diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0dba5fe..ff70d2f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,18 @@ All notable changes to RustChan will be documented in this file.
 ---
 ## [1.1.0]
 
+## 🌐 New: ChanNet API (Port 7070)
+
+RustChan can now talk to other RustChans. Introducing the **ChanNet API** — a two-layer federation and gateway system living entirely on port 7070.
+
+**Layer 1 — Federation** (`/chan/export`, `/chan/import`, `/chan/refresh`, `/chan/poll`): nodes sync with each other via ZIP snapshots. Push your posts out, pull theirs in, keep your mirror fresh.
+
+**Layer 2 — RustWave Gateway** (`/chan/command`): the [RustWave](https://github.com/a2kiti/rustwave) audio transport client gets its own command interface. Send a typed JSON command, get a ZIP back. Supported commands: `full_export`, `board_export`, `thread_export`, `archive_export`, `force_refresh`, and `reply_push` (the only one that actually writes anything).
+
+Text only — no images, no media, no binary data cross this interface by design. Full schema docs in `channet_api_reference.docx`.
+
+---
+
 ## Architecture Refactor
 
 This release restructures the codebase for maintainability. No user-facing
diff --git a/Cargo.lock b/Cargo.lock
index 3990ff7..b91e553 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1756,6 +1756,7 @@ dependencies = [
  "serde",
  "serde_json",
  "sha2",
+ "subtle",
  "tempfile",
  "thiserror",
  "time",
diff --git a/Cargo.toml b/Cargo.toml
index b39eb0c..23fa9b4 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -48,8 +48,9 @@ serde_json = "1"
 # toml 1.0: serde parsing is built-in, no feature flag needed.
 toml  = "1.0"
 
-argon2 = "0.5"
-sha2   = "0.10"
+argon2  = "0.5"
+sha2    = "0.10"
+subtle  = "2"
 hex    = "0.4"
 # rand_core 0.6 replaces rand = "0.8" entirely.
 # We only need OsRng + RngCore, both of which live in rand_core.
diff --git a/clippy_reports/summary.txt b/clippy_reports/summary.txt
index 3db62a6..62610ea 100644
--- a/clippy_reports/summary.txt
+++ b/clippy_reports/summary.txt
@@ -1,5 +1,5 @@
-dev-check summary — Tue 17 Mar 2026 12:34:13 PDT
-Duration: 163s
+dev-check summary — Tue 17 Mar 2026 17:44:42 PDT
+Duration: 177s
 Passed:   11
 Failed:   0
 Skipped:  0
diff --git a/src/chan_net/import.rs b/src/chan_net/import.rs
index 26f76be..c9c11bc 100644
--- a/src/chan_net/import.rs
+++ b/src/chan_net/import.rs
@@ -47,22 +47,17 @@ pub async fn do_import(state: &AppState, bytes: bytes::Bytes) -> Result<usize, A
         unpack_snapshot(&bytes).map_err(|e| AppError::BadRequest(e.to_string()))?;
 
     // ── 2. Ed25519 signature check ───────────────────────────────────────────
-    // Verification is not yet implemented. If a signature is present we log a
-    // warning and continue rather than silently ignoring it.  A future phase
-    // will verify the signature and reject snapshots that fail verification.
+    // Verification is not yet implemented. Reject any signed snapshot rather
+    // than silently accepting unverified data. A signed snapshot without
+    // verification offers zero authenticity guarantee and exposes the
+    // chan_net_posts table to arbitrary data injection.
     //
-    // SECURITY NOTE: Accepting signed snapshots without verification means
-    // signature presence currently offers no authenticity guarantee.  Do NOT
-    // promote this instance to production without completing Ed25519
-    // verification (see channet_build_plan.md § 6.3).
-    if let Some(ref sig) = metadata.signature {
-        tracing::warn!(
-            tx_id = %metadata.tx_id,
-            signature = %sig,
-            "Snapshot carries an Ed25519 signature — verification not yet \
-             implemented; signature will not be checked until Phase N. \
-             Proceeding without verification."
-        );
+    // This guard must be removed only when Phase N (Ed25519 verification) is
+    // fully implemented and tested (see channet_build_plan.md § 6.3).
+    if metadata.signature.is_some() {
+        return Err(AppError::BadRequest(
+            "Ed25519 signature verification is not yet implemented.              Signed snapshots are rejected until Phase N is complete.".into(),
+        ));
     }
 
     // ── 3. Ledger check — must happen BEFORE any DB write ───────────────────
diff --git a/src/chan_net/mod.rs b/src/chan_net/mod.rs
index b216839..f74980a 100644
--- a/src/chan_net/mod.rs
+++ b/src/chan_net/mod.rs
@@ -138,6 +138,39 @@ async fn json_body_limit_error(req: axum::http::Request<axum::body::Body>, next:
     response
 }
 
+// ─── ChanNet API key middleware ───────────────────────────────────────────────
+
+/// Middleware that enforces the pre-shared `X-ChanNet-Key` header on sensitive
+/// `ChanNet` endpoints (/chan/refresh and /chan/poll).
+///
+/// FIX[High-9]: These endpoints were previously unauthenticated. Any process
+/// that could reach the `ChanNet` bind address could trigger a full DB snapshot
+/// push (refresh) or pull-and-import from a remote node (poll) with no
+/// credentials. The API key is configured via `CHAN_NET_API_KEY` / settings.toml.
+///
+/// If `chan_net_api_key` is empty the request is rejected with 403 Forbidden
+/// (the feature is intentionally disabled rather than wide open).
+async fn verify_chan_api_key(req: axum::extract::Request, next: Next) -> Response {
+    use subtle::ConstantTimeEq as _;
+    let expected = &crate::config::CONFIG.chan_net_api_key;
+    if expected.is_empty() {
+        // API key not configured — refuse the request to prevent accidental
+        // exposure when an operator forgets to set the key.
+        return StatusCode::FORBIDDEN.into_response();
+    }
+    let provided = req
+        .headers()
+        .get("X-ChanNet-Key")
+        .and_then(|v| v.to_str().ok())
+        .unwrap_or("");
+    // Constant-time comparison to prevent timing side-channels.
+    if provided.as_bytes().ct_eq(expected.as_bytes()).into() {
+        next.run(req).await
+    } else {
+        StatusCode::UNAUTHORIZED.into_response()
+    }
+}
+
 /// Build the `ChanNet` router.
 ///
 /// All `/chan/*` routes are wired here. `DefaultBodyLimit` is applied
@@ -170,7 +203,14 @@ pub fn chan_router(state: AppState) -> Router {
             "/chan/import",
             post(import::chan_import).layer(DefaultBodyLimit::max(CONFIG.chan_net_max_body)),
         )
-        .route("/chan/refresh", post(refresh::chan_refresh))
-        .route("/chan/poll", post(poll::chan_poll))
+        // FIX[High-9]: /chan/refresh and /chan/poll now require X-ChanNet-Key.
+        .route(
+            "/chan/refresh",
+            post(refresh::chan_refresh).layer(middleware::from_fn(verify_chan_api_key)),
+        )
+        .route(
+            "/chan/poll",
+            post(poll::chan_poll).layer(middleware::from_fn(verify_chan_api_key)),
+        )
         .with_state(state)
 }
diff --git a/src/config.rs b/src/config.rs
index 8851902..94ad46b 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -94,6 +94,10 @@ struct SettingsFile {
     /// Address to bind the second `ChanNet` TCP listener.
     /// Default: 127.0.0.1:7070 (loopback-only; not exposed to the internet).
     chan_net_bind: Option<String>,
+    /// Pre-shared API key required for /chan/refresh and /chan/poll endpoints.
+    /// Must be at least 32 characters. Leave empty to disable the endpoints.
+    /// Set via `CHAN_NET_API_KEY` environment variable or `settings.toml`.
+    chan_net_api_key: Option<String>,
 }
 
