  <Input
+                    value={addForm.displayNameAttribute}
+                    onChange={(e) => setAddForm({ ...addForm, displayNameAttribute: e.target.value })}
+                    placeholder={AD_DEFAULTS.displayNameAttribute}
+                    data-testid="ldap-settings-add-display-name-attribute"
+                  />
+                </div>
+              </div>
+              <div className="space-y-1.5">
+                <Label>Group Search Base (optional)</Label>
+                <Input
+                  value={addForm.groupSearchBase}
+                  onChange={(e) => setAddForm({ ...addForm, groupSearchBase: e.target.value })}
+                  placeholder={AD_PLACEHOLDERS.groupSearchBase}
+                  data-testid="ldap-settings-add-group-search-base"
+                />
+              </div>
+              <div className="space-y-1.5">
+                <Label>Group Search Filter (optional)</Label>
+                <Input
+                  value={addForm.groupSearchFilter}
+                  onChange={(e) => setAddForm({ ...addForm, groupSearchFilter: e.target.value })}
+                  placeholder={AD_PLACEHOLDERS.groupSearchFilter}
+                  data-testid="ldap-settings-add-group-filter"
                 />
               </div>
               <div className="flex items-center justify-between">
@@ -513,7 +578,7 @@ export function LdapSettingsClient({
               <Input
                 value={editForm.host}
                 onChange={(e) => setEditForm({ ...editForm, host: e.target.value })}
-                placeholder="ldap.example.com"
+                placeholder={AD_PLACEHOLDERS.host}
                 data-testid="ldap-settings-edit-host"
               />
               </div>
@@ -554,7 +619,7 @@ export function LdapSettingsClient({
               <Input
                 value={editForm.baseDn}
                 onChange={(e) => setEditForm({ ...editForm, baseDn: e.target.value })}
-                placeholder="dc=example,dc=com"
+                placeholder={AD_PLACEHOLDERS.baseDn}
               />
             </div>
             <div className="space-y-1.5">
@@ -562,7 +627,7 @@ export function LdapSettingsClient({
               <Input
                 value={editForm.bindDn}
                 onChange={(e) => setEditForm({ ...editForm, bindDn: e.target.value })}
-                placeholder="cn=admin,dc=example,dc=com"
+                placeholder={AD_PLACEHOLDERS.bindDn}
               />
             </div>
             <div className="space-y-1.5">
@@ -579,7 +644,7 @@ export function LdapSettingsClient({
               <Input
                 value={editForm.userSearchBase}
                 onChange={(e) => setEditForm({ ...editForm, userSearchBase: e.target.value })}
-                placeholder="ou=users"
+                placeholder={AD_PLACEHOLDERS.userSearchBase}
               />
             </div>
             <div className="space-y-1.5">
@@ -587,7 +652,7 @@ export function LdapSettingsClient({
               <Input
                 value={editForm.userSearchFilter}
                 onChange={(e) => setEditForm({ ...editForm, userSearchFilter: e.target.value })}
-                placeholder="(uid={{username}})"
+                placeholder={AD_DEFAULTS.userSearchFilter}
                 data-testid="ldap-settings-edit-user-filter"
               />
             </div>
@@ -597,6 +662,7 @@ export function LdapSettingsClient({
                 <Input
                   value={editForm.usernameAttribute}
                   onChange={(e) => setEditForm({ ...editForm, usernameAttribute: e.target.value })}
+                  placeholder={AD_DEFAULTS.usernameAttribute}
                 />
               </div>
               <div className="space-y-1.5">
@@ -604,6 +670,7 @@ export function LdapSettingsClient({
                 <Input
                   value={editForm.emailAttribute}
                   onChange={(e) => setEditForm({ ...editForm, emailAttribute: e.target.value })}
+                  placeholder={AD_DEFAULTS.emailAttribute}
                 />
               </div>
               <div className="space-y-1.5">
@@ -611,6 +678,7 @@ export function LdapSettingsClient({
                 <Input
                   value={editForm.displayNameAttribute}
                   onChange={(e) => setEditForm({ ...editForm, displayNameAttribute: e.target.value })}
+                  placeholder={AD_DEFAULTS.displayNameAttribute}
                 />
               </div>
             </div>
@@ -619,7 +687,7 @@ export function LdapSettingsClient({
               <Input
                 value={editForm.groupSearchBase}
                 onChange={(e) => setEditForm({ ...editForm, groupSearchBase: e.target.value })}
-                placeholder="ou=groups"
+                placeholder={AD_PLACEHOLDERS.groupSearchBase}
               />
             </div>
             <div className="space-y-1.5">
@@ -627,7 +695,7 @@ export function LdapSettingsClient({
               <Input
                 value={editForm.groupSearchFilter}
                 onChange={(e) => setEditForm({ ...editForm, groupSearchFilter: e.target.value })}
-                placeholder="(objectClass=groupOfNames)"
+                placeholder={AD_PLACEHOLDERS.groupSearchFilter}
               />
             </div>
             <div className="flex items-center justify-between">
diff --git a/apps/web/components/terminal/host-selector-dialog.tsx b/apps/web/components/terminal/host-selector-dialog.tsx
index 0470d78e..b7d5f01a 100644
--- a/apps/web/components/terminal/host-selector-dialog.tsx
+++ b/apps/web/components/terminal/host-selector-dialog.tsx
@@ -18,6 +18,12 @@ import { Badge } from '@/components/ui/badge'
 import { listHosts } from '@/lib/actions/agents'
 import { checkTerminalAccess } from '@/lib/actions/terminal'
 import { useSession } from '@/lib/auth/client'
+import {
+  DEFAULT_TERMINAL_SSH_PORT,
+  getTerminalSshPortStorageKey,
+  normaliseTerminalSshPort,
+  parseTerminalSshPort,
+} from '@/lib/terminal/ssh-port'
 import { useTerminalPanel } from './terminal-panel-context'
 
