diff --git a/.github/settings.yml b/.github/settings.yml
new file mode 100644
index 0000000..c3a0d12
--- /dev/null
+++ b/.github/settings.yml
@@ -0,0 +1,23 @@
+branches:
+  - name: main
+    protection:
+      required_pull_request_reviews:
+        required_approving_review_count: 1
+        require_code_owner_reviews: false
+        dismiss_stale_reviews: true
+      required_status_checks:
+        strict: true
+        checks:
+          - context: "CI / Test on Node.js 20.x"
+          - context: "CI / Test on Node.js 22.x"
+          - context: "CI / Coverage Gate"
+          - context: "CI / Lint"
+          - context: "CI / Codex Compatibility Smoke"
+          - context: "CI / Cross-Platform Smoke (windows-latest)"
+          - context: "CI / Cross-Platform Smoke (macos-latest)"
+          - context: "CodeQL / Analyze"
+          - context: "Secret Scan / Gitleaks"
+          - context: "Supply Chain / Dependency Review"
+          - context: "Supply Chain / SCA and License Gate"
+      enforce_admins: true
+      restrictions: null
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e3c4f0b..3df09be 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,12 +6,17 @@ on:
   pull_request:
     branches: [main]
 
+concurrency:
+  group: ci-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   test:
     name: Test on Node.js ${{ matrix.node-version }}
     runs-on: ubuntu-latest
 
     strategy:
+      fail-fast: false
       matrix:
         node-version: [20.x, 22.x]
 
@@ -23,7 +28,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
-          cache: 'npm'
+          cache: npm
 
       - name: Install dependencies
         run: npm ci
@@ -44,15 +49,48 @@ jobs:
       - name: Run type check
         run: npm run typecheck
 
-      - name: Run tests with coverage
-        run: npm run coverage
-
       - name: Build
         run: npm run build
 
+      - name: Upload build artifact
+        if: matrix.node-version == '20.x'
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist-node20
+          path: dist/
+
+      - name: Run tests
+        run: npm test
+
+  coverage-gate:
+    name: Coverage Gate
+    runs-on: ubuntu-latest
+    needs: test
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Download build artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: dist-node20
+          path: dist/
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run tests with coverage threshold gate
+        run: npm run test:coverage
+
   lint:
     name: Lint
-
     runs-on: ubuntu-latest
 
     steps:
@@ -63,7 +101,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 20.x
-          cache: 'npm'
+          cache: npm
 
       - name: Install dependencies
         run: npm ci
@@ -83,10 +121,41 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 20.x
-          cache: 'npm'
+          cache: npm
 
       - name: Install dependencies
         run: npm ci
 
       - name: Run Codex compatibility tests
         run: npm run test -- test/codex.test.ts test/host-codex-prompt.test.ts test/request-transformer.test.ts test/fetch-helpers.test.ts
+
+  cross-platform-smoke:
+    name: Cross-Platform Smoke (${{ matrix.os }})
+    runs-on: ${{ matrix.os }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [windows-latest, macos-latest]
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run smoke typecheck
+        run: npm run typecheck
+
+      - name: Build
+        run: npm run build
+
+      - name: Run smoke tests
+        run: npm run test -- test/runtime-paths.test.ts test/codex-bin-wrapper.test.ts test/file-lock.test.ts test/background-jobs.test.ts
diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
new file mode 100644
index 0000000..c596741
--- /dev/null
+++ b/.github/workflows/secret-scan.yml
@@ -0,0 +1,28 @@
+name: Secret Scan
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+  schedule:
+    - cron: "0 5 * * 1"
+
+jobs:
+  gitleaks:
+    name: Gitleaks
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run gitleaks scanner
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/supply-chain.yml b/.github/workflows/supply-chain.yml
new file mode 100644
index 0000000..5a461d6
--- /dev/null
+++ b/.github/workflows/supply-chain.yml
@@ -0,0 +1,81 @@
+name: Supply Chain
+
+on:
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+  schedule:
+    - cron: "0 4 * * 1"
+
+env:
+  CODEX_LICENSE_DENYLIST: "GPL-2.0,GPL-3.0,AGPL-3.0"
+
+jobs:
+  dependency-review:
+    name: Dependency Review
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Dependency review
+        uses: actions/dependency-review-action@v4
+        with:
+          fail-on-severity: high
+          fail-on-scopes: runtime
+          deny-licenses: ${{ env.CODEX_LICENSE_DENYLIST }}
+
+  sca-and-license:
+    name: SCA and License Gate
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Run vulnerability policy gate
+        run: npm run audit:ci
+
+      - name: Run license policy gate
+        run: npm run license:check
+
+  sbom:
+    name: Generate SBOM
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: npm
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Generate CycloneDX SBOM
+        run: npm run sbom
+
+      - name: Upload SBOM artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sbom-cyclonedx
+          path: sbom.cdx.json
diff --git a/README.md b/README.md
index e254c6a..8445939 100644
--- a/README.md
+++ b/README.md
@@ -128,6 +128,7 @@ codex auth doctor --fix
 | `codex auth fix --dry-run` | Preview safe repairs |
 | `codex auth fix --live --model gpt-5-codex` | Run repairs with live probe model |
 | `codex auth doctor --fix` | Diagnose and apply safe fixes |
+| `codex auth rotate-secrets --json --idempotency-key <run-id>` | Re-encrypt stored secrets with safe retry semantics for automation |
 