 fn load_settings_file() -> SettingsFile {
@@ -307,6 +311,9 @@ pub struct Config {
     pub chan_net_max_body: usize,
     /// Maximum request body size for `/chan/command` (raw JSON). Default: 8 KiB.
     pub chan_net_command_max_body: usize,
+    /// Pre-shared key required on X-ChanNet-Key header for /chan/refresh and
+    /// /chan/poll. An empty string means those endpoints are disabled entirely.
+    pub chan_net_api_key: String,
 }
 
 impl Config {
@@ -474,6 +481,10 @@ impl Config {
             chan_net_bind,
             chan_net_max_body,
             chan_net_command_max_body,
+            chan_net_api_key: std::env::var("CHAN_NET_API_KEY")
+                .ok()
+                .or(s.chan_net_api_key)
+                .unwrap_or_default(),
         }
     }
 
diff --git a/src/db/boards.rs b/src/db/boards.rs
index cb10e17..9aa4d48 100644
--- a/src/db/boards.rs
+++ b/src/db/boards.rs
@@ -414,13 +414,18 @@ pub fn delete_board(conn: &rusqlite::Connection, id: i64) -> Result<Vec<String>>
 
 /// Per-board thread and post counts for the terminal stats display.
 pub fn get_per_board_stats(conn: &rusqlite::Connection) -> Vec<(String, i64, i64)> {
+    // FIX[High-11]: Replace N+1 correlated subqueries (2 subqueries × boards)
+    // with a single LEFT JOIN … GROUP BY pass. For a forum with 20 boards the
+    // old query executed 41 SQL statements; this executes 1.
     let Ok(mut stmt) = conn.prepare(
         "SELECT b.short_name, \
-                (SELECT COUNT(*) FROM threads WHERE board_id = b.id) AS tc, \
-                (SELECT COUNT(*) FROM posts p \
-                   JOIN threads t ON p.thread_id = t.id \
-                  WHERE t.board_id = b.id) AS pc \
-         FROM boards b ORDER BY b.short_name",
+                COUNT(DISTINCT t.id) AS tc, \
+                COUNT(DISTINCT p.id) AS pc \
+         FROM boards b \
+         LEFT JOIN threads t ON t.board_id = b.id \
+         LEFT JOIN posts   p ON p.thread_id = t.id \
+         GROUP BY b.id \
+         ORDER BY b.short_name",
     ) else {
         return vec![];
     };
diff --git a/src/db/chan_net.rs b/src/db/chan_net.rs
index 3af2c64..ccbd95b 100644
--- a/src/db/chan_net.rs
+++ b/src/db/chan_net.rs
@@ -64,12 +64,17 @@ pub fn insert_board_if_absent(conn: &Connection, short_name: &str, title: &str)
         return Ok(id);
     }
 
-    conn.execute(
+    // FIX[High-7]: Use INSERT … RETURNING id instead of last_insert_rowid().
+    // last_insert_rowid() is connection-local; in a multi-connection pool another
+    // write on the same connection between the INSERT and this call would return
+    // the wrong row ID.
+    let id: i64 = conn.query_row(
         "INSERT INTO boards (short_name, title, description, nsfw, max_threads, bump_limit)
-         VALUES (?1, ?2, '', 0, 100, 300)",
+         VALUES (?1, ?2, '', 0, 100, 300) RETURNING id",
         rusqlite::params![short_name, title],
+        |r| r.get(0),
     )?;
-    Ok(conn.last_insert_rowid())
+    Ok(id)
 }
 
 // ── insert_post_if_absent ─────────────────────────────────────────────────────
diff --git a/src/db/posts.rs b/src/db/posts.rs
index 5d33204..1523692 100644
--- a/src/db/posts.rs
+++ b/src/db/posts.rs
@@ -369,7 +369,7 @@ pub fn verify_deletion_token(
 /// # Errors
 /// Returns an error if the database operation fails.
 pub fn edit_post(
-    conn: &rusqlite::Connection,
+    conn: &mut rusqlite::Connection,
     post_id: i64,
     token: &str,
     new_body: &str,
@@ -382,54 +382,51 @@ pub fn edit_post(
         edit_window_secs
     };
 
-    // BEGIN IMMEDIATE acquires the write lock now, preventing any concurrent
-    // writer from modifying the post between our SELECT and UPDATE.
-    conn.execute_batch("BEGIN IMMEDIATE")
+    // FIX[High-6]: Use rusqlite's typed transaction API instead of raw
+    // execute_batch("BEGIN IMMEDIATE"). Raw execute_batch does not update
+    // rusqlite's internal transaction-tracking state; a subsequent call to
+    // unchecked_transaction() on the same pooled connection would attempt to
+    // start a nested transaction on top of an already-committed one, causing
+    // SQLITE_ERROR: cannot start a transaction within a transaction.
+    let tx = conn
+        .transaction_with_behavior(rusqlite::TransactionBehavior::Immediate)
         .context("Failed to begin IMMEDIATE transaction for edit_post")?;
 
-    let result: Result<bool> = (|| {
-        // FIX[HIGH-2]: Fetch token and created_at in a single round-trip.
-        let row: Option<(String, i64)> = conn
-            .query_row(
-                "SELECT deletion_token, created_at FROM posts WHERE id = ?1",
-                params![post_id],
-                |r| Ok((r.get(0)?, r.get(1)?)),
-            )
-            .optional()?;
-
-        let Some((stored_token, created_at)) = row else {
-            return Ok(false); // post does not exist
-        };
-
-        if !constant_time_eq(stored_token.as_bytes(), token.as_bytes()) {
-            return Ok(false);
-        }
-
-        let now = chrono::Utc::now().timestamp();
-        if now.saturating_sub(created_at) > window {
-            return Ok(false);
-        }
+    // FIX[HIGH-2]: Fetch token and created_at in a single round-trip inside
+    // the IMMEDIATE transaction so no concurrent writer can modify the post
+    // between our SELECT and UPDATE.
+    let row: Option<(String, i64)> = tx
+        .query_row(
+            "SELECT deletion_token, created_at FROM posts WHERE id = ?1",
+            params![post_id],
+            |r| Ok((r.get(0)?, r.get(1)?)),
+        )
+        .optional()
+        .context("Failed to query post for edit")?;
 