 interface Props {
@@ -34,6 +40,7 @@ export function HostSelectorDialog({ open, onOpenChange }: Props) {
   const { data: session } = useSession()
   const [typedUsername, setTypedUsername] = useState<string | null>(null)
   const [password, setPassword] = useState('')
+  const [portInput, setPortInput] = useState(String(DEFAULT_TERMINAL_SSH_PORT))
 
   const { data: hosts = [], isLoading } = useQuery({
     queryKey: ['hosts'],
@@ -101,6 +108,19 @@ export function HostSelectorDialog({ open, onOpenChange }: Props) {
 
   const username = typedUsername ?? savedUsername
 
+  const readSavedPortInput = (hostId: string) => {
+    try {
+      return String(normaliseTerminalSshPort(localStorage.getItem(getTerminalSshPortStorageKey(hostId))))
+    } catch {
+      return String(DEFAULT_TERMINAL_SSH_PORT)
+    }
+  }
+
+  const handleSelectHost = (hostId: string) => {
+    setSelectedHostId(hostId)
+    setPortInput(readSavedPortInput(hostId))
+  }
+
   const handleConnect = async () => {
     if (!selectedHost) return
 
@@ -117,6 +137,11 @@ export function HostSelectorDialog({ open, onOpenChange }: Props) {
       setError('Password is required for SSH terminal access')
       return
     }
+    const parsedPort = parseTerminalSshPort(portInput)
+    if (!parsedPort.ok) {
+      setError(parsedPort.error)
+      return
+    }
 
     setConnecting(true)
     setError(null)
@@ -134,6 +159,7 @@ export function HostSelectorDialog({ open, onOpenChange }: Props) {
       hostId: selectedHost.id,
       hostname: selectedHost.displayName ?? selectedHost.hostname,
       username: username.trim(),
+      port: parsedPort.port,
       password,
       directAccess: false,
     })
@@ -143,6 +169,7 @@ export function HostSelectorDialog({ open, onOpenChange }: Props) {
     setSelectedHostId(null)
     setTypedUsername(null)
     setPassword('')
+    setPortInput(String(DEFAULT_TERMINAL_SSH_PORT))
     setError(null)
     setConnecting(false)
     onOpenChange(false)
@@ -152,6 +179,7 @@ export function HostSelectorDialog({ open, onOpenChange }: Props) {
     setSelectedHostId(null)
     setTypedUsername(null)
     setPassword('')
+    setPortInput(String(DEFAULT_TERMINAL_SSH_PORT))
     setError(null)
   }
 
@@ -161,6 +189,7 @@ export function HostSelectorDialog({ open, onOpenChange }: Props) {
       setSelectedHostId(null)
       setTypedUsername(null)
       setPassword('')
+      setPortInput(String(DEFAULT_TERMINAL_SSH_PORT))
       setError(null)
     }
     onOpenChange(nextOpen)
@@ -210,7 +239,7 @@ export function HostSelectorDialog({ open, onOpenChange }: Props) {
                     <button
                       key={host.id}
                       className="flex items-center gap-3 w-full px-3 py-2.5 text-left hover:bg-muted/50 transition-colors"
-                      onClick={() => setSelectedHostId(host.id)}
+                      onClick={() => handleSelectHost(host.id)}
                     >
                       <Server className="size-4 text-muted-foreground shrink-0" />
                       <div className="flex-1 min-w-0">
@@ -275,6 +304,27 @@ export function HostSelectorDialog({ open, onOpenChange }: Props) {
                     autoFocus
                   />
                 </div>
+                <div className="space-y-2">
+                  <Label htmlFor="host-selector-port" className="text-sm font-medium">
+                    SSH Port
+                  </Label>
+                  <Input
+                    id="host-selector-port"
+                    type="number"
+                    min={1}
+                    max={65535}
+                    step={1}
+                    inputMode="numeric"
+                    value={portInput}
+                    onChange={(e) => {
+                      setPortInput(e.target.value)
+                      setError(null)
+                    }}
+                    onKeyDown={(e) => {
+                      if (e.key === 'Enter' && username.trim() && password && portInput.trim()) handleConnect()
+                    }}
+                  />
+                </div>
                 <div className="space-y-2">
                   <Label htmlFor="host-selector-password" className="text-sm font-medium">
                     <KeyRound className="size-3.5 inline mr-1.5" />
@@ -290,7 +340,7 @@ export function HostSelectorDialog({ open, onOpenChange }: Props) {
                     }}
                     autoComplete="current-password"
                     onKeyDown={(e) => {
-                      if (e.key === 'Enter' && username.trim() && password) handleConnect()
+                      if (e.key === 'Enter' && username.trim() && password && portInput.trim()) handleConnect()
                     }}
                   />
                   <p className="text-xs text-muted-foreground">
@@ -317,7 +367,7 @@ export function HostSelectorDialog({ open, onOpenChange }: Props) {
           {selectedHostId && terminalAccess?.allowed && (
             <Button
               onClick={handleConnect}
-              disabled={connecting || !username.trim() || !password}
+              disabled={connecting || !username.trim() || !password || !portInput.trim()}
             >
               {connecting ? (
                 <Loader2 className="size-4 mr-1.5 animate-spin" />
diff --git a/apps/web/components/terminal/terminal-panel-context.tsx b/apps/web/components/terminal/terminal-panel-context.tsx
index c02cf8bb..cfa9919a 100644
--- a/apps/web/components/terminal/terminal-panel-context.tsx
+++ b/apps/web/components/terminal/terminal-panel-context.tsx
@@ -3,6 +3,7 @@
 import { createContext, useContext, useState, useCallback, useEffect } from 'react'
 import { createId } from '@paralleldrive/cuid2'
 import { clearTerminalPasswordForTab } from '@/lib/terminal/tab-state'
+import { normaliseTerminalSshPort } from '@/lib/terminal/ssh-port'
 
