diff --git a/llm_team_ui.py b/llm_team_ui.py
index a93f5c2..1490728 100644
--- a/llm_team_ui.py
+++ b/llm_team_ui.py
@@ -126,19 +126,48 @@ def login_required(f):
     return decorated
 
 
+# Pages/APIs that require showcase mode (blocked in basic demo)
+SHOWCASE_ONLY_ROUTES = {
+    "/logs", "/admin/monitor", "/history",
+    "/api/admin/logs", "/api/admin/monitor", "/api/admin/sentinel",
+    "/api/admin/security", "/api/admin/security/enrich", "/api/admin/wall-of-shame",
+    "/api/meta-pipelines", "/api/self-reports", "/api/self-analyze",
+    "/api/runs/vectors", "/api/runs/tags",
+}
+
+
 def admin_required(f):
     @wraps(f)
     def decorated(*args, **kwargs):
-        # Demo/showcase mode: full read access to everything
         if is_demo():
+            path = request.path
+            is_showcase = _demo_mode.get("showcase", False)
+
+            # Demo mode (not showcase): only allow admin page itself (GET) for browsing
+            # Block deeper pages like logs, monitor, history
+            if not is_showcase:
+                # Check if this route needs showcase
+                for route in SHOWCASE_ONLY_ROUTES:
+                    if path == route or path.startswith(route + "/"):
+                        if not is_admin():
+                            if path.startswith("/api/"):
+                                return jsonify({"error": "showcase mode required", "demo": True}), 403
+                            return redirect("/")
+                        break
+
+            # GET requests: allow (admin page view in demo, everything in showcase)
             if request.method == "GET":
                 return f(*args, **kwargs)
-            # Allow specific read-like POSTs (enrichment, self-analysis, team runs)
-            if request.path in DEMO_ALLOWED_POSTS:
+
+            # POSTs: allow read-like actions
+            if path in DEMO_ALLOWED_POSTS:
                 return f(*args, **kwargs)
-            # Block destructive writes
+
+            # Block destructive writes for non-admins
             if not is_admin():
                 return jsonify({"error": "demo mode: read-only", "demo": True}), 403
+
+        # Normal auth: require login + admin role
         if not session.get("user_id"):
             if request.path.startswith("/api/"):
                 return jsonify({"error": "unauthorized"}), 401
@@ -3017,8 +3046,8 @@ ADMIN_HTML = r"""
           <button class="btn btn-r" onclick="setDemoMode('off')">Off</button>
         </div>
       </h3>
-      <p style="font-size:12px;color:var(--text2);margin-bottom:6px"><strong>Demo</strong> — public can use Team UI and run modes. No admin access.</p>
-      <p style="font-size:12px;color:var(--text2);margin-bottom:10px"><strong>Showcase</strong> — full read-only access to everything: Admin, Monitor, Logs, Threat Intel, Lab, History. Cannot change settings or delete data.</p>
+      <p style="font-size:12px;color:var(--text2);margin-bottom:6px"><strong>Demo</strong> — public can use Team UI, run modes, and browse the Admin panel. Cannot access Logs, Monitor, History, or deep admin features.</p>
+      <p style="font-size:12px;color:var(--text2);margin-bottom:10px"><strong>Showcase</strong> — full read-only access to everything: Admin, Monitor, Logs, Threat Intel, Lab, History. Can run enrichments and self-analysis. Cannot change settings or delete data. Use this for client demos.</p>
       <div id="demo-status-admin" style="font-size:13px">Status: <strong style="color:var(--text2)">Off</strong></div>
     </div>
     <div class="card">