diff --git a/src/gallery.el b/src/gallery.el
index 01528df..3ad5b4b 100644
--- a/src/gallery.el
+++ b/src/gallery.el
@@ -271,7 +271,113 @@ window.NEURON_CFG=window.NEURON_CFG||{};
 window.NEURON_CFG.supabase_url=\"" + supabase_url + "\";
 window.NEURON_CFG.supabase_anon_key=\"" + supabase_anon_key + "\";
 </script>
-<script src=\"/assets/js/d8251f5e5aa1.js\" defer></script>
+<script>
+(function(){
+  var cfg=window.NEURON_CFG||{};
+  var sbUrl=cfg.supabase_url,sbKey=cfg.supabase_anon_key;
+  if(!sbUrl||!sbKey)return;
+  var sb=window.supabase.createClient(sbUrl,sbKey);
+  var token=null;
+  var votes={};
+
+  function getCtrl(sid){
+    var found=null;
+    document.querySelectorAll('.vote-controls').forEach(function(c){
+      if(c.getAttribute('data-share-id')===sid)found=c;
+    });
+    return found;
+  }
+
+  function applyState(ctrl,state){
+    var sid=ctrl.getAttribute('data-share-id');
+    votes[sid]=state.user_vote||'none';
+    var scoreEl=ctrl.querySelector('.vote-score');
+    if(scoreEl&&state.score!=null)scoreEl.textContent=state.score;
+    var upBtn=ctrl.querySelector('.vote-btn.vote-up');
+    var dnBtn=ctrl.querySelector('.vote-btn.vote-down');
+    if(upBtn){upBtn.disabled=false;upBtn.classList.toggle('is-active',state.user_vote==='up');}
+    if(dnBtn){dnBtn.disabled=false;dnBtn.classList.toggle('is-active',state.user_vote==='down');}
+  }
+
+  function loadVoteState(sid){
+    var url='/api/vote-state/'+sid;
+    if(token)url+='?access_token='+encodeURIComponent(token);
+    fetch(url).then(function(r){return r.json();}).then(function(d){
+      var ctrl=getCtrl(sid);
+      if(ctrl)applyState(ctrl,d);
+    }).catch(function(){});
+  }
+
+  function loadAll(){
+    document.querySelectorAll('.vote-controls').forEach(function(ctrl){
+      var id=ctrl.getAttribute('data-share-id');
+      if(id)loadVoteState(id);
+    });
+  }
+
+  function castVote(sid,direction){
+    if(!token){showSignIn();return;}
+    var ctrl=getCtrl(sid);
+    var btns=ctrl?ctrl.querySelectorAll('.vote-btn'):[];
+    btns.forEach(function(b){b.disabled=true;b.classList.add('is-loading');});
+    fetch('/api/vote',{
+      method:'POST',
+      headers:{'Content-Type':'application/json'},
+      body:JSON.stringify({access_token:token,id:sid,direction:direction})
+    }).then(function(r){return r.json();}).then(function(d){
+      if(ctrl&&d.ok)applyState(ctrl,d);
+      btns.forEach(function(b){b.disabled=false;b.classList.remove('is-loading');});
+    }).catch(function(){
+      btns.forEach(function(b){b.disabled=false;b.classList.remove('is-loading');});
+    });
+  }
+
+  document.querySelectorAll('.vote-controls').forEach(function(ctrl){
+    ctrl.querySelectorAll('.vote-btn').forEach(function(btn){
+      btn.addEventListener('click',function(){
+        var sid=ctrl.getAttribute('data-share-id');
+        if(!token){showSignIn();return;}
+        var dir=btn.getAttribute('data-direction');
+        var cur=votes[sid]||'none';
+        castVote(sid,cur===dir?'none':dir);
+      });
+    });
+  });
+
+  var modal=document.getElementById('signin-modal');
+  var cancelEl=document.getElementById('signin-cancel');
+  var sendEl=document.getElementById('signin-send');
+  var emailEl=document.getElementById('signin-email');
+  var msgEl=document.getElementById('signin-msg');
+
+  function showSignIn(){if(modal)modal.classList.add('open');if(emailEl)emailEl.focus();}
+
+  if(cancelEl)cancelEl.addEventListener('click',function(){modal.classList.remove('open');});
+  if(modal)modal.addEventListener('click',function(e){if(e.target===modal)modal.classList.remove('open');});
+  if(sendEl)sendEl.addEventListener('click',function(){
+    var email=emailEl?emailEl.value.trim():'';
+    if(!email){if(msgEl)msgEl.textContent='Please enter your email.';return;}
+    sendEl.disabled=true;
+    if(msgEl)msgEl.textContent='Sending...';
+    sb.auth.signInWithOtp({email:email,options:{emailRedirectTo:window.location.href}}).then(function(r){
+      sendEl.disabled=false;
+      if(msgEl)msgEl.textContent=r.error?(r.error.message||'Error. Try again.'):'Check your email for a sign-in link.';
+    });
+  });
+  if(emailEl)emailEl.addEventListener('keydown',function(e){if(e.key==='Enter'&&sendEl)sendEl.click();});
+
+  sb.auth.onAuthStateChange(function(event,session){
+    token=session?session.access_token:null;
+    if(token&&modal)modal.classList.remove('open');
+    loadAll();
+  });
+
+  sb.auth.getSession().then(function(r){
+    token=r.data&&r.data.session?r.data.session.access_token:null;
+    loadAll();
+  });
+})();
+</script>
 <script src=\"/assets/js/cd30551e3c3b.js\" defer></script>
 </body>
 </html>"
diff --git a/src/main.el b/src/main.el
index ac0e8d0..2a4c0c4 100644
--- a/src/main.el
+++ b/src/main.el
@@ -1448,11 +1448,17 @@ fn handle_request(method: String, path: String, body: String) -> String {
             let del_url: String = v_sb_url + "/rest/v1/share_votes?share_id=eq." + v_id + "&user_id=eq." + v_uid
             let _del_resp: String = http_delete_auth(del_url, v_jwt, v_anon)
         } else {
-            // up/down - upsert. PostgREST resolves on the (share_id, user_id) PK
-            // when on_conflict matches. The trigger fires on insert and update.
+            // up/down — delete any existing vote first (idempotent), then insert fresh.
+            // Upsert via user JWT requires both INSERT + UPDATE RLS policies; the
+            // UPDATE policy is often absent. Delete-then-insert is more reliable:
+            // user JWT covers the DELETE (auth.uid()=user_id RLS passes),
+            // service key covers the INSERT (bypasses RLS; user identity already
+            // validated above via supabase_auth_user). The recalc trigger fires on
+            // both operations and keeps share_cards.score accurate.
+            let del_url: String = v_sb_url + "/rest/v1/share_votes?share_id=eq." + v_id + "&user_id=eq." + v_uid
+            let _del_r: String = http_delete_auth(del_url, v_jwt, v_anon)
             let row: String = "{\"share_id\":\"" + v_id + "\",\"user_id\":\"" + v_uid + "\",\"direction\":\"" + v_dir + "\"}"
-            let up_path: String = "share_votes?on_conflict=share_id,user_id"
-            let _up_resp: String = supabase_upsert_user(v_sb_url, v_anon, v_jwt, up_path, row)
+            let _ins_r: String = supabase_insert(v_sb_url, v_service, "share_votes", row)
         }
         // Re-fetch fresh aggregate from share_cards (service key - public read).
         // PostgREST returns a JSON array; use json_array_get(0) then json_get.