 ---
 
diff --git a/docs/README.md b/docs/README.md
index 2accdd9..2cb64b5 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -59,6 +59,7 @@ Canonical documentation map for `codex-multi-auth`.
 | [development/REPOSITORY_SCOPE.md](development/REPOSITORY_SCOPE.md) | Ownership map by repository path |
 | [development/TESTING.md](development/TESTING.md) | Validation gates and test matrix |
 | [development/TUI_PARITY_CHECKLIST.md](development/TUI_PARITY_CHECKLIST.md) | Dashboard UX parity checklist |
+| [runbooks/README.md](runbooks/README.md) | Operations and incident response playbooks |
 | [benchmarks/code-edit-format-benchmark.md](benchmarks/code-edit-format-benchmark.md) | Benchmark methodology and outputs |
 
 ---
diff --git a/docs/configuration.md b/docs/configuration.md
index 172296c..6e13083 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -68,6 +68,12 @@ These are safe for most operators and frequently used in day-to-day workflows.
 | `CODEX_TUI_GLYPHS=ascii|unicode|auto` | Glyph mode selection |
 | `CODEX_AUTH_FETCH_TIMEOUT_MS=<ms>` | HTTP request timeout override |
 | `CODEX_AUTH_STREAM_STALL_TIMEOUT_MS=<ms>` | Stream stall timeout override |
+| `CODEX_AUTH_ENCRYPTION_KEY=<32-byte-random-key>` | Enable at-rest encryption for stored account secrets (high-entropy key material only) |
+| `CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY=<32-byte-random-key>` | Previous high-entropy key used during staged secret rotation |
+| `CODEX_AUTH_ROLE=admin\|operator\|viewer` | CLI authorization role baseline |
+
+For `CODEX_AUTH_ENCRYPTION_KEY` and `CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY`, use 32-byte
+random key material from a secret manager. Do not use user-memorable passwords.
 
 ---
 
@@ -81,6 +87,14 @@ Use these only when debugging, controlled benchmarking, or maintainer workflows.
 - `CODEX_CLI_ACCOUNTS_PATH`
 - `CODEX_CLI_AUTH_PATH`
 - refresh lease tuning variables (`CODEX_AUTH_REFRESH_LEASE*`)
+- `CODEX_AUTH_BREAK_GLASS`
+- `CODEX_AUTH_ABAC_READ_ONLY`
+- `CODEX_AUTH_ABAC_DENY_ACTIONS`
+- `CODEX_AUTH_ABAC_DENY_COMMANDS`
+- `CODEX_AUTH_ABAC_REQUIRE_INTERACTIVE`
+- `CODEX_AUTH_ABAC_REQUIRE_IDEMPOTENCY_KEY`
+- `CODEX_AUTH_REDACT_JSON_OUTPUT`
+- retention tuning variables (`CODEX_AUTH_RETENTION_*`)
 
 Full inventory: [development/CONFIG_FIELDS.md](development/CONFIG_FIELDS.md)
 