 export type TerminalTabColor =
   | 'slate'
@@ -21,6 +22,7 @@ export interface TerminalSessionBinding {
   hostId: string
   hostname: string
   username: string
+  port: number
   password?: string
   directAccess: false
 }
@@ -58,6 +60,7 @@ interface TerminalPanelActions {
     hostId: string
     hostname: string
     username: string
+    port: number
     password: string
     directAccess: false
   }) => void
@@ -192,6 +195,7 @@ function isValidBinding(value: unknown): value is TerminalSessionBinding {
     typeof b.hostId === 'string' &&
     typeof b.hostname === 'string' &&
     typeof b.username === 'string' &&
+    (b.port === undefined || (typeof b.port === 'number' && Number.isFinite(b.port))) &&
     b.directAccess === false
   )
 }
@@ -236,7 +240,10 @@ function loadPersistedState(): TerminalPanelState | null {
 
     const tabs: TerminalTabInfo[] = parsed.tabs.map((t) => ({
       id: createId(),
-      binding: t.binding,
+      binding: {
+        ...t.binding,
+        port: normaliseTerminalSshPort(t.binding.port),
+      },
       color: t.color,
       label: t.label,
       paneTree: t.paneTree,
@@ -326,6 +333,7 @@ export function TerminalPanelProvider({ children }: { children: React.ReactNode
       hostId: string
       hostname: string
       username: string
+      port: number
       password: string
       directAccess: false
     }) => {
@@ -333,7 +341,7 @@ export function TerminalPanelProvider({ children }: { children: React.ReactNode
       const paneId = createId()
       const tab: TerminalTabInfo = {
         id: tabId,
-        binding: { ...params },
+        binding: { ...params, port: normaliseTerminalSshPort(params.port) },
         color: null,
         label: null,
         paneTree: { type: 'leaf', id: paneId },
diff --git a/apps/web/components/terminal/terminal-session.tsx b/apps/web/components/terminal/terminal-session.tsx
index a65305b8..1aab7845 100644
--- a/apps/web/components/terminal/terminal-session.tsx
+++ b/apps/web/components/terminal/terminal-session.tsx
@@ -2,6 +2,7 @@
 
 import { useRef, useEffect, useCallback } from 'react'
 import { createTerminalSession } from '@/lib/actions/terminal'
+import { getTerminalSshPortStorageKey } from '@/lib/terminal/ssh-port'
 import type { TerminalSessionBinding } from './terminal-panel-context'
 
 export type TerminalSessionStatus = 'connecting' | 'connected' | 'error' | 'closed'
@@ -164,7 +165,7 @@ export function TerminalSession({
           return
         }
 
-        term.writeln(`\x1b[90mConnecting to ${binding.hostname} as ${binding.username} over SSH...\x1b[0m`)
+        term.writeln(`\x1b[90mConnecting to ${binding.hostname}:${binding.port} as ${binding.username} over SSH...\x1b[0m`)
 
         const result = await createTerminalSession(
           binding.hostId,
@@ -216,6 +217,7 @@ export function TerminalSession({
               type: 'auth',
               token: result.websocketToken,
               password: binding.password,
+              port: binding.port,
             }))
             ws.send(JSON.stringify({ type: 'resize', cols: term.cols, rows: term.rows }))
           }
@@ -228,6 +230,11 @@ export function TerminalSession({
             if (msg.type === 'ssh_connected' || msg.type === 'agent_connected') {
               sshDidConnect = true
               clearTimeout(waitingTimer)
+              try {
+                localStorage.setItem(getTerminalSshPortStorageKey(binding.hostId), String(binding.port))
+              } catch {
+                // localStorage may be unavailable
+              }
               updateStatus('connected')
               term.writeln('\x1b[32mSSH connected. Starting shell...\x1b[0m\r\n')
             } else if (msg.type === 'output' && msg.data) {
diff --git a/apps/web/lib/actions/agent-approval-alert-defaults.test.mjs b/apps/web/lib/actions/agent-approval-alert-defaults.test.mjs
new file mode 100644
index 00000000..7ac4c9c2
--- /dev/null
+++ b/apps/web/lib/actions/agent-approval-alert-defaults.test.mjs
@@ -0,0 +1,30 @@
+import test from 'node:test'
+import assert from 'node:assert/strict'
+import { readFileSync } from 'node:fs'
+import path from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+const here = path.dirname(fileURLToPath(import.meta.url))
+const agentsSource = readFileSync(path.join(here, 'agents-core.ts'), 'utf8')
+const alertsSource = readFileSync(path.join(here, 'alerts.ts'), 'utf8')
+
+test('agent approval does not automatically apply global alert defaults', () => {
+  assert.doesNotMatch(
+    agentsSource,
+    /applyGlobalDefaultsToHost/,
+    'new hosts should only receive global alert defaults when an admin explicitly applies them',
+  )
+})
+
+test('global alert defaults remain explicitly applicable to hosts', () => {
+  assert.match(
+    alertsSource,
+    /export async function replaceHostMetricAlertsWithGlobalDefaults/,
+    'host-level apply action should remain available',
+  )
+  assert.match(
+    alertsSource,
+    /export async function replaceAllHostMetricAlertsWithGlobalDefaults/,
+    'all-host apply action should remain available',
+  )
+})
diff --git a/apps/web/lib/actions/agents-core.ts b/apps/web/lib/actions/agents-core.ts
index f45eedd2..96a65a67 100644
--- a/apps/web/lib/actions/agents-core.ts
+++ b/apps/web/lib/actions/agents-core.ts
@@ -41,7 +41,6 @@ import {
 import { eq, and, isNull, gt, gte, lte, asc, desc, sql, inArray, ilike, or, count } from 'drizzle-orm'
 import type { Agent, AgentEnrolmentToken, Host, HostDockerStatus, HostMetric } from '@/lib/db/schema'
 import { HOST_HIGH_USAGE_THRESHOLD, HOST_STALE_MINUTES } from '@/lib/db/schema/hosts'
-import { applyGlobalDefaultsToHost } from '@/lib/actions/alerts'
 import { escapeLikePattern } from '@/lib/utils'
 import { getInstanceDefaultCollectionSettings } from '@/lib/actions/host-settings'
 import { triggerAgentUninstall, getTaskRun } from '@/lib/actions/task-runs-core'
@@ -185,13 +184,11 @@ export async function approveAgent(
       })
     })
 