-        conn.execute(
-            "UPDATE posts SET body = ?1, body_html = ?2, edited_at = ?3 WHERE id = ?4",
-            params![new_body, new_body_html, now, post_id],
-        )?;
+    let Some((stored_token, created_at)) = row else {
+        return Ok(false); // post does not exist
+    };
 
-        // Belt-and-suspenders: confirm the row was actually written.
-        Ok(conn.changes() > 0)
-    })();
+    if !constant_time_eq(stored_token.as_bytes(), token.as_bytes()) {
+        return Ok(false);
+    }
 
-    match result {
-        Ok(updated) => {
-            conn.execute_batch("COMMIT")
-                .context("Failed to commit edit_post transaction")?;
-            Ok(updated)
-        }
-        Err(e) => {
-            let _ = conn.execute_batch("ROLLBACK");
-            Err(e)
-        }
+    let now = chrono::Utc::now().timestamp();
+    if now.saturating_sub(created_at) > window {
+        return Ok(false);
     }
+
+    tx.execute(
+        "UPDATE posts SET body = ?1, body_html = ?2, edited_at = ?3 WHERE id = ?4",
+        params![new_body, new_body_html, now, post_id],
+    )
+    .context("Failed to update post body")?;
+
+    let updated = tx.changes() > 0;
+    tx.commit()
+        .context("Failed to commit edit_post transaction")?;
+    Ok(updated)
 }
 
 /// Constant-time byte slice comparison to prevent timing side-channel attacks.
diff --git a/src/handlers/admin/moderation.rs b/src/handlers/admin/moderation.rs
index 4b37424..694a6b9 100644
--- a/src/handlers/admin/moderation.rs
+++ b/src/handlers/admin/moderation.rs
@@ -180,7 +180,7 @@ pub async fn admin_ban_and_delete(
                 "ban",
                 None,
                 &board_short,
-                &format!("inline ban — ip_hash={reason}… reason={}", &ip_hash_log),
+                &format!("inline ban — ip_hash={}… reason={reason}", &ip_hash_log),
             );
 
             // Delete post (or whole thread if OP)
diff --git a/src/handlers/board.rs b/src/handlers/board.rs
index 75f008f..ef768f5 100644
--- a/src/handlers/board.rs
+++ b/src/handlers/board.rs
@@ -483,14 +483,19 @@ pub async fn catalog(
     State(state): State<AppState>,
     Path(board_short): Path<String>,
     jar: CookieJar,
-) -> Result<(CookieJar, Html<String>)> {
+    req_headers: HeaderMap,
+) -> Result<Response> {
     let (jar, csrf) = ensure_csrf(jar);
 
-    let html = tokio::task::spawn_blocking({
+    // FIX[High-8]: Add ETag caching to the catalog. Previously every request
+    // fetched up to 200 full thread rows and re-rendered the entire page
+    // regardless of whether anything changed. The ETag is derived from the
+    // most-recently-bumped thread, mirroring the board index handler.
+    let (etag, html) = tokio::task::spawn_blocking({
         let pool = state.db.clone();
         let csrf_clone = csrf.clone();
         let jar_session = jar.get("chan_admin_session").map(|c| c.value().to_string());
-        move || -> Result<String> {
+        move || -> Result<(String, String)> {
             let conn = pool.get()?;
             let is_admin = jar_session
                 .as_deref()
@@ -498,22 +503,47 @@ pub async fn catalog(
             let board = db::get_board_by_short(&conn, &board_short)?
                 .ok_or_else(|| AppError::NotFound(format!("Board /{board_short}/ not found")))?;
             let threads = db::get_threads_for_board(&conn, board.id, 200, 0)?;
+            let max_bump = threads.iter().map(|t| t.bumped_at).max().unwrap_or(0);
+            let admin_tag = if is_admin { "-a" } else { "" };
+            let etag = format!("\"{max_bump}-catalog{admin_tag}\"");
             let all_boards = db::get_all_boards(&conn)?;
             let collapse_greentext = db::get_collapse_greentext(&conn);
-            Ok(templates::catalog_page(
+            let html = templates::catalog_page(
                 &board,
                 &threads,
                 &csrf_clone,
                 &all_boards,
                 is_admin,
                 collapse_greentext,
-            ))
+            );
+            Ok((etag, html))
         }
     })
     .await
     .map_err(|e| AppError::Internal(anyhow::anyhow!(e)))??;
 
-    Ok((jar, Html(html)))
+    let client_etag = req_headers
+        .get("if-none-match")
+        .and_then(|v| v.to_str().ok())
+        .unwrap_or("");
+    if client_etag == etag {
+        let mut resp = axum::http::Response::builder()
+            .status(axum::http::StatusCode::NOT_MODIFIED)
+            .body(axum::body::Body::empty())
+            .unwrap_or_default();
+        resp.headers_mut().insert(
+            "etag",
+            axum::http::HeaderValue::from_str(&etag)
+                .unwrap_or_else(|_| axum::http::HeaderValue::from_static("\"0\"")),
+        );
+        return Ok((jar, resp).into_response());
+    }
+
+    let mut resp = Html(html).into_response();
+    if let Ok(v) = axum::http::HeaderValue::from_str(&etag) {
+        resp.headers_mut().insert("etag", v);
+    }
+    Ok((jar, resp).into_response())
 }
 