diff --git a/docs/development/CONFIG_FIELDS.md b/docs/development/CONFIG_FIELDS.md
index 9a3ee4c..54350ed 100644
--- a/docs/development/CONFIG_FIELDS.md
+++ b/docs/development/CONFIG_FIELDS.md
@@ -195,6 +195,21 @@ Used only for host plugin mode through the host runtime config file.
 | `CODEX_TUI_GLYPHS` | TUI glyph mode |
 | `CODEX_AUTH_FETCH_TIMEOUT_MS` | Request timeout override |
 | `CODEX_AUTH_STREAM_STALL_TIMEOUT_MS` | Stream stall timeout override |
+| `CODEX_AUTH_ENCRYPTION_KEY` | Primary high-entropy 32-byte key for at-rest secret encryption |
+| `CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY` | Previous high-entropy 32-byte key for staged secret rotation |
+| `CODEX_AUTH_ROLE` | Authorization role baseline (`admin`, `operator`, `viewer`) |
+| `CODEX_AUTH_BREAK_GLASS` | Emergency authorization bypass toggle |
+| `CODEX_AUTH_ABAC_READ_ONLY` | Deny mutating actions while allowing read-only command paths |
+| `CODEX_AUTH_ABAC_DENY_ACTIONS` | Comma-separated action denies (`accounts:write`, etc.) |
+| `CODEX_AUTH_ABAC_DENY_COMMANDS` | Comma-separated command denies (`rotate-secrets`, etc.) |
+| `CODEX_AUTH_ABAC_REQUIRE_INTERACTIVE` | Comma-separated actions that require interactive terminal |
+| `CODEX_AUTH_ABAC_REQUIRE_IDEMPOTENCY_KEY` | Comma-separated actions that require idempotency key context |
+| `CODEX_AUTH_REDACT_JSON_OUTPUT` | Redact sensitive values in JSON command output |
+| `CODEX_AUTH_RETENTION_LOG_DAYS` | Log retention window |
+| `CODEX_AUTH_RETENTION_CACHE_DAYS` | Cache retention window |
+| `CODEX_AUTH_RETENTION_FLAGGED_DAYS` | Flagged-account file retention window |
+| `CODEX_AUTH_RETENTION_QUOTA_CACHE_DAYS` | Quota cache retention window |
+| `CODEX_AUTH_RETENTION_DLQ_DAYS` | Dead-letter queue retention window |
 | `CODEX_MULTI_AUTH_SYNC_CODEX_CLI` | Toggle Codex CLI state sync |
 | `CODEX_MULTI_AUTH_REAL_CODEX_BIN` | Force official Codex binary path |
 | `CODEX_MULTI_AUTH_BYPASS` | Bypass local auth handling |
diff --git a/docs/development/TESTING.md b/docs/development/TESTING.md
index 9292b90..6695f74 100644
--- a/docs/development/TESTING.md
+++ b/docs/development/TESTING.md
@@ -24,6 +24,8 @@ npm run typecheck
 npm run lint
 npm test
 npm run build
+npm run audit:ci
+npm run license:check
 ```
 
 Optional:
@@ -42,8 +44,19 @@ npm run bench:edit-formats:smoke
 1. `npm run typecheck`
 2. `npm run lint`
 3. `npm test`
-4. `npm run build`
-5. run docs command checks for newly documented command paths
+4. `npm run coverage`
+5. `npm run build`
+6. `npm run audit:ci`
+7. `npm run license:check`
+8. run docs command checks for newly documented command paths
+
+### Upgrade Notes (PR #32)
+
+- Gate ordering was updated so `npm run coverage` runs before `npm run build`.
+- Two required supply-chain checks were added to the standard local sequence:
+  - `npm run audit:ci`
+  - `npm run license:check`
+- If you maintain local CI wrappers or pre-push scripts, update them to use the order above and rerun once to refresh baselines.
 
 * * *
 
diff --git a/docs/index.md b/docs/index.md
index 9a59b2d..ecc3dbf 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -46,4 +46,5 @@ Legacy package/path guidance is documented in [upgrade.md](upgrade.md) and [refe
 - Command flags and hotkeys: [reference/commands.md](reference/commands.md)
 - Settings and overrides: [reference/settings.md](reference/settings.md)
 - Storage path matrix: [reference/storage-paths.md](reference/storage-paths.md)
-- Full docs portal: [README.md](README.md)
\ No newline at end of file
+- Operations runbooks: [runbooks/README.md](runbooks/README.md)
+- Full docs portal: [README.md](README.md)
diff --git a/docs/privacy.md b/docs/privacy.md
index 4fa1534..4acf565 100644
--- a/docs/privacy.md
+++ b/docs/privacy.md
@@ -20,6 +20,7 @@
 | Accounts | `~/.codex/multi-auth/openai-codex-accounts.json` | Primary saved account pool |
 | Flagged accounts | `~/.codex/multi-auth/openai-codex-flagged-accounts.json` | Accounts with hard auth failures |
 | Quota cache | `~/.codex/multi-auth/quota-cache.json` | Cached quota snapshots |
+| Background DLQ | `~/.codex/multi-auth/background-job-dlq.jsonl` | Failed background jobs after retry exhaustion |
 | Logs | `~/.codex/multi-auth/logs/codex-plugin/` | Optional diagnostics |
 | Prompt/cache files | `~/.codex/multi-auth/cache/` | Cached prompt/template metadata |
 | Codex CLI state | `~/.codex/accounts.json`, `~/.codex/auth.json` | Official Codex CLI files |
@@ -48,6 +49,35 @@ Current external destinations:
 
 Raw body logs may contain sensitive payload text. Treat logs as sensitive data and rotate/delete as needed.
 
+`CODEX_AUTH_REDACT_JSON_OUTPUT=1` redacts sensitive values from JSON command output for automation logs.
+
+---
+
+## Secret Encryption and Rotation
+
+- Account refresh/access tokens can be encrypted at rest when `CODEX_AUTH_ENCRYPTION_KEY` is set.
+- Key rotation supports staged migration with `CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY`.
+- Both key variables should be 32-byte high-entropy key material (not passwords).
+- Rotation command:
+
+```bash
+codex auth rotate-secrets --json
+```
+
+Store encryption keys in a secret manager or CI secret store, not in repository files.
+
+---
+
+## Retention
+
+Startup retention cleanup removes expired local artifacts based on:
+
+- `CODEX_AUTH_RETENTION_LOG_DAYS`
+- `CODEX_AUTH_RETENTION_CACHE_DAYS`
+- `CODEX_AUTH_RETENTION_FLAGGED_DAYS`
+- `CODEX_AUTH_RETENTION_QUOTA_CACHE_DAYS`
+- `CODEX_AUTH_RETENTION_DLQ_DAYS`
+
 ---
 
 ## Data Cleanup
diff --git a/docs/reference/commands.md b/docs/reference/commands.md
index 43c877f..4cd736e 100644
--- a/docs/reference/commands.md
+++ b/docs/reference/commands.md
@@ -38,6 +38,7 @@ Compatibility aliases are supported:
 | `codex auth report` | Generate full health report |
 | `codex auth fix` | Apply safe account storage fixes |
 | `codex auth doctor` | Run diagnostics and optional repairs |
+| `codex auth rotate-secrets` | Re-encrypt account secrets using current encryption key |
 
 ---
 
@@ -45,13 +46,16 @@ Compatibility aliases are supported:
 
 | Flag | Applies to | Meaning |
 | --- | --- | --- |
-| `--json` | verify-flagged, forecast, report, fix, doctor | Print machine-readable output |
+| `--json` | verify-flagged, forecast, report, fix, doctor, rotate-secrets | Print machine-readable output |
 | `--live` | forecast, report, fix | Use live probe before decisions/output |
 | `--dry-run` | verify-flagged, fix, doctor | Preview without writing storage |
 | `--model <model>` | forecast, report, fix | Specify model for live probe paths |
 | `--out <path>` | report | Write report output to file |
 | `--fix` | doctor | Apply safe repairs |
 | `--no-restore` | verify-flagged | Verify only; do not restore healthy flagged accounts |
+| `--page-size <n>` | list, status (`--json`) | Page size for JSON list output (1-200) |
+| `--cursor <cursor>` | list, status (`--json`) | Cursor token for JSON list pagination |
+| `--idempotency-key <key>` | rotate-secrets | Safe retry key for automation |
 
 ---
 
@@ -108,6 +112,7 @@ Repair and recovery:
 codex auth fix --dry-run
 codex auth fix --live --model gpt-5-codex
 codex auth doctor --fix
+codex auth rotate-secrets --json --idempotency-key "$CI_JOB_ID"
 ```
 