-    // Apply defaults to the associated host (best-effort, outside transaction)
+    // Apply host setup defaults and tag policy to the associated host (best-effort, outside transaction)
     const host = await db.query.hosts.findFirst({
       where: and(eq(hosts.agentId, agentId), eq(hosts.instanceId, instanceId), isNull(hosts.deletedAt)),
     })
     if (host) {
-      await applyGlobalDefaultsToHost(instanceId, host.id)
-
       // Apply instance default collection settings + drain any pendingTags the
       // ingest handler stashed at register time. pendingTags already represent
       // the (token → CLI) merge on the ingest side; here we layer instance defaults
diff --git a/apps/web/lib/actions/alerts.ts b/apps/web/lib/actions/alerts.ts
index 010deaac..65ba80e0 100644
--- a/apps/web/lib/actions/alerts.ts
+++ b/apps/web/lib/actions/alerts.ts
@@ -19,7 +19,7 @@ const testNotificationLimiter = createRateLimiter({
 })
 import { db } from '@/lib/db'
 import { alertRules, alertInstances, notificationChannels, alertSilences, hosts } from '@/lib/db/schema'
-import { eq, and, isNull, desc, inArray, sql, lte, gte, count } from 'drizzle-orm'
+import { eq, and, isNull, isNotNull, desc, inArray, sql, lte, gte, count } from 'drizzle-orm'
 import type {
   AlertRule,
   AlertInstance,
@@ -263,33 +263,176 @@ export async function deleteGlobalAlertDefault(
   return { success: true }
 }
 
-export async function applyGlobalDefaultsToHost(
+type MetricDefaultsReplacementResult = {
+  success: true
+  deletedCount: number
+  createdCount: number
+  hostCount: number
+}
+
+function cloneMetricDefaultsForHost(
+  defaults: AlertRule[],
   instanceId: string,
   hostId: string,
-): Promise<void> {
-  await requireInstanceAdminAccess(instanceId)
-  const defaults = await db.query.alertRules.findMany({
-    where: and(
-      eq(alertRules.instanceId, instanceId),
-      isNull(alertRules.deletedAt),
-      eq(alertRules.isGlobalDefault, true),
-    ),
-    orderBy: alertRules.createdAt,
-  })
-  if (defaults.length === 0) return
+) {
+  return defaults.map((rule) => ({
+    instanceId: instanceId,
+    hostId,
+    name: rule.name,
+    conditionType: rule.conditionType,
+    config: rule.config,
+    severity: rule.severity,
+    enabled: rule.enabled,
+    isGlobalDefault: false,
+  }))
+}
 
