Freshly-authored HTML form at /api/v2/sql-demo/ — same vulnerability surface, modernized layout (system fonts, focus rings, dark-mode), a vulnerable/safe mode toggle, four quick-payload buttons (legit + classic injection + two UNION attacks that hit the role-lockdown wall), and an audit-aware footer linking straight to the trail. Sign-in still required; every attempt still audited as tier=enhanced.