 ---
diff --git a/docs/reference/error-contracts.md b/docs/reference/error-contracts.md
index 62694d4..2196f1a 100644
--- a/docs/reference/error-contracts.md
+++ b/docs/reference/error-contracts.md
@@ -31,17 +31,24 @@ Examples:
 
 The following commands support `--json` and produce pretty-printed JSON objects:
 
+- `codex auth list --json`
 - `codex auth forecast --json`
 - `codex auth report --json`
 - `codex auth fix --json`
 - `codex auth doctor --json`
 - `codex auth verify-flagged --json`
+- `codex auth rotate-secrets --json`
 
 Compatibility guarantees:
 
 - Output is valid JSON.
 - `command` field identifies the command family.
+- `schemaVersion` is required for machine-consumable contracts.
 - Documented top-level sections remain stable unless a migration note is provided.
+- Optional redaction mode (`CODEX_AUTH_REDACT_JSON_OUTPUT=1`) masks sensitive fields without changing schema shape.
+- Paginated list output uses `pagination.{cursor,nextCursor,hasMore,pageSize}`.
+
+For `rotate-secrets`, automation may provide `--idempotency-key <key>` to avoid duplicate side effects on retried runs.
 
 ---
 
diff --git a/docs/reference/public-api.md b/docs/reference/public-api.md
index 865189f..d916a37 100644
--- a/docs/reference/public-api.md
+++ b/docs/reference/public-api.md
@@ -63,6 +63,24 @@ Positional signatures are preserved for backward compatibility.
 
 ---
 
+## API Standards Baseline
+
+Where this repository exposes machine-readable command output or future HTTP endpoints, use these defaults:
+
+- Versioning:
+  - include `schemaVersion` in JSON command output.
+  - increment schema version only when contract shape changes.
+- Idempotency:
+  - mutating automation flows should support caller-provided idempotency keys.
+  - repeated requests with the same idempotency key should not duplicate side effects.
+- Pagination:
+  - list-style payloads should prefer cursor-based pagination (`nextCursor`, `hasMore`) over offset-only paging.
+  - response envelopes should include stable paging metadata even for empty result sets.
+
+This project currently applies the versioning baseline to JSON command outputs and documents idempotency/pagination standards for future API expansion.
+
+---
+
 ## Semver Guidance
 
 - Breaking Tier A change: `MAJOR`
diff --git a/docs/reference/settings.md b/docs/reference/settings.md
index 1466374..42689b1 100644
--- a/docs/reference/settings.md
+++ b/docs/reference/settings.md
@@ -128,6 +128,12 @@ Common operator overrides:
 - `CODEX_TUI_GLYPHS`
 - `CODEX_AUTH_FETCH_TIMEOUT_MS`
 - `CODEX_AUTH_STREAM_STALL_TIMEOUT_MS`
+- `CODEX_AUTH_ENCRYPTION_KEY`
+- `CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY`
+- `CODEX_AUTH_ROLE`
+
+Encryption key variables must be high-entropy 32-byte key material (for example,
+from a secret manager). Do not use passwords.
 
 ---
 
@@ -141,6 +147,14 @@ Maintainer/debug-focused overrides include:
 - `CODEX_CLI_ACCOUNTS_PATH`
 - `CODEX_CLI_AUTH_PATH`
 - refresh lease controls (`CODEX_AUTH_REFRESH_LEASE*`)
+- `CODEX_AUTH_BREAK_GLASS`
+- `CODEX_AUTH_ABAC_READ_ONLY`
+- `CODEX_AUTH_ABAC_DENY_ACTIONS`
+- `CODEX_AUTH_ABAC_DENY_COMMANDS`
+- `CODEX_AUTH_ABAC_REQUIRE_INTERACTIVE`
+- `CODEX_AUTH_ABAC_REQUIRE_IDEMPOTENCY_KEY`
+- `CODEX_AUTH_REDACT_JSON_OUTPUT`
+- retention controls (`CODEX_AUTH_RETENTION_*`)
 
 Full inventory: [../development/CONFIG_FIELDS.md](../development/CONFIG_FIELDS.md)
 