-  await db.insert(alertRules).values(
-    defaults.map((rule) => ({
-      instanceId: instanceId,
-      hostId,
-      name: rule.name,
-      conditionType: rule.conditionType,
-      config: rule.config,
-      severity: rule.severity,
-      enabled: rule.enabled,
-      isGlobalDefault: false,
-    })),
-  )
+export async function replaceHostMetricAlertsWithGlobalDefaults(
+  hostId: string,
+): Promise<MetricDefaultsReplacementResult | { error: string }> {
+  const instanceId = await resolveCurrentAlertScope()
+  const session = await requireInstanceAdminAccess(instanceId)
+  const parsed = z.string().min(1).safeParse(hostId)
+  if (!parsed.success) return { error: 'Invalid host' }
+
+  try {
+    return await db.transaction(async (tx) => {
+      const now = new Date()
+      const [existingHost] = await tx
+        .select({ id: hosts.id })
+        .from(hosts)
+        .where(and(
+          eq(hosts.id, parsed.data),
+          eq(hosts.instanceId, instanceId),
+          isNull(hosts.deletedAt),
+        ))
+        .for('update')
+        .limit(1)
+
+      if (!existingHost) return { error: 'Host not found' }
+
+      const defaults = await tx.query.alertRules.findMany({
+        where: and(
+          eq(alertRules.instanceId, instanceId),
+          isNull(alertRules.deletedAt),
+          eq(alertRules.isGlobalDefault, true),
+          eq(alertRules.conditionType, 'metric_threshold'),
+        ),
+        orderBy: alertRules.createdAt,
+      })
+
+      const deletedRows = await tx
+        .update(alertRules)
+        .set({ deletedAt: now, updatedAt: now })
+        .where(and(
+          eq(alertRules.instanceId, instanceId),
+          eq(alertRules.hostId, existingHost.id),
+          eq(alertRules.conditionType, 'metric_threshold'),
+          eq(alertRules.isGlobalDefault, false),
+          isNull(alertRules.deletedAt),
+        ))
+        .returning({ id: alertRules.id })
+
+      if (defaults.length > 0) {
+        await tx.insert(alertRules).values(
+          cloneMetricDefaultsForHost(defaults, instanceId, existingHost.id),
+        )
+      }
+
+      await writeAuditEvent(tx, {
+        instanceId: instanceId,
+        actorUserId: session.user.id,
+        action: 'alert_rule.metric_defaults_replaced',
+        targetType: 'host',
+        targetId: existingHost.id,
+        summary: 'Replaced host metric alert rules from global defaults',
+        metadata: {
+          hostId: existingHost.id,
+          deletedCount: deletedRows.length,
+          createdCount: defaults.length,
+        },
+      })
+
+      return {
+        success: true,
+        deletedCount: deletedRows.length,
+        createdCount: defaults.length,
+        hostCount: 1,
+      }
+    })
+  } catch {
+    return { error: 'Failed to replace host metric alerts' }
+  }
+}
+
+export async function replaceAllHostMetricAlertsWithGlobalDefaults(): Promise<
+  MetricDefaultsReplacementResult | { error: string }
+> {
+  const instanceId = await resolveCurrentAlertScope()
+  const session = await requireInstanceAdminAccess(instanceId)
+
+  try {
+    return await db.transaction(async (tx) => {
+      const now = new Date()
+      const defaults = await tx.query.alertRules.findMany({
+        where: and(
+          eq(alertRules.instanceId, instanceId),
+          isNull(alertRules.deletedAt),
+          eq(alertRules.isGlobalDefault, true),
+          eq(alertRules.conditionType, 'metric_threshold'),
+        ),
+        orderBy: alertRules.createdAt,
+      })
+      const hostRows = await tx.query.hosts.findMany({
+        columns: { id: true },
+        where: and(eq(hosts.instanceId, instanceId), isNull(hosts.deletedAt)),
+        orderBy: hosts.createdAt,
+      })
+
+      const deletedRows = await tx
+        .update(alertRules)
+        .set({ deletedAt: now, updatedAt: now })
+        .where(and(
+          eq(alertRules.instanceId, instanceId),
+          isNotNull(alertRules.hostId),
+          eq(alertRules.conditionType, 'metric_threshold'),
+          eq(alertRules.isGlobalDefault, false),
+          isNull(alertRules.deletedAt),
+        ))
+        .returning({ id: alertRules.id })
+
+      if (defaults.length > 0 && hostRows.length > 0) {
+        await tx.insert(alertRules).values(
+          hostRows.flatMap((host) => cloneMetricDefaultsForHost(defaults, instanceId, host.id)),
+        )
+      }
+
+      const createdCount = defaults.length * hostRows.length
+
+      await writeAuditEvent(tx, {
+        instanceId: instanceId,
+        actorUserId: session.user.id,
+        action: 'alert_rule.metric_defaults_replaced_all_hosts',
+        targetType: 'instance',
+        targetId: instanceId,
+        summary: 'Replaced host metric alert rules from global defaults for all hosts',
+        metadata: {
+          deletedCount: deletedRows.length,
+          createdCount,
+          hostCount: hostRows.length,
+        },
+      })
+
+      return {
+        success: true,
+        deletedCount: deletedRows.length,
+        createdCount,
+        hostCount: hostRows.length,
+      }
+    })
+  } catch {
+    return { error: 'Failed to replace host metric alerts' }
+  }
 }
 
 export async function createAlertRule(
diff --git a/apps/web/lib/actions/ldap.ts b/apps/web/lib/actions/ldap.ts
index e832515e..cd5fd1d3 100644
--- a/apps/web/lib/actions/ldap.ts
+++ b/apps/web/lib/actions/ldap.ts
@@ -22,6 +22,11 @@ import type { LdapUser, LdapUserDetail } from '@/lib/ldap/client'
 
 export type { LdapConfigurationSafe } from '@/lib/ldap/config-client'
 
+const AD_DEFAULT_USER_SEARCH_FILTER = '(sAMAccountName={{username}})'
+const AD_DEFAULT_USERNAME_ATTRIBUTE = 'sAMAccountName'
+const AD_DEFAULT_EMAIL_ATTRIBUTE = 'mail'
+const AD_DEFAULT_DISPLAY_NAME_ATTRIBUTE = 'displayName'
+
 async function getInstanceInstanceId(): Promise<string> {
   const instanceId = await getDefaultInstanceId()
   if (!instanceId) {
@@ -53,12 +58,12 @@ const createLdapConfigSchema = z.object({
   bindDn: z.string().min(1, 'Bind DN is required'),
   bindPassword: z.string().min(1, 'Bind password is required'),
   userSearchBase: z.string().optional(),
-  userSearchFilter: z.string().default('(uid={{username}})'),
+  userSearchFilter: z.string().default(AD_DEFAULT_USER_SEARCH_FILTER),
   groupSearchBase: z.string().optional(),
   groupSearchFilter: z.string().optional(),
-  usernameAttribute: z.string().default('uid'),
-  emailAttribute: z.string().default('mail'),
-  displayNameAttribute: z.string().default('cn'),
+  usernameAttribute: z.string().default(AD_DEFAULT_USERNAME_ATTRIBUTE),
+  emailAttribute: z.string().default(AD_DEFAULT_EMAIL_ATTRIBUTE),
+  displayNameAttribute: z.string().default(AD_DEFAULT_DISPLAY_NAME_ATTRIBUTE),
   allowLogin: z.boolean().default(false),
 })
 