 // ─── GET /:board/archive ──────────────────────────────────────────────────────
@@ -750,7 +780,10 @@ fn media_content_type(path: &std::path::Path) -> Option<&'static str> {
         Some("gif") => Some("image/gif"),
         Some("bmp") => Some("image/bmp"),
         Some("tiff" | "tif") => Some("image/tiff"),
-        Some("svg") => Some("image/svg+xml"),
+        // SVG is intentionally omitted: serving SVG inline allows stored XSS via
+        // embedded <script> tags. SVGs are not accepted as uploads (detect_mime_type
+        // rejects image/svg+xml) so this arm would never match, but the explicit
+        // absence here documents the security decision.
         Some("webm") => Some("video/webm"),
         Some("mp4") => Some("video/mp4"),
         Some("mp3") => Some("audio/mpeg"),
diff --git a/src/handlers/thread.rs b/src/handlers/thread.rs
index eb5bec3..6c2d974 100644
--- a/src/handlers/thread.rs
+++ b/src/handlers/thread.rs
@@ -488,7 +488,7 @@ pub async fn edit_post_post(
         let pool = state.db.clone();
         let csrf_clone = csrf_cookie.clone().unwrap_or_default();
         move || -> Result<EditOutcome> {
-            let conn = pool.get()?;
+            let mut conn = pool.get()?;
 
             let board = db::get_board_by_short(&conn, &board_short)?
                 .ok_or_else(|| AppError::NotFound(format!("Board /{board_short}/ not found")))?;
@@ -521,7 +521,7 @@ pub async fn edit_post_post(
             let body_html = crate::utils::sanitize::render_post_body(&escaped);
 
             let success = db::edit_post(
-                &conn,
+                &mut conn,
                 post_id,
                 &token,
                 &body_text,
diff --git a/src/media/ffmpeg.rs b/src/media/ffmpeg.rs
index 332b1fc..87fc784 100644
--- a/src/media/ffmpeg.rs
+++ b/src/media/ffmpeg.rs
@@ -219,6 +219,7 @@ pub fn probe_video_codec(path: &str) -> Result<String> {
 ///
 /// # Errors
 /// Returns an error if ffmpeg exits non-zero or cannot be spawned.
+#[allow(dead_code)]
 pub fn ffmpeg_transcode_to_webm(input: &Path, output: &Path) -> Result<()> {
     let in_str = path_to_str(input)?;
     let out_str = path_to_str(output)?;
@@ -255,6 +256,7 @@ pub fn ffmpeg_transcode_to_webm(input: &Path, output: &Path) -> Result<()> {
 ///
 /// # Errors
 /// Returns an error if ffmpeg exits non-zero or cannot be spawned.
+#[allow(dead_code)]
 pub fn ffmpeg_audio_waveform(input: &Path, output: &Path, width: u32, height: u32) -> Result<()> {
     let in_str = path_to_str(input)?;
     let out_str = path_to_str(output)?;
diff --git a/src/server/server.rs b/src/server/server.rs
index 44bd931..d1f10d3 100644
--- a/src/server/server.rs
+++ b/src/server/server.rs
@@ -230,15 +230,19 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
     crate::detect::detect_tor(CONFIG.enable_tor_support, bind_port, &data_dir);
     println!();
 
+    // FIX[High-10]: Capture JoinHandles from start_worker_pool so the shutdown
+    // sequence can await each worker instead of blindly sleeping for 10 s.
+    // Previously the return value was silently discarded, making it impossible
+    // to know whether in-flight jobs had finished before the process exited.
+    let worker_queue = std::sync::Arc::new(crate::workers::JobQueue::new(pool.clone()));
+    let worker_handles =
+        crate::workers::start_worker_pool(&worker_queue, ffmpeg_available, ffmpeg_vp9_available);
+
     let state = AppState {
         db: pool.clone(),
         ffmpeg_available,
         ffmpeg_webp_available,
-        job_queue: {
-            let q = std::sync::Arc::new(crate::workers::JobQueue::new(pool.clone()));
-            crate::workers::start_worker_pool(&q, ffmpeg_available, ffmpeg_vp9_available);
-            q
-        },
+        job_queue: worker_queue,
         backup_progress: std::sync::Arc::new(crate::middleware::BackupProgress::new()),
         chan_ledger: if chan_net {
             Some(std::sync::Arc::new(parking_lot::Mutex::new(
@@ -439,11 +443,14 @@ pub async fn run_server(port_override: Option<u16>, chan_net: bool) -> anyhow::R
     .with_graceful_shutdown(shutdown_signal())
     .await?;
 
-    // Signal background workers to drain and exit (#7).
+    // FIX[High-10]: Signal workers and then await each handle with a per-worker
+    // timeout, replacing the previous blind 10-second sleep. Each worker is
+    // given up to 30 seconds to finish its in-flight job before we give up.
     info!("Signalling background workers to shut down…");
     worker_cancel.cancel();
-    // Give workers up to 10 seconds to finish in-flight jobs.
-    tokio::time::sleep(Duration::from_secs(10)).await;
+    for handle in worker_handles {
+        let _ = tokio::time::timeout(Duration::from_secs(30), handle).await;
+    }
 
     info!("Server shut down gracefully.");
     Ok(())
@@ -595,7 +602,8 @@ fn build_router(state: AppState) -> Router {
         // anonymous upload risk.
         .route(
             "/admin/restore",
-            post(crate::handlers::admin::admin_restore).layer(DefaultBodyLimit::disable()),
+            post(crate::handlers::admin::admin_restore)
+                .layer(DefaultBodyLimit::max(20 * 1024 * 1024 * 1024)), // 20 GiB — large but bounded
         )
         .route(
             "/admin/board/backup/{board}",
@@ -603,7 +611,8 @@ fn build_router(state: AppState) -> Router {
         )
         .route(
             "/admin/board/restore",
-            post(crate::handlers::admin::board_restore).layer(DefaultBodyLimit::disable()),
+            post(crate::handlers::admin::board_restore)
+                .layer(DefaultBodyLimit::max(20 * 1024 * 1024 * 1024)), // 20 GiB — large but bounded
         )
         // ── Disk-based backup management routes ──────────────────────────────
         .route(
diff --git a/src/templates/board.rs b/src/templates/board.rs
index feb1e4f..2bc4ed3 100644
--- a/src/templates/board.rs
+++ b/src/templates/board.rs
@@ -297,13 +297,14 @@ fn render_thread_summary(
         r#"<div class="post-meta">
 {sticky}{locked}
 <strong class="name">{name}</strong>
-<span class="post-time">{time}</span>
+<span class="post-time" data-utc="{ts}">{time}</span>
 <a class="post-num" href="/{board}/thread/{tid}">No.{op_id}</a>
 <a class="thread-id-link" href="/{board}/thread/{tid}" title="Thread #{tid}">[ #{tid} ]</a>
 </div>"#,
         sticky = sticky_label,
         locked = locked_label,
         name = escape_html(t.op_name.as_deref().unwrap_or("Anonymous")),
+        ts = t.created_at,
         time = fmt_ts_short(t.created_at),
         board = escape_html(board_short),
         tid = t.id,
diff --git a/src/templates/thread.rs b/src/templates/thread.rs
index 98e6798..5fc904e 100644
--- a/src/templates/thread.rs
+++ b/src/templates/thread.rs
@@ -389,7 +389,8 @@ pub fn render_post(
         .edited_at
         .map(|ts| {
             format!(
-                r#" <span class="post-edited" title="last edited {full}">(edited {short})</span>"#,
+                r#" <span class="post-edited" data-utc="{utc}" title="last edited {full}">(edited {short})</span>"#,
+                utc = ts,
                 full = fmt_ts(ts),
                 short = fmt_ts_short(ts),
             )
@@ -402,7 +403,7 @@ pub fn render_post(
         r##"<div class="post{op_class}" id="p{id}">
 <div class="post-meta">
 <strong class="name">{name}</strong>{tripcode}
-<span class="post-time">{time}</span>{edited}
+<span class="post-time" data-utc="{ts}">{time}</span>{edited}
 <a class="post-num" href="#p{id}" data-action="append-reply" data-id="{id}">No.{id}</a>
 <span class="backrefs" id="backrefs-{id}"></span>
 </div>"##,
@@ -410,6 +411,7 @@ pub fn render_post(
         id = post.id,
         name = escape_html(&post.name),
         tripcode = tripcode_html,
+        ts = post.created_at,
         time = fmt_ts_short(post.created_at),
         edited = edited_html,
     );
diff --git a/src/utils/files.rs b/src/utils/files.rs
index 43f2bb2..4455760 100644
--- a/src/utils/files.rs
+++ b/src/utils/files.rs
@@ -175,15 +175,11 @@ pub fn detect_mime_type(data: &[u8]) -> Result<&'static str> {
     if header.starts_with(b"\x49\x49\x2a\x00") || header.starts_with(b"\x4d\x4d\x00\x2a") {
         return Ok("image/tiff");
     }
-    // ── SVG (text XML) ────────────────────────────────────────────────────────
-    // SVG files start with either `<svg` or an XML declaration `<?xml`.
-    // Security note: SVG files can embed JavaScript via event handlers.
-    // The server must serve them with Content-Security-Policy or as attachments.
-    // Stored as-is; the media pipeline does not transcode SVG.
+    // ── SVG — detected but not accepted as an upload ──────────────────────────
+    // Rejection is enforced in save_upload(); detect_mime_type() returns the
+    // correct MIME type so callers can identify SVGs before deciding what to do.
     {
-        // Inspect up to 512 bytes of (possibly UTF-8 with BOM) text.
         let text_peek = data.get(..data.len().min(512)).unwrap_or(data);
-        // Strip a UTF-8 BOM if present.
         let text_peek = text_peek.strip_prefix(b"\xef\xbb\xbf").unwrap_or(text_peek);
         if text_peek.starts_with(b"<svg")
             || text_peek.starts_with(b"<SVG")
@@ -221,7 +217,7 @@ pub fn detect_mime_type(data: &[u8]) -> Result<&'static str> {
     }
 