@@ -175,4 +189,4 @@ codex auth forecast --live
 
 - [commands.md](commands.md)
 - [storage-paths.md](storage-paths.md)
-- [../configuration.md](../configuration.md)
\ No newline at end of file
+- [../configuration.md](../configuration.md)
diff --git a/docs/reference/storage-paths.md b/docs/reference/storage-paths.md
index bae76b8..ca409f8 100644
--- a/docs/reference/storage-paths.md
+++ b/docs/reference/storage-paths.md
@@ -26,6 +26,7 @@ Override root:
 | Accounts WAL | `~/.codex/multi-auth/openai-codex-accounts.json.wal` |
 | Flagged accounts | `~/.codex/multi-auth/openai-codex-flagged-accounts.json` |
 | Quota cache | `~/.codex/multi-auth/quota-cache.json` |
+| Background job DLQ | `~/.codex/multi-auth/background-job-dlq.jsonl` |
 | Logs | `~/.codex/multi-auth/logs/codex-plugin/` |
 | Cache | `~/.codex/multi-auth/cache/` |
 | Codex CLI accounts | `~/.codex/accounts.json` |
diff --git a/docs/runbooks/README.md b/docs/runbooks/README.md
new file mode 100644
index 0000000..7b7d530
--- /dev/null
+++ b/docs/runbooks/README.md
@@ -0,0 +1,12 @@
+# Runbooks
+
+Operational runbooks for `codex-multi-auth`.
+
+## Runbook Index
+
+- [operations.md](operations.md): routine operational checks, release gates, and maintenance tasks.
+- [incident-response.md](incident-response.md): severity model, containment flow, and post-incident process.
+
+## Scope
+
+These runbooks cover plugin-owned local state under `~/.codex/multi-auth` (or `CODEX_MULTI_AUTH_DIR`) and repository-level CI/security controls.
diff --git a/docs/runbooks/incident-response.md b/docs/runbooks/incident-response.md
new file mode 100644
index 0000000..230f8e2
--- /dev/null
+++ b/docs/runbooks/incident-response.md
@@ -0,0 +1,99 @@
+# Incident Response Playbook
+
+Incident response workflow for `codex-multi-auth`.
+
+---
+
+## Severity Levels
+
+- `SEV-1`: active secret exposure, auth bypass, or broad production outage.
+- `SEV-2`: major functionality degraded, high failure rate, or persistent data corruption risk.
+- `SEV-3`: contained bug with workaround, no ongoing security impact.
+
+---
+
+## Response Timeline
+
+### 1. Detect and Declare (0-15 min)
+
+1. Open an internal incident channel.
+2. Assign incident commander and communications lead.
+3. Record:
+   - first detection timestamp
+   - affected command flows
+   - impacted storage paths/environment variables
+
+### 2. Contain (15-60 min)
+
+1. For credential exposure:
+   - rotate affected OAuth/session credentials
+   - set new `CODEX_AUTH_ENCRYPTION_KEY`
+   - run `codex auth rotate-secrets --idempotency-key <incident-id>`
+2. For unauthorized command execution:
+   - downgrade role to `CODEX_AUTH_ROLE=viewer` where possible
+   - enable `CODEX_AUTH_ABAC_READ_ONLY=1` until containment is complete
+   - deny high-risk commands with `CODEX_AUTH_ABAC_DENY_COMMANDS=rotate-secrets,fix`
+   - reserve `CODEX_AUTH_BREAK_GLASS=1` for explicit emergency changes
+3. For filesystem instability:
+   - pause mutation commands (`login`, `switch`, `fix`)
+   - inspect lock files and dead-letter entries
+
+### 3. Eradicate and Recover (within 24h)
+
+1. Patch root cause and merge behind required CI checks.
+2. Validate:
+   - `npm run typecheck`
+   - `npm run lint`
+   - `npm test`
+   - `npm run audit:ci`
+3. Re-enable normal command paths and monitor audit logs.
+
+---
+
+## Communication Template
+
+Use this internal status template:
+
+```text
+Incident: <short title>
+Severity: <SEV-1|SEV-2|SEV-3>
+Start Time: <ISO-8601>
+Current Status: <investigating|contained|mitigated|resolved>
+Impact: <who/what is affected>
+Mitigation: <actions in progress>
+Next Update: <time>
+```
+
+---
+
+## Evidence Collection
+
+Capture and retain:
+
+1. `audit.log` entries for the affected window.
+2. relevant `codex-plugin` logs.
+3. dead-letter entries from `background-job-dlq.jsonl`.
+4. CI run links for failing and fixed pipelines.
+
+Do not include raw refresh/access tokens in incident artifacts.
+
+---
+
+## Post-Incident Review (within 5 business days)
+
+1. Build a timeline with concrete timestamps.
+2. Document root cause and contributing factors.
+3. Add at least one prevention control:
+   - new test
+   - CI gate
+   - runbook update
+   - config default hardening
+4. Publish remediation status and owner commitments.
+
+---
+
+## Related
+
+- [operations.md](operations.md)
+- [../../SECURITY.md](../../SECURITY.md)
+- [../troubleshooting.md](../troubleshooting.md)
diff --git a/docs/runbooks/operations.md b/docs/runbooks/operations.md
new file mode 100644
index 0000000..37d49ff
--- /dev/null
+++ b/docs/runbooks/operations.md
@@ -0,0 +1,90 @@
+# Operations Runbook
+
+Routine operations checklist for maintainers.
+
+---
+
+## Daily
+
+1. Review CI status for `main`:
+   - `CI`
+   - `CodeQL`
+   - `Secret Scan`
+   - `Supply Chain`
+2. Check recent audit and plugin logs:
+   - `~/.codex/multi-auth/logs/audit.log`
+   - `~/.codex/multi-auth/logs/codex-plugin/`
+3. Check dead-letter queue growth:
+   - `~/.codex/multi-auth/background-job-dlq.jsonl`
+
+---
+
+## Weekly
+
+1. Rotate encryption key material:
+   - set `CODEX_AUTH_ENCRYPTION_KEY` (new key)
+   - set `CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY` (prior key)
+   - run `codex auth rotate-secrets --json --idempotency-key <run-id>`
+   - prefer a stable run id source (for example `weekly-YYYYMMDD` or CI `${{ github.run_id }}`)
+   - remove previous key after successful rotation validation
+2. Review dependency and license policy reports:
+   - `npm run audit:ci`
+   - `npm run license:check`
+3. Export SBOM from workflow artifacts (`sbom-cyclonedx`) and archive with release metadata.
+
+---
+
+## Monthly
+
+1. Verify retention policy values:
+   - `CODEX_AUTH_RETENTION_LOG_DAYS`
+   - `CODEX_AUTH_RETENTION_CACHE_DAYS`
+   - `CODEX_AUTH_RETENTION_FLAGGED_DAYS`
+   - `CODEX_AUTH_RETENTION_QUOTA_CACHE_DAYS`
+   - `CODEX_AUTH_RETENTION_DLQ_DAYS`
+2. Validate RBAC defaults for deployment environments:
+   - `CODEX_AUTH_ROLE=admin|operator|viewer`
+   - `CODEX_AUTH_BREAK_GLASS=1` only for emergency windows
+3. Validate ABAC guardrails for automation and production:
+   - `CODEX_AUTH_ABAC_READ_ONLY=1` for read-only diagnostics environments
+   - `CODEX_AUTH_ABAC_REQUIRE_INTERACTIVE=accounts:write,accounts:repair` for interactive-only mutation paths
+   - `CODEX_AUTH_ABAC_REQUIRE_IDEMPOTENCY_KEY=secrets:rotate` for safe retryable secret rotation
+4. Run a restore drill with exported account backups.
+
+---
+
+## Pre-Release Checklist
+
+1. `npm run typecheck`
+2. `npm run lint`
+3. `npm test`
+4. `npm run coverage`
+5. `npm run build`
+6. `npm run audit:ci`
+7. `npm run license:check`
+8. Confirm branch protection required checks remain aligned with `.github/settings.yml`.
+
+---
+
+## Failure Triage
+
+1. If auth operations fail repeatedly, inspect rate-limit diagnostics and account health:
+   - `codex auth check`
+   - `codex auth doctor --json`
+2. If writes fail under filesystem lock contention:
+   - check stale `*.lock` files under runtime root
+   - inspect DLQ entries for repeated write failures
+3. If CI secret scan fails:
+   - rotate exposed secret
+   - invalidate related tokens
+   - scrub history or revoke access based on severity
+   - document in incident report
+
+---
+
+## Related
+
+- [incident-response.md](incident-response.md)
+- [../reference/commands.md](../reference/commands.md)
+- [../privacy.md](../privacy.md)
+- [../../SECURITY.md](../../SECURITY.md)
diff --git a/index.ts b/index.ts
index 7db8808..5d5fa3e 100644
--- a/index.ts
+++ b/index.ts
@@ -99,6 +99,8 @@ import {
 	setCorrelationId,
 	clearCorrelationId,
 } from "./lib/logger.js";
+import { auditLog, AuditAction, AuditOutcome } from "./lib/audit.js";
+import { checkAuthRateLimit, recordAuthAttempt, resetAuthRateLimit } from "./lib/auth-rate-limit.js";
 import { checkAndNotify } from "./lib/auto-update-checker.js";
 import { handleContextOverflow } from "./lib/context-overflow.js";
 import {
@@ -202,6 +204,7 @@ import {
 	createHashlineReadTool,
 } from "./lib/tools/hashline-tools.js";
 import { registerCleanup } from "./lib/shutdown.js";
+import { enforceDataRetention } from "./lib/data-retention.js";
 