diff --git a/apps/web/lib/actions/mutation-authz.test.mjs b/apps/web/lib/actions/mutation-authz.test.mjs
index 3ba73a69..45546cad 100644
--- a/apps/web/lib/actions/mutation-authz.test.mjs
+++ b/apps/web/lib/actions/mutation-authz.test.mjs
@@ -54,7 +54,8 @@ const writeGuardedActions = [
 const adminGuardedActions = [
   ['alerts.ts', 'createGlobalAlertDefault'],
   ['alerts.ts', 'deleteGlobalAlertDefault'],
-  ['alerts.ts', 'applyGlobalDefaultsToHost'],
+  ['alerts.ts', 'replaceHostMetricAlertsWithGlobalDefaults'],
+  ['alerts.ts', 'replaceAllHostMetricAlertsWithGlobalDefaults'],
   ['automation.ts', 'updateAnsibleAutomationSettings'],
   ['automation.ts', 'createAnsibleCredentialProfile'],
   ['automation.ts', 'deleteAnsibleCredentialProfile'],
diff --git a/apps/web/lib/terminal/ssh-port.test.mjs b/apps/web/lib/terminal/ssh-port.test.mjs
new file mode 100644
index 00000000..0af22bea
--- /dev/null
+++ b/apps/web/lib/terminal/ssh-port.test.mjs
@@ -0,0 +1,35 @@
+import assert from 'node:assert/strict'
+import test from 'node:test'
+
+import {
+  DEFAULT_TERMINAL_SSH_PORT,
+  getTerminalSshPortStorageKey,
+  normaliseTerminalSshPort,
+  parseTerminalSshPort,
+} from './ssh-port.ts'
+
+test('parseTerminalSshPort accepts a custom SSH port', () => {
+  assert.deepEqual(parseTerminalSshPort('2222'), { ok: true, port: 2222 })
+})
+
+test('parseTerminalSshPort rejects missing or out-of-range ports', () => {
+  assert.deepEqual(parseTerminalSshPort(''), { ok: false, error: 'SSH port is required' })
+  assert.deepEqual(parseTerminalSshPort('0'), { ok: false, error: 'SSH port must be between 1 and 65535' })
+  assert.deepEqual(parseTerminalSshPort('65536'), { ok: false, error: 'SSH port must be between 1 and 65535' })
+})
+
+test('parseTerminalSshPort rejects non-integer ports', () => {
+  assert.deepEqual(parseTerminalSshPort('22.5'), { ok: false, error: 'SSH port must be a whole number' })
+  assert.deepEqual(parseTerminalSshPort('abc'), { ok: false, error: 'SSH port must be a whole number' })
+})
+
+test('normaliseTerminalSshPort defaults missing or stale values to 22', () => {
+  assert.equal(normaliseTerminalSshPort(undefined), DEFAULT_TERMINAL_SSH_PORT)
+  assert.equal(normaliseTerminalSshPort(null), DEFAULT_TERMINAL_SSH_PORT)
+  assert.equal(normaliseTerminalSshPort(2222), 2222)
+  assert.equal(normaliseTerminalSshPort(65536), DEFAULT_TERMINAL_SSH_PORT)
+})
+
+test('getTerminalSshPortStorageKey scopes the saved port to a host', () => {
+  assert.equal(getTerminalSshPortStorageKey('host-1'), 'terminal-ssh-port:host-1')
+})
diff --git a/apps/web/lib/terminal/ssh-port.ts b/apps/web/lib/terminal/ssh-port.ts
new file mode 100644
index 00000000..a0da9f18
--- /dev/null
+++ b/apps/web/lib/terminal/ssh-port.ts
@@ -0,0 +1,43 @@
+export const DEFAULT_TERMINAL_SSH_PORT = 22
+export const MIN_TERMINAL_SSH_PORT = 1
+export const MAX_TERMINAL_SSH_PORT = 65535
+
+export type TerminalSshPortParseResult =
+  | { ok: true; port: number }
+  | { ok: false; error: string }
+
+export function parseTerminalSshPort(input: string): TerminalSshPortParseResult {
+  const trimmed = input.trim()
+  if (!trimmed) {
+    return { ok: false, error: 'SSH port is required' }
+  }
+  if (!/^[0-9]+$/.test(trimmed)) {
+    return { ok: false, error: 'SSH port must be a whole number' }
+  }
+
+  const port = Number(trimmed)
+  if (!Number.isSafeInteger(port) || port < MIN_TERMINAL_SSH_PORT || port > MAX_TERMINAL_SSH_PORT) {
+    return { ok: false, error: 'SSH port must be between 1 and 65535' }
+  }
+
+  return { ok: true, port }
+}
+
+export function normaliseTerminalSshPort(value: unknown): number {
+  if (typeof value === 'number' && Number.isSafeInteger(value)) {
+    return value >= MIN_TERMINAL_SSH_PORT && value <= MAX_TERMINAL_SSH_PORT
+      ? value
+      : DEFAULT_TERMINAL_SSH_PORT
+  }
+
+  if (typeof value === 'string') {
+    const parsed = parseTerminalSshPort(value)
+    return parsed.ok ? parsed.port : DEFAULT_TERMINAL_SSH_PORT
+  }
+
+  return DEFAULT_TERMINAL_SSH_PORT
+}
+
+export function getTerminalSshPortStorageKey(hostId: string): string {
+  return `terminal-ssh-port:${hostId}`
+}
diff --git a/apps/web/tests/e2e/alerts/metric-default-replacement.spec.ts b/apps/web/tests/e2e/alerts/metric-default-replacement.spec.ts
new file mode 100644
index 00000000..62347138
--- /dev/null
+++ b/apps/web/tests/e2e/alerts/metric-default-replacement.spec.ts
@@ -0,0 +1,250 @@
+import { test, expect } from '../fixtures/test'
+import { getTestDb } from '../fixtures/db'
+import { TEST_INSTANCE } from '../fixtures/seed'
+
+async function getInstanceId(sql: ReturnType<typeof getTestDb>): Promise<string> {
+  const rows = await sql<Array<{ id: string }>>`
+    SELECT id
+    FROM instance_settings
+    WHERE slug = ${TEST_INSTANCE.slug}
+    LIMIT 1
+  `
+
+  expect(rows).toHaveLength(1)
+  return rows[0]!.id
+}
+
+async function seedHostsAndAlerts(sql: ReturnType<typeof getTestDb>, instanceId: string) {
+  await sql`
+    INSERT INTO hosts (
+      id,
+      instance_id,
+      hostname,
+      display_name,
+      os,
+      arch,
+      ip_addresses,
+      status
+    )
+    VALUES
+      (
+        'metric-default-host-a',
+        ${instanceId},
+        'metric-default-a',
+        'Metric Default A',
+        'Ubuntu 24.04',
+        'x86_64',
+        '["10.20.0.10"]'::jsonb,
+        'online'
+      ),
+      (
+        'metric-default-host-b',
+        ${instanceId},
+        'metric-default-b',
+        'Metric Default B',
+        'Ubuntu 24.04',
+        'x86_64',
+        '["10.20.0.11"]'::jsonb,
+        'online'
+      )
+  `
+
+  await sql`
+    INSERT INTO alert_rules (
+      id,
+      instance_id,
+      host_id,
+      name,
+      condition_type,
+      config,
+      severity,
+      is_global_default
+    )
+    VALUES
+      (
+        'metric-default-global-cpu',
+        ${instanceId},
+        NULL,
+        'Default CPU',
+        'metric_threshold',
+        '{"metric":"cpu","operator":"gt","threshold":82}'::jsonb,
+        'warning',
+        true
+      ),
+      (
+        'metric-default-global-memory',
+        ${instanceId},
+        NULL,
+        'Default Memory',
+        'metric_threshold',
+        '{"metric":"memory","operator":"gt","threshold":88}'::jsonb,
+        'critical',
+        true
+      ),
+      (
+        'metric-default-host-a-old-metric',
+        ${instanceId},
+        'metric-default-host-a',
+        'Old Host A CPU',
+        'metric_threshold',
+        '{"metric":"cpu","operator":"gt","threshold":95}'::jsonb,
+        'critical',
+        false
+      ),
+      (
+        'metric-default-host-a-check',
+        ${instanceId},
+        'metric-default-host-a',
+        'Host A Check',
+        'check_status',
+        '{"checkId":"check-a","failureThreshold":3}'::jsonb,
+        'warning',
+        false
+      ),
+      (
+        'metric-default-host-b-old-metric',
+        ${instanceId},
+        'metric-default-host-b',
+        'Old Host B Disk',
+        'metric_threshold',
+        '{"metric":"disk","operator":"gt","threshold":91}'::jsonb,
+        'warning',
+        false
+      ),
+      (
+        'metric-default-host-b-docker',
+        ${instanceId},
+        'metric-default-host-b',
+        'Host B Docker',
+        'docker_container',
+        '{"rule":"restart_loop","windowMinutes":10,"threshold":3,"sampleThreshold":3}'::jsonb,
+        'warning',
+        false
+      )
+  `
+}
+
+test('admin can replace one host metric alerts with global metric defaults', async ({ authenticatedPage: page }) => {
+  const sql = getTestDb()
+  const instanceId = await getInstanceId(sql)
+  await seedHostsAndAlerts(sql, instanceId)
+
+  await page.goto('/hosts/metric-default-host-a')
+  await page.getByTestId('host-parent-tab-monitoring').click()
+  await page.getByTestId('host-tab-alerts').click()
+  await expect(page.getByTestId('host-alert-rules-card')).toBeVisible()
+  await expect(page.getByText('Old Host A CPU')).toBeVisible({ timeout: 30_000 })
+  await expect(page.getByText('Default CPU')).toBeVisible({ timeout: 30_000 })
+  await expect(page.getByTestId('host-alert-rules-card')).not.toContainText('Default CPU')
+
+  await page.getByTestId('host-alerts-replace-metrics-with-defaults').click()
+
+  await expect
+    .poll(async () => {
+      const rows = await sql<Array<{
+        active_a_defaults: number
+        active_a_check: number
+        deleted_a_old_metric: number
+        active_b_old_metric: number
+      }>>`
+        SELECT
+          (
+            SELECT COUNT(*)::int
+            FROM alert_rules
+            WHERE instance_id = ${instanceId}
+              AND host_id = 'metric-default-host-a'
+              AND condition_type = 'metric_threshold'
+              AND deleted_at IS NULL
+              AND is_global_default = false
+              AND name IN ('Default CPU', 'Default Memory')
+          ) AS active_a_defaults,
+          (
+            SELECT COUNT(*)::int
+            FROM alert_rules
+            WHERE id = 'metric-default-host-a-check'
+              AND deleted_at IS NULL
+          ) AS active_a_check,
+          (
+            SELECT COUNT(*)::int
+            FROM alert_rules
+            WHERE id = 'metric-default-host-a-old-metric'
+              AND deleted_at IS NOT NULL
+          ) AS deleted_a_old_metric,
+          (
+            SELECT COUNT(*)::int
+            FROM alert_rules
+            WHERE id = 'metric-default-host-b-old-metric'
+              AND deleted_at IS NULL
+          ) AS active_b_old_metric
+      `
+
+      return rows[0] ?? null
+    }, { timeout: 30_000 })
+    .toEqual({
+      active_a_defaults: 2,
+      active_a_check: 1,
+      deleted_a_old_metric: 1,
+      active_b_old_metric: 1,
+    })
+})
+
+test('admin can replace all host metric alerts with global metric defaults', async ({ authenticatedPage: page }) => {
+  const sql = getTestDb()
+  const instanceId = await getInstanceId(sql)
+  await seedHostsAndAlerts(sql, instanceId)
+
+  await page.goto('/settings/monitoring')
+  await expect(page.getByTestId('settings-alert-defaults-heading')).toBeVisible()
+  await expect(page.getByText('Default CPU')).toBeVisible({ timeout: 30_000 })
+
+  await page.getByTestId('settings-alert-defaults-replace-all-host-metrics').click()
+
+  await expect
+    .poll(async () => {
+      const rows = await sql<Array<{
+        active_host_defaults: number
+        deleted_old_metrics: number
+        active_non_metric: number
+        active_global_defaults: number
+      }>>`
+        SELECT
+          (
+            SELECT COUNT(*)::int
+            FROM alert_rules
+            WHERE instance_id = ${instanceId}
+              AND host_id IN ('metric-default-host-a', 'metric-default-host-b')
+              AND condition_type = 'metric_threshold'
+              AND deleted_at IS NULL
+              AND is_global_default = false
+              AND name IN ('Default CPU', 'Default Memory')
+          ) AS active_host_defaults,
+          (
+            SELECT COUNT(*)::int
+            FROM alert_rules
+            WHERE id IN ('metric-default-host-a-old-metric', 'metric-default-host-b-old-metric')
+              AND deleted_at IS NOT NULL
+          ) AS deleted_old_metrics,
+          (
+            SELECT COUNT(*)::int
+            FROM alert_rules
+            WHERE id IN ('metric-default-host-a-check', 'metric-default-host-b-docker')
+              AND deleted_at IS NULL
+          ) AS active_non_metric,
+          (
+            SELECT COUNT(*)::int
+            FROM alert_rules
+            WHERE id IN ('metric-default-global-cpu', 'metric-default-global-memory')
+              AND deleted_at IS NULL
+              AND is_global_default = true
+          ) AS active_global_defaults
+      `
+
+      return rows[0] ?? null
+    }, { timeout: 30_000 })
+    .toEqual({
+      active_host_defaults: 4,
+      deleted_old_metrics: 2,
+      active_non_metric: 2,
+      active_global_defaults: 2,
+    })
+})
diff --git a/apps/web/tests/e2e/settings/ldap.spec.ts b/apps/web/tests/e2e/settings/ldap.spec.ts
index 8f09cfee..47bed3b5 100644
--- a/apps/web/tests/e2e/settings/ldap.spec.ts
+++ b/apps/web/tests/e2e/settings/ldap.spec.ts
@@ -20,11 +20,19 @@ test('admin can create, edit, toggle, and delete an LDAP configuration', async (
   await expect(page.getByTestId('ldap-settings-empty-state')).toBeVisible()
 