     Err(anyhow::anyhow!(
-        "File type not allowed. Accepted: JPEG, PNG, GIF, WebP, BMP, TIFF, SVG, \
+        "File type not allowed. Accepted: JPEG, PNG, GIF, WebP, BMP, TIFF, \
          MP4, WebM, MP3, OGG, FLAC, WAV, M4A, AAC"
     ))
 }
@@ -300,6 +296,15 @@ pub fn save_upload(
 
     // Detect MIME type first so we can apply the correct size limit.
     let mime_type = detect_mime_type(data)?;
+
+    // SVG files can embed <script> tags and onload= handlers; reject them here
+    // with a clear message rather than letting them fall through to the generic
+    // "unsupported type" error.
+    if mime_type == "image/svg+xml" {
+        return Err(anyhow::anyhow!(
+            "File type not allowed. SVG files are not accepted because they can contain executable JavaScript."
+        ));
+    }
     let media_type = crate::models::MediaType::from_mime(mime_type)
         .ok_or_else(|| anyhow::anyhow!("Could not classify detected MIME type: {mime_type}"))?;
 
diff --git a/src/workers/mod.rs b/src/workers/mod.rs
index 39456af..f8b4413 100644
--- a/src/workers/mod.rs
+++ b/src/workers/mod.rs
@@ -33,7 +33,9 @@ use rand_core::{OsRng, RngCore};
 use serde::{Deserialize, Serialize};
 use std::num::NonZero;
 use std::path::PathBuf;
+use std::process::Stdio;
 use std::sync::Arc;
+use tokio::process::Command as TokioCommand;
 use tokio::sync::Notify;
 use tokio::time::{sleep, timeout, Duration};
 use tokio_util::sync::CancellationToken;
@@ -432,7 +434,19 @@ async fn handle_job(
 /// (libvpx-vp9 + libopus compiled in).  If either flag is false the job is
 /// skipped gracefully — no error is returned and the file remains as-is.
 ///
-/// A hard timeout of `CONFIG.ffmpeg_timeout_secs` is applied (2.3).
+/// FIX[Critical-3]: The previous implementation wrapped `std::process::Command`
+/// in `spawn_blocking` and applied `tokio::time::timeout`. When the timeout
+/// fired, Tokio stopped polling the future but the OS process kept running,
+/// occupying a blocking thread until it finished. The log message "ffmpeg killed"
+/// was factually incorrect.
+///
+/// The fix switches to `tokio::process::Command` with `kill_on_drop(true)`.
+/// The `Child` handle is driven by `child.wait_with_output()` directly on the
+/// async executor. When `timeout` fires, the future (and the `Child` inside it)
+/// is dropped, and `kill_on_drop` ensures the OS process receives SIGKILL
+/// immediately. No blocking thread is held during the wait.
+///
+/// A hard timeout of `CONFIG.ffmpeg_timeout_secs` is applied.
 async fn transcode_video(
     post_id: i64,
     file_path: String,
@@ -457,34 +471,90 @@ async fn transcode_video(
     let timeout_secs = CONFIG.ffmpeg_timeout_secs;
     let ffmpeg_timeout = Duration::from_secs(timeout_secs);
 