 /**
  * OpenAI Codex OAuth authentication plugin for Codex CLI host runtime
@@ -222,6 +225,13 @@ import { registerCleanup } from "./lib/shutdown.js";
 // eslint-disable-next-line @typescript-eslint/require-await
 export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 	initLogger(client);
+	void withAccountStorageTransaction(async (_loadedStorage, _persist) => {
+		await enforceDataRetention();
+	}).catch((error) => {
+		logWarn("Data retention cleanup failed", {
+			error: error instanceof Error ? error.message : String(error),
+		});
+	});
 	let cachedAccountManager: AccountManager | null = null;
 	let accountManagerPromise: Promise<AccountManager> | null = null;
 	let loaderMutex: Promise<void> | null = null;
@@ -259,6 +269,29 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 		return "balanced";
 	};
 
+	const exchangeAuthorizationCodeWithRateLimit = async (
+		code: string,
+		verifier: string,
+		redirectUri: string,
+	): Promise<TokenResult> => {
+		const rateLimitKey = "oauth:code-exchange";
+		try {
+			checkAuthRateLimit(rateLimitKey);
+			recordAuthAttempt(rateLimitKey);
+			const tokens = await exchangeAuthorizationCode(code, verifier, redirectUri);
+			if (tokens.type === "success") {
+				resetAuthRateLimit(rateLimitKey);
+			}
+			return tokens;
+		} catch (error) {
+			return {
+				type: "failed",
+				reason: "http_error",
+				message: error instanceof Error ? error.message : String(error),
+			};
+		}
+	};
+
 		const parseEnvInt = (value: string | undefined): number | undefined => {
 			if (value === undefined) return undefined;
 			const parsed = Number.parseInt(value, 10);
@@ -460,11 +493,11 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
                                         message: "OAuth state mismatch. Restart login and try again.",
                                 };
                         }
-                        const tokens = await exchangeAuthorizationCode(
-                                parsed.code,
-                                pkce.verifier,
-                                REDIRECT_URI,
-                        );
+						const tokens = await exchangeAuthorizationCodeWithRateLimit(
+							parsed.code,
+							pkce.verifier,
+							REDIRECT_URI,
+						);
                         if (tokens?.type === "success") {
                                 const resolved = resolveAccountSelection(tokens);
                                 if (onSuccess) {
@@ -509,7 +542,7 @@ export const OpenAIOAuthPlugin: Plugin = async ({ client }: PluginInput) => {
 			return { type: "failed" as const, reason: "unknown" as const, message: "OAuth callback timeout or cancelled" };
 		}
 