   await page.getByTestId('ldap-settings-add-open').click()
+  await expect(page.getByTestId('ldap-settings-add-host')).toHaveAttribute('placeholder', 'dc01.corp.example.com')
+  await expect(page.getByTestId('ldap-settings-add-base-dn')).toHaveAttribute('placeholder', 'DC=corp,DC=example,DC=com')
+  await expect(page.getByTestId('ldap-settings-add-bind-dn')).toHaveAttribute('placeholder', 'CN=svc-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com')
   await page.getByTestId('ldap-settings-add-name').fill('Corporate AD')
   await page.getByTestId('ldap-settings-add-host').fill('ldap.internal.example')
-  await page.getByTestId('ldap-settings-add-base-dn').fill('dc=internal,dc=example')
-  await page.getByTestId('ldap-settings-add-bind-dn').fill('cn=svc-ldap,dc=internal,dc=example')
+  await page.getByTestId('ldap-settings-add-base-dn').fill('DC=internal,DC=example')
+  await page.getByTestId('ldap-settings-add-bind-dn').fill('CN=svc-ldap,DC=internal,DC=example')
   await page.getByTestId('ldap-settings-add-bind-password').fill('SuperSecret123!')
+  await expect(page.getByTestId('ldap-settings-add-user-filter')).toHaveValue('(sAMAccountName={{username}})')
+  await expect(page.getByTestId('ldap-settings-add-username-attribute')).toHaveValue('sAMAccountName')
+  await page.getByTestId('ldap-settings-add-user-search-base').fill('ou=Staff')
+  await page.getByTestId('ldap-settings-add-group-search-base').fill('ou=Security Groups')
+  await page.getByTestId('ldap-settings-add-group-filter').fill('(objectClass=group)')
   await page.getByTestId('ldap-settings-add-submit').click()
   await expect(page.getByText('Corporate AD')).toBeVisible()
 