-    // Wrap the entire blocking transcode in a configurable timeout (2.3).
-    match timeout(
-        ffmpeg_timeout,
+    // Phase 1: prepare (file checks, codec probe, temp file creation) — blocking.
+    let prepare_result = {
+        let file_path2 = file_path.clone();
+        let board_short2 = board_short.clone();
         tokio::task::spawn_blocking(move || {
-            transcode_video_inner(post_id, &file_path, &board_short, &pool)
-        }),
-    )
-    .await
-    {
-        Ok(Ok(result)) => result,
-        Ok(Err(join_err)) => Err(anyhow::anyhow!("spawn_blocking panicked: {join_err}")),
+            transcode_video_prepare(post_id, &file_path2, &board_short2)
+        })
+        .await
+        .map_err(|e| anyhow::anyhow!("spawn_blocking panicked in prepare: {e}"))?
+    }?;
+
+    let Some((args, src_path, webm_abs, webm_rel, _webm_name, tmp)) = prepare_result else {
+        return Ok(()); // skip gracefully
+    };
+
+    // Phase 2: run ffmpeg via tokio::process::Command with kill_on_drop(true).
+    // When the timeout future is dropped, the Child is dropped, and kill_on_drop
+    // ensures the OS process receives SIGKILL immediately — unlike the previous
+    // spawn_blocking approach where the OS process kept running after timeout.
+    let child = TokioCommand::new("ffmpeg")
+        .args(&args)
+        .stderr(Stdio::piped())
+        .stdout(Stdio::null())
+        .kill_on_drop(true)
+        .spawn()
+        .map_err(|e| anyhow::anyhow!("failed to spawn ffmpeg: {e}"))?;
+
+    match timeout(ffmpeg_timeout, child.wait_with_output()).await {
+        Ok(Ok(output)) => {
+            if !output.status.success() {
+                return Err(anyhow::anyhow!(
+                    "ffmpeg exited with {}: {}",
+                    output.status,
+                    String::from_utf8_lossy(&output.stderr).trim()
+                ));
+            }
+        }
+        Ok(Err(e)) => return Err(anyhow::anyhow!("ffmpeg I/O error: {e}")),
         Err(_elapsed) => {
-            warn!("VideoTranscode: job for post {post_id} timed out after {timeout_secs}s — ffmpeg killed");
-            Err(anyhow::anyhow!(
+            // Child is dropped here; kill_on_drop fires SIGKILL on the OS process.
+            warn!(
+                "VideoTranscode: job for post {post_id} timed out after                  {timeout_secs}s — ffmpeg process killed"
+            );
+            return Err(anyhow::anyhow!(
                 "ffmpeg transcode timed out after {timeout_secs}s"
-            ))
+            ));
         }
     }
+
+    // Phase 3: persist temp file + DB updates — blocking.
+    tokio::task::spawn_blocking(move || {
+        transcode_video_finalise(
+            post_id, &file_path, &src_path, &webm_abs, &webm_rel, tmp, &pool,
+        )
+    })
+    .await
+    .map_err(|e| anyhow::anyhow!("spawn_blocking panicked in finalise: {e}"))?
 }
 
-fn transcode_video_inner(
+/// Prepare a video transcode: validate the source file, optionally probe the
+/// codec for `WebM` inputs, create a temp output file, and return the ffmpeg
+/// argument list along with the relevant paths.
+///
+/// Returns `Ok(None)` when the job should be skipped gracefully (unrecognised
+/// extension, or `WebM` that is already VP8/VP9). Returns `Ok(Some(...))` when
+/// ffmpeg should be invoked. `Err` for genuine failures.
+///
+/// This is a pure synchronous function; call it from `spawn_blocking` or at
+/// startup where blocking is acceptable.
+/// Parts returned by [`transcode_video_prepare`] when a transcode should proceed.
+type TranscodePrepareParts = (
+    Vec<String>,
+    PathBuf,
+    PathBuf,
+    String,
+    String,
+    tempfile::NamedTempFile,
+);
+
+fn transcode_video_prepare(
     post_id: i64,
     file_path: &str,
     board_short: &str,
-    pool: &DbPool,
-) -> Result<()> {
-    use anyhow::Context as _;
-
+) -> Result<Option<TranscodePrepareParts>> {
     let upload_dir = &CONFIG.upload_dir;
     let src = PathBuf::from(upload_dir).join(file_path);
 
@@ -495,7 +565,6 @@ fn transcode_video_inner(
         ));
     }
 
-    // Handle MP4 and WebM (AV1) inputs; skip anything else.
     let ext = src
         .extension()
         .and_then(|e| e.to_str())
@@ -503,16 +572,13 @@ fn transcode_video_inner(
         .to_ascii_lowercase();
     if ext != "mp4" && ext != "webm" {
         debug!("VideoTranscode: skipping unrecognised extension {file_path}");
-        return Ok(());
+        return Ok(None);
     }
 
-    // For WebM uploads, probe the codec first.  VP8/VP9 WebM is already
-    // in the correct format; only AV1 needs re-encoding.
     if ext == "webm" {
         let src_str = src
             .to_str()
             .ok_or_else(|| anyhow::anyhow!("Source path is non-UTF-8: {}", src.display()))?;
-
         match crate::media::ffmpeg::probe_video_codec(src_str) {
             Ok(ref codec) if codec == "av1" => {
                 info!("VideoTranscode: WebM/AV1 detected for post {post_id} — re-encoding to VP9");
@@ -522,14 +588,14 @@ fn transcode_video_inner(
                     "VideoTranscode: skipping WebM with codec '{}' for post {} (already VP8/VP9)",
                     codec, post_id
                 );
-                return Ok(());
+                return Ok(None);
             }
             Err(e) => {
                 warn!(
                     "VideoTranscode: could not probe codec for post {} ({}); skipping",
                     post_id, e
                 );
-                return Ok(());
+                return Ok(None);
             }
         }
     }
@@ -550,55 +616,101 @@ fn transcode_video_inner(
     let webm_abs = board_dir.join(&webm_name);
     let webm_rel = format!("{board_short}/{webm_name}");
 
-    // FIX[ATOMIC-WRITE]: For AV1 WebM inputs, src and webm_abs resolve to the
-    // same path (same stem, same .webm extension).  Write to a temp file in the
-    // same directory first, then atomically rename into place.  The rename is
-    // POSIX-atomic on the same filesystem, so readers always see either the old
-    // file or the new file — never a partial write.
-    //
-    // The temp file is given a .webm extension so that ffmpeg can identify the
-    // correct muxer from the output filename.  An extensionless temp file causes
-    // ffmpeg to fail immediately because it cannot determine the output format.
+    // FIX[ATOMIC-WRITE]: temp file in the same directory for POSIX-atomic rename.
     let tmp = tempfile::Builder::new()
         .suffix(".webm")
         .tempfile_in(&board_dir)
         .map_err(|e| anyhow::anyhow!("Failed to create temp file for WebM output: {e}"))?;
 
-    crate::media::ffmpeg::ffmpeg_transcode_to_webm(&src, tmp.path())?;
+    let tmp_path_str = tmp
+        .path()
+        .to_str()
+        .ok_or_else(|| anyhow::anyhow!("Temp file path is non-UTF-8"))?
+        .to_string();
+    let src_path_str = src
+        .to_str()
+        .ok_or_else(|| anyhow::anyhow!("Source path is non-UTF-8"))?
+        .to_string();
+
+    // Build the ffmpeg argument list as owned strings so it can cross the
+    // async boundary without lifetime issues.
+    let args: Vec<String> = [
+        "-loglevel",
+        "error",
+        "-i",
+        &src_path_str,
+        "-c:v",
+        "libvpx-vp9",
+        "-crf",
+        "30",
+        "-b:v",
+        "0",
+        "-c:a",
+        "libopus",
+        "-b:a",
+        "128k",
+        "-map_metadata",
+        "-1",
+        "-y",
+        &tmp_path_str,
+    ]
+    .iter()
+    .map(|s| (*s).to_string())
+    .collect();
+
+    Ok(Some((args, src, webm_abs, webm_rel, webm_name, tmp)))
+}
 