-                return await exchangeAuthorizationCode(
+                return await exchangeAuthorizationCodeWithRateLimit(
                         result.code,
                         pkce.verifier,
                         REDIRECT_URI,
@@ -1664,6 +1697,17 @@ while (attempted.size < Math.max(1, accountCount)) {
 
 							try {
 								runtimeMetrics.totalRequests++;
+								auditLog(
+									AuditAction.REQUEST_START,
+									account.email ?? `account-${account.index + 1}`,
+									url,
+									AuditOutcome.SUCCESS,
+									{
+										model,
+										accountIndex: account.index + 1,
+										modelFamily,
+									},
+								);
 								response = await fetch(url, {
 									...requestInit,
 									headers,
@@ -1688,7 +1732,29 @@ while (attempted.size < Math.max(1, accountCount)) {
 										);
 									}
 								const errorMsg = networkError instanceof Error ? networkError.message : String(networkError);
+								const safeAuditResource = (() => {
+									try {
+										const parsed = new URL(url);
+										return `${parsed.origin}${parsed.pathname}`;
+									} catch {
+										return url;
+									}
+								})();
+								const networkErrorType =
+									networkError instanceof Error ? networkError.name : "unknown_error";
 								logWarn(`Network error for account ${account.index + 1}: ${errorMsg}`);
+								auditLog(
+									AuditAction.REQUEST_FAILURE,
+									account.email ?? `account-${account.index + 1}`,
+									safeAuditResource,
+									AuditOutcome.FAILURE,
+									{
+										model,
+										accountIndex: account.index + 1,
+										errorType: networkErrorType,
+										stage: "network",
+									},
+								);
 								runtimeMetrics.failedRequests++;
 								runtimeMetrics.networkErrors++;
 								runtimeMetrics.accountRotations++;
@@ -2350,6 +2416,18 @@ while (attempted.size < Math.max(1, accountCount)) {
 							successAccountForResponse.index,
 						);
 					runtimeMetrics.successfulRequests++;
+					auditLog(
+						AuditAction.REQUEST_SUCCESS,
+						successAccountForResponse.email ?? `account-${successAccountForResponse.index + 1}`,
+						url,
+						AuditOutcome.SUCCESS,
+						{
+							model,
+							accountIndex: successAccountForResponse.index + 1,
+							latencyMs: fetchLatencyMs,
+							modelFamily,
+						},
+					);
 					runtimeMetrics.lastError = null;
 					if (lastCodexCliActiveSyncIndex !== successAccountForResponse.index) {
 						void accountManager.syncCodexCliActiveSelectionForIndex(successAccountForResponse.index);
@@ -2392,6 +2470,18 @@ while (attempted.size < Math.max(1, accountCount)) {
 											: `All ${count} account(s) failed (server errors or auth issues). Check account health with \`codex-health\`.`;
 								runtimeMetrics.failedRequests++;
 								runtimeMetrics.lastError = message;
+								auditLog(
+									AuditAction.REQUEST_FAILURE,
+									"plugin",
+									url,
+									AuditOutcome.FAILURE,
+									{
+										model,
+										accountCount: count,
+										message,
+										waitMs,
+									},
+								);
 								return new Response(JSON.stringify({ error: { message } }), {
 									status: waitMs > 0 ? 429 : 503,
 											headers: {
diff --git a/lib/accounts.ts b/lib/accounts.ts
index 40fe38d..7ea001b 100644
--- a/lib/accounts.ts
+++ b/lib/accounts.ts
@@ -23,6 +23,7 @@ import {
 } from "./codex-cli/state.js";
 import { syncAccountStorageFromCodexCli } from "./codex-cli/sync.js";
 import { setCodexCliActiveSelection } from "./codex-cli/writer.js";
+import { runBackgroundJobWithRetry } from "./background-jobs.js";
 