@@ -32,11 +40,31 @@ test('admin can create, edit, toggle, and delete an LDAP configuration', async (
     id: string
     host: string
     port: number
+    user_search_base: string | null
+    user_search_filter: string
+    group_search_base: string | null
+    group_search_filter: string | null
+    username_attribute: string
+    email_attribute: string
+    display_name_attribute: string
     allow_login: boolean
     enabled: boolean
     deleted_at: string | null
   }>>`
-    SELECT id, host, port, allow_login, enabled, deleted_at
+    SELECT
+      id,
+      host,
+      port,
+      user_search_base,
+      user_search_filter,
+      group_search_base,
+      group_search_filter,
+      username_attribute,
+      email_attribute,
+      display_name_attribute,
+      allow_login,
+      enabled,
+      deleted_at
     FROM ldap_configurations
     WHERE instance_id = ${instanceId}
       AND name = 'Corporate AD'
@@ -46,6 +74,13 @@ test('admin can create, edit, toggle, and delete an LDAP configuration', async (
   expect(createdRows).toHaveLength(1)
   expect(createdRows[0]?.host).toBe('ldap.internal.example')
   expect(createdRows[0]?.port).toBe(389)
+  expect(createdRows[0]?.user_search_base).toBe('ou=Staff')
+  expect(createdRows[0]?.user_search_filter).toBe('(sAMAccountName={{username}})')
+  expect(createdRows[0]?.group_search_base).toBe('ou=Security Groups')
+  expect(createdRows[0]?.group_search_filter).toBe('(objectClass=group)')
+  expect(createdRows[0]?.username_attribute).toBe('sAMAccountName')
+  expect(createdRows[0]?.email_attribute).toBe('mail')
+  expect(createdRows[0]?.display_name_attribute).toBe('displayName')
   expect(createdRows[0]?.allow_login).toBe(false)
   expect(createdRows[0]?.enabled).toBe(true)
   expect(createdRows[0]?.deleted_at).toBeNull()