-    tmp.persist(&webm_abs)
+/// Finalise a completed video transcode: persist the temp file atomically,
+/// read the result for dedup, and update the database.
+///
+/// On any DB error the temp-turned-final `WebM` is removed to prevent leaks.
+fn transcode_video_finalise(
+    post_id: i64,
+    file_path: &str,
+    src: &PathBuf,
+    webm_abs: &PathBuf,
+    webm_rel: &str,
+    tmp: tempfile::NamedTempFile,
+    pool: &DbPool,
+) -> Result<()> {
+    use anyhow::Context as _;
+
+    let ext = src
+        .extension()
+        .and_then(|e| e.to_str())
+        .unwrap_or("")
+        .to_ascii_lowercase();
+
+    tmp.persist(webm_abs)
         .map_err(|e| anyhow::anyhow!("Failed to atomically rename WebM output: {e}"))?;
 
-    // Read the transcoded file for SHA-256 dedup and size logging.
     let webm_bytes =
-        std::fs::read(&webm_abs).context("Failed to read transcoded WebM for dedup hash")?;
+        std::fs::read(webm_abs).context("Failed to read transcoded WebM for dedup hash")?;
 
     let conn = pool.get()?;
 
-    // FIX[LEAK]: If any DB call below fails we must clean up the WebM we just
-    // wrote, otherwise it leaks on disk across all retry attempts.
+    // FIX[LEAK]: clean up on DB failure.
     let db_result = (|| -> Result<()> {
         let updated =
-            crate::db::update_all_posts_file_path(&conn, file_path, &webm_rel, "video/webm")?;
+            crate::db::update_all_posts_file_path(&conn, file_path, webm_rel, "video/webm")?;
         if updated == 0 {
-            crate::db::update_post_file_info(&conn, post_id, &webm_rel, "video/webm")?;
+            crate::db::update_post_file_info(&conn, post_id, webm_rel, "video/webm")?;
         }
-
         let thumb_path = crate::db::get_post_thumb_path(&conn, post_id)?.unwrap_or_default();
         let webm_sha256 = crate::utils::crypto::sha256_hex(&webm_bytes);
         crate::db::delete_file_hash_by_path(&conn, file_path)?;
-        crate::db::record_file_hash(&conn, &webm_sha256, &webm_rel, &thumb_path, "video/webm")?;
+        crate::db::record_file_hash(&conn, &webm_sha256, webm_rel, &thumb_path, "video/webm")?;
         Ok(())
     })();
 
     if let Err(e) = db_result {
-        // Remove the WebM we wrote so it doesn't accumulate across retries.
-        let _ = std::fs::remove_file(&webm_abs);
+        let _ = std::fs::remove_file(webm_abs);
         return Err(e);
     }
 
     if ext != "webm" {
-        let _ = std::fs::remove_file(&src);
+        let _ = std::fs::remove_file(src);
     }
 
     info!(
@@ -614,7 +726,20 @@ fn transcode_video_inner(
 // ─── AudioWaveform ────────────────────────────────────────────────────────────
 
 /// Generate a waveform PNG thumbnail for an audio upload via ffmpeg.
-/// A hard timeout of `CONFIG.ffmpeg_timeout_secs` is applied (2.3).
+///
+/// FIX[Critical-3]: Same `kill_on_drop` fix as `transcode_video`. Uses
+/// `tokio::process::Command` so the OS process is actually killed when the
+/// timeout fires, rather than continuing to run in an abandoned blocking thread.
+/// Parts produced by [`waveform_prepare`] that are consumed by the ffmpeg
+/// phase and [`waveform_finalise`].
+type WaveformPrepareParts = (
+    Vec<String>,
+    PathBuf,
+    String,
+    Vec<u8>,
+    tempfile::NamedTempFile,
+);
+
 async fn generate_waveform(
     post_id: i64,
     file_path: String,
@@ -629,94 +754,133 @@ async fn generate_waveform(
     let timeout_secs = CONFIG.ffmpeg_timeout_secs;
     let ffmpeg_timeout = Duration::from_secs(timeout_secs);
 
-    match timeout(
-        ffmpeg_timeout,
-        tokio::task::spawn_blocking(move || {
-            generate_waveform_inner(post_id, &file_path, &board_short, &pool)
-        }),
-    )
-    .await
-    {
-        Ok(Ok(result)) => result,
-        Ok(Err(join_err)) => Err(anyhow::anyhow!("spawn_blocking panicked: {join_err}")),
+    // Phase 1: prepare (file I/O, temp file creation) — blocking.
+    let (args, png_abs, png_rel, data, tmp_png) = {
+        let file_path2 = file_path.clone();
+        let board_short2 = board_short.clone();
+        tokio::task::spawn_blocking(move || waveform_prepare(&file_path2, &board_short2))
+            .await
+            .map_err(|e| anyhow::anyhow!("spawn_blocking panicked in waveform prepare: {e}"))??
+    };
+
+    // Phase 2: run ffmpeg with kill_on_drop.
+    let child = TokioCommand::new("ffmpeg")
+        .args(&args)
+        .stderr(Stdio::piped())
+        .stdout(Stdio::null())
+        .kill_on_drop(true)
+        .spawn()
+        .map_err(|e| anyhow::anyhow!("failed to spawn ffmpeg for waveform: {e}"))?;
+
+    match timeout(ffmpeg_timeout, child.wait_with_output()).await {
+        Ok(Ok(output)) => {
+            if !output.status.success() {
+                return Err(anyhow::anyhow!(
+                    "ffmpeg waveform exited with {}: {}",
+                    output.status,
+                    String::from_utf8_lossy(&output.stderr).trim()
+                ));
+            }
+        }
+        Ok(Err(e)) => return Err(anyhow::anyhow!("ffmpeg waveform I/O error: {e}")),
         Err(_elapsed) => {
-            warn!("AudioWaveform: job for post {post_id} timed out after {timeout_secs}s");
-            Err(anyhow::anyhow!(
+            warn!("AudioWaveform: job for post {post_id} timed out after {timeout_secs}s — ffmpeg process killed");
+            return Err(anyhow::anyhow!(
                 "ffmpeg waveform timed out after {timeout_secs}s"
-            ))
+            ));
         }
     }
+
+    // Phase 3: persist + DB update — blocking.
+    tokio::task::spawn_blocking(move || {
+        waveform_finalise(post_id, &png_abs, &png_rel, &data, tmp_png, &pool)
+    })
+    .await
+    .map_err(|e| anyhow::anyhow!("spawn_blocking panicked in waveform finalise: {e}"))?
 }
 
