diff --git a/main.go b/main.go
index b4b2f80..ddb6355 100644
--- a/main.go
+++ b/main.go
@@ -48,18 +48,110 @@ func main() {
 
 func index(w http.ResponseWriter, _ *http.Request) {
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	jwtLib := "unknown"
+	if bi, ok := debug.ReadBuildInfo(); ok {
+		for _, d := range bi.Deps {
+			if d.Path == "github.com/dgrijalva/jwt-go" || d.Path == "github.com/golang-jwt/jwt/v5" {
+				jwtLib = d.Path + "@" + d.Version
+				break
+			}
+		}
+	}
+	vulnerable := jwtLib == "github.com/dgrijalva/jwt-go@v3.2.0+incompatible"
+	pillClass := "pill-good"
+	pillText := "patched"
+	if vulnerable {
+		pillClass = "pill-bad"
+		pillText = "vulnerable"
+	}
 	fmt.Fprintf(w, `<!doctype html>
-<html><head><title>demo-secure</title></head>
-<body style="font-family:sans-serif;max-width:40em;margin:3em auto">
-<h1>demo-secure</h1>
-<p>A minimal Go service used to demonstrate the RHADS supply chain:
-RHDH onboarding &rarr; RHTAS signing &rarr; RHTPA scanning &rarr; patch.</p>
-<ul>
-  <li><a href="/version">/version</a> &mdash; dependency info</li>
-  <li><a href="/healthz">/healthz</a> &mdash; liveness</li>
-  <li><code>POST /verify</code> with a Bearer token &mdash; exercises the JWT library</li>
-</ul>
-</body></html>`)
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1">
+<title>demo-secure &middot; RHADS supply-chain demo</title>
+<style>
+  :root {
+    --bg: #0f1115; --panel: #1a1d24; --line: #2a2f3a;
+    --fg: #e6e8eb; --muted: #9aa3ad; --accent: #ee0000;
+    --good: #2ecc71; --bad: #e74c3c;
+  }
+  * { box-sizing: border-box }
+  body {
+    margin: 0; background: var(--bg); color: var(--fg);
+    font-family: ui-sans-serif, system-ui, -apple-system, "Segoe UI", sans-serif;
+    line-height: 1.5;
+  }
+  .wrap { max-width: 56rem; margin: 0 auto; padding: 3rem 1.25rem 4rem }
+  header { border-bottom: 1px solid var(--line); padding-bottom: 1.25rem; margin-bottom: 1.75rem }
+  .brand { display: flex; align-items: baseline; gap: .75rem }
+  h1 { margin: 0; font-size: 2rem; letter-spacing: -.02em }
+  .brand .accent { color: var(--accent); font-weight: 700 }
+  .lede { color: var(--muted); margin: .5rem 0 0 }
+  .pills { display: flex; gap: .5rem; flex-wrap: wrap; margin: 1rem 0 0 }
+  .pill {
+    font-size: .75rem; text-transform: uppercase; letter-spacing: .08em;
+    padding: .2rem .55rem; border-radius: 999px; border: 1px solid var(--line);
+    background: var(--panel); color: var(--muted);
+  }
+  .pill-good { color: #0b1; border-color: rgba(46,204,113,.4); background: rgba(46,204,113,.08) }
+  .pill-bad  { color: #e85; border-color: rgba(231,76,60,.4); background: rgba(231,76,60,.10) }
+  .grid { display: grid; gap: 1rem; grid-template-columns: repeat(auto-fit, minmax(16rem,1fr)) }
+  .card {
+    background: var(--panel); border: 1px solid var(--line); border-radius: .6rem;
+    padding: 1.1rem 1.2rem;
+  }
+  .card h2 { margin: 0 0 .35rem; font-size: 1.05rem; letter-spacing: -.01em }
+  .card p  { margin: 0; color: var(--muted); font-size: .95rem }
+  .card a { color: var(--fg); text-decoration: none; border-bottom: 1px dotted var(--muted) }
+  .card a:hover { border-bottom-color: var(--accent); color: #fff }
+  .code {
+    font-family: ui-monospace, "JetBrains Mono", Menlo, monospace;
+    background: #0a0c10; border: 1px solid var(--line); border-radius: .35rem;
+    padding: .15rem .45rem; font-size: .85em;
+  }
+  footer { color: var(--muted); font-size: .85rem; margin-top: 2rem; text-align: center }
+  .dep { margin-top: 1rem; font-size: .9rem; color: var(--muted) }
+  .dep strong { color: var(--fg) }
+</style>
+</head>
+<body>
+<div class="wrap">
+  <header>
+    <div class="brand">
+      <h1>demo-<span class="accent">secure</span></h1>
+      <span class="pill">go service</span>
+    </div>
+    <p class="lede">A minimal HTTP service threaded through the Red Hat Advanced Developer Suite: RHDH golden-path scaffolding &rarr; Tekton build &rarr; RHTAS keyless signing &rarr; RHTPA SBOM scanning.</p>
+    <div class="pills">
+      <span class="pill pill-good">image signed (cosign + Fulcio)</span>
+      <span class="pill pill-good">SBOM attested (CycloneDX)</span>
+      <span class="pill %s">jwt-go %s</span>
+    </div>
+    <p class="dep">Active JWT library: <span class="code">%s</span></p>
+  </header>
+
+  <section class="grid">
+    <div class="card">
+      <h2><a href="/version">GET /version</a></h2>
+      <p>Build info plus the full dependency tree. Proves at runtime which jwt-go version is shipped.</p>
+    </div>
+    <div class="card">
+      <h2><a href="/healthz">GET /healthz</a></h2>
+      <p>Liveness probe endpoint. Returns 200 OK while the process is up.</p>
+    </div>
+    <div class="card">
+      <h2><span class="code">POST /verify</span></h2>
+      <p>Send <span class="code">Authorization: Bearer &lt;jwt&gt;</span> to exercise the JWT library &mdash; this is the call path RHTPA sees as in-use.</p>
+    </div>
+  </section>
+
+  <footer>
+    Built and signed in the Hibachi Ninja lab. Verify with <span class="code">scripts/show-signature.sh</span> on the bootstrap repo.
+  </footer>
+</div>
+</body>
+</html>`, pillClass, pillText, jwtLib)
 }
 
 func version(w http.ResponseWriter, _ *http.Request) {