-fn generate_waveform_inner(
-    post_id: i64,
-    file_path: &str,
-    board_short: &str,
-    pool: &DbPool,
-) -> Result<()> {
+/// Blocking prepare phase for [`generate_waveform`]: validate the source,
+/// read its bytes, create a temp output file, and build the ffmpeg arg list.
+fn waveform_prepare(file_path: &str, board_short: &str) -> Result<WaveformPrepareParts> {
     use anyhow::Context as _;
-
     let upload_dir = &CONFIG.upload_dir;
     let src = PathBuf::from(upload_dir).join(file_path);
-
     if !src.exists() {
         return Err(anyhow::anyhow!(
             "Audio source not found for waveform: {}",
             src.display()
         ));
     }
-
     let stem = src
         .file_stem()
         .and_then(|s| s.to_str())
         .ok_or_else(|| anyhow::anyhow!("Malformed audio filename: {}", src.display()))?
         .to_string();
-
-    // Read the audio file for SHA-256 dedup; the path is passed directly to
-    // ffmpeg so no redundant write-to-temp-and-read-back is needed.
     let data = std::fs::read(&src)?;
     let thumb_size = CONFIG.thumb_size;
-
-    let board_dir = PathBuf::from(upload_dir).join(board_short);
-    let thumbs_dir = board_dir.join("thumbs");
+    let thumbs_dir = PathBuf::from(upload_dir).join(board_short).join("thumbs");
     std::fs::create_dir_all(&thumbs_dir)?;
-
     let png_name = format!("{stem}.png");
     let png_abs = thumbs_dir.join(&png_name);
     let png_rel = format!("{board_short}/thumbs/{png_name}");
-
-    // Write the waveform to a temp file in the same directory, then atomically
-    // rename it into place to avoid partial reads from concurrent web requests.
     let tmp_png = tempfile::Builder::new()
         .prefix("chan_wav_")
         .suffix(".png")
         .tempfile_in(&thumbs_dir)
         .context("Failed to create temp file for waveform PNG")?;
+    let src_str = src
+        .to_str()
+        .ok_or_else(|| anyhow::anyhow!("Source path is non-UTF-8"))?
+        .to_string();
+    let tmp_str = tmp_png
+        .path()
+        .to_str()
+        .ok_or_else(|| anyhow::anyhow!("Temp path is non-UTF-8"))?
+        .to_string();
+    let filter = format!(
+        "showwavespic=s={thumb_size}x{}:colors=0x888888",
+        thumb_size / 2
+    );
+    let args: Vec<String> = [
+        "-loglevel",
+        "error",
+        "-i",
+        &src_str,
+        "-filter_complex",
+        &filter,
+        "-frames:v",
+        "1",
+        "-y",
+        &tmp_str,
+    ]
+    .iter()
+    .map(|s| (*s).to_string())
+    .collect();
+    Ok((args, png_abs, png_rel, data, tmp_png))
+}
 
-    crate::media::ffmpeg::ffmpeg_audio_waveform(&src, tmp_png.path(), thumb_size, thumb_size / 2)?;
-
+/// Blocking finalise phase for [`generate_waveform`]: atomically persist the
+/// temp PNG and update the database with the new thumb path.
+fn waveform_finalise(
+    post_id: i64,
+    png_abs: &std::path::Path,
+    png_rel: &str,
+    data: &[u8],
+    tmp_png: tempfile::NamedTempFile,
+    pool: &DbPool,
+) -> Result<()> {
+    use anyhow::Context as _;
     tmp_png
-        .persist(&png_abs)
+        .persist(png_abs)
         .context("Failed to atomically rename waveform PNG into place")?;
-
     let conn = pool.get()?;
-    crate::db::update_post_thumb_path(&conn, post_id, &png_rel)?;
-
-    // FIX[DEDUP-STALE]: The file_hashes dedup table was not updated after the
-    // waveform PNG was generated, so it still held the SVG placeholder path as
-    // thumb_path.  Any future post uploading the same audio file and hitting the
-    // dedup cache via find_file_by_hash would receive the stale SVG path instead
-    // of the waveform PNG.  We now update the dedup record so that all future
-    // dedup hits for this audio file correctly inherit the waveform thumbnail.
-    //
-    // We compute the SHA-256 of the audio data to identify the dedup row without
-    // a separate DB lookup, then refresh its thumb_path via a targeted UPDATE.
-    let audio_sha256 = crate::utils::crypto::sha256_hex(&data);
+    crate::db::update_post_thumb_path(&conn, post_id, png_rel)?;
+    // FIX[DEDUP-STALE]: update dedup record with final thumb path.
+    let audio_sha256 = crate::utils::crypto::sha256_hex(data);
     let _ = conn.execute(
         "UPDATE file_hashes SET thumb_path = ?1 WHERE sha256 = ?2",
         rusqlite::params![png_rel, audio_sha256],
     );
-
     info!("AudioWaveform done: post {post_id} → {png_rel}");
     Ok(())
 }
diff --git a/static/main.js b/static/main.js
index 126104f..d917332 100644
--- a/static/main.js
+++ b/static/main.js
@@ -6,6 +6,48 @@
 
 'use strict';
 
+// ─── Localize post timestamps to device timezone ──────────────────────────────
+
+function localizePostTimes(root) {
+  var els = (root || document).querySelectorAll(
+    'span.post-time[data-utc], span.post-edited[data-utc]'
+  );
+  var days = ['Sun','Mon','Tue','Wed','Thu','Fri','Sat'];
+  els.forEach(function (el) {
+    var ts = parseInt(el.getAttribute('data-utc'), 10);
+    if (isNaN(ts)) return;
+    var d = new Date(ts * 1000);
+    var mm  = String(d.getMonth() + 1).padStart(2, '0');
+    var dd  = String(d.getDate()).padStart(2, '0');
+    var yy  = String(d.getFullYear()).slice(-2);
+    var day = days[d.getDay()];
+    var hh  = String(d.getHours()).padStart(2, '0');
+    var min = String(d.getMinutes()).padStart(2, '0');
+    var ss  = String(d.getSeconds()).padStart(2, '0');
+    var local = mm + '/' + dd + '/' + yy + '(' + day + ')' + hh + ':' + min + ':' + ss;
+    if (el.classList.contains('post-edited')) {
+      el.title = 'last edited ' + local;
+      el.textContent = '(edited ' + local + ')';
+    } else {
+      el.textContent = local;
+    }
+    el.removeAttribute('data-utc'); // prevent double-processing
+  });
+}
+
+document.addEventListener('DOMContentLoaded', function () {
+  localizePostTimes(document);
+});
+
+// Hook into new-post insertions (thread auto-update, quote popups, etc.)
+(function () {
+  var _origLocalize = window._onNewPostsInserted;
+  window._onNewPostsInserted = function (container) {
+    localizePostTimes(container);
+    if (_origLocalize) _origLocalize(container);
+  };
+}());
+
 // ─── Post form toggle & mobile drawer ────────────────────────────────────────
 
 function togglePostForm() {