 export {
 	extractAccountId,
@@ -768,9 +769,25 @@ export class AccountManager {
 			const doSave = async () => {
 				try {
 					if (this.pendingSave) {
-						await this.pendingSave;
+						try {
+							await this.pendingSave;
+						} catch (error) {
+							log.warn("Previous debounced save failed", {
+								error: error instanceof Error ? error.message : String(error),
+							});
+						}
 					}
-					this.pendingSave = this.saveToDisk().finally(() => {
+					this.pendingSave = runBackgroundJobWithRetry({
+						name: "accounts.saveToDiskDebounced",
+						task: () => this.saveToDisk(),
+						context: {
+							accountCount: this.accounts.length,
+							activeIndexByFamily: { ...this.currentAccountIndexByFamily },
+						},
+						maxAttempts: 4,
+						baseDelayMs: 50,
+						maxDelayMs: 1_000,
+					}).finally(() => {
 						this.pendingSave = null;
 					});
 					await this.pendingSave;
diff --git a/lib/audit.ts b/lib/audit.ts
index 9376402..9a3bd5f 100644
--- a/lib/audit.ts
+++ b/lib/audit.ts
@@ -14,6 +14,7 @@ export enum AuditAction {
 	AUTH_LOGOUT = "auth.logout",
 	AUTH_REFRESH = "auth.refresh",
 	AUTH_FAILURE = "auth.failure",
+	AUTH_BREAK_GLASS = "auth.break_glass",
 	CONFIG_LOAD = "config.load",
 	CONFIG_CHANGE = "config.change",
 	REQUEST_START = "request.start",
diff --git a/lib/authorization.ts b/lib/authorization.ts
new file mode 100644
index 0000000..d9228aa
--- /dev/null
+++ b/lib/authorization.ts
@@ -0,0 +1,149 @@
+import { auditLog, AuditAction, AuditOutcome } from "./audit.js";
+
+export type AuthRole = "admin" | "operator" | "viewer";
+
+export type AuthAction =
+	| "accounts:read"
+	| "accounts:write"
+	| "accounts:repair"
+	| "secrets:rotate";
+
+export interface AuthorizationContext {
+	command?: string;
+	interactive?: boolean;
+	idempotencyKeyPresent?: boolean;
+}
+
+const ROLE_PERMISSIONS: Record<AuthRole, Set<AuthAction>> = {
+	admin: new Set(["accounts:read", "accounts:write", "accounts:repair", "secrets:rotate"]),
+	operator: new Set(["accounts:read", "accounts:write", "accounts:repair"]),
+	viewer: new Set(["accounts:read"]),
+};
+
+const ALL_AUTH_ACTIONS = new Set<AuthAction>([
+	"accounts:read",
+	"accounts:write",
+	"accounts:repair",
+	"secrets:rotate",
+]);
+
+function getRoleFromEnv(): AuthRole {
+	const rawEnv = process.env.CODEX_AUTH_ROLE;
+	if (rawEnv === undefined || rawEnv.trim().length === 0) {
+		return "admin";
+	}
+	const raw = rawEnv.trim().toLowerCase();
+	if (raw === "operator" || raw === "viewer" || raw === "admin") {
+		return raw;
+	}
+	return "viewer";
+}
+
+export function getAuthorizationRole(): AuthRole {
+	return getRoleFromEnv();
+}
+
+function isTruthyEnv(name: string): boolean {
+	const raw = (process.env[name] ?? "").trim().toLowerCase();
+	return raw === "1" || raw === "true" || raw === "yes" || raw === "on";
+}
+
+function parseActionSetFromEnv(name: string): Set<AuthAction> {
+	const raw = (process.env[name] ?? "").trim();
+	if (!raw) return new Set<AuthAction>();
+	const values = raw
+		.split(",")
+		.map((value) => value.trim().toLowerCase())
+		.filter((value) => value.length > 0);
+	const parsed = new Set<AuthAction>();
+	for (const value of values) {
+		if (ALL_AUTH_ACTIONS.has(value as AuthAction)) {
+			parsed.add(value as AuthAction);
+		}
+	}
+	return parsed;
+}
+
+function parseCommandSetFromEnv(name: string): Set<string> {
+	const raw = (process.env[name] ?? "").trim();
+	if (!raw) return new Set<string>();
+	return new Set(
+		raw
+			.split(",")
+			.map((value) => value.trim().toLowerCase())
+			.filter((value) => value.length > 0),
+	);
+}
+
+function evaluateAbacPolicy(
+	action: AuthAction,
+	context: AuthorizationContext,
+): string | null {
+	const readOnly = isTruthyEnv("CODEX_AUTH_ABAC_READ_ONLY");
+	if (readOnly && action !== "accounts:read") {
+		return "ABAC read-only mode denies mutating actions";
+	}
+
+	const deniedActions = parseActionSetFromEnv("CODEX_AUTH_ABAC_DENY_ACTIONS");
+	if (deniedActions.has(action)) {
+		return `ABAC policy denies action '${action}'`;
+	}
+
+	const deniedCommands = parseCommandSetFromEnv("CODEX_AUTH_ABAC_DENY_COMMANDS");
+	const command = context.command?.trim().toLowerCase();
+	if (command && deniedCommands.has(command)) {
+		return `ABAC policy denies command '${command}'`;
+	}
+
+	const interactiveActions = parseActionSetFromEnv("CODEX_AUTH_ABAC_REQUIRE_INTERACTIVE");
+	if (interactiveActions.has(action) && context.interactive !== true) {
+		return `ABAC policy requires an interactive terminal for '${action}'`;
+	}
+
+	const idempotencyActions = parseActionSetFromEnv("CODEX_AUTH_ABAC_REQUIRE_IDEMPOTENCY_KEY");
+	if (idempotencyActions.has(action) && context.idempotencyKeyPresent !== true) {
+		return `ABAC policy requires idempotency key for '${action}'`;
+	}
+
+	return null;
+}
+
+export function authorizeAction(
+	action: AuthAction,
+	context: AuthorizationContext = {},
+): { allowed: boolean; role: AuthRole; reason?: string } {
+	if (process.env.CODEX_AUTH_BREAK_GLASS === "1") {
+		const role = getRoleFromEnv();
+		auditLog(
+			AuditAction.AUTH_BREAK_GLASS,
+			"system",
+			action,
+			AuditOutcome.SUCCESS,
+			{
+				role,
+				breakGlass: true,
+			},
+		);
+		return { allowed: true, role };
+	}
+
+	const role = getRoleFromEnv();
+	const abacReason = evaluateAbacPolicy(action, context);
+	if (abacReason) {
+		return {
+			allowed: false,
+			role,
+			reason: abacReason,
+		};
+	}
+
+	const permissions = ROLE_PERMISSIONS[role];
+	if (permissions.has(action)) {
+		return { allowed: true, role };
+	}
+	return {
+		allowed: false,
+		role,
+		reason: `Role '${role}' does not allow '${action}'`,
+	};
+}
diff --git a/lib/background-jobs.ts b/lib/background-jobs.ts
new file mode 100644
index 0000000..c149abc
--- /dev/null
+++ b/lib/background-jobs.ts
@@ -0,0 +1,142 @@
+import { promises as fs } from "node:fs";
+import { dirname, join } from "node:path";
+import { logWarn } from "./logger.js";
+import { getCodexMultiAuthDir } from "./runtime-paths.js";
+import { sleep } from "./utils.js";
+import { acquireFileLock } from "./file-lock.js";
+import { redactForExternalOutput } from "./data-redaction.js";
+
+const DEFAULT_MAX_ATTEMPTS = 3;
+const DEFAULT_BASE_DELAY_MS = 50;
+const DEFAULT_MAX_DELAY_MS = 500;
+
+const DLQ_PATH = join(getCodexMultiAuthDir(), "background-job-dlq.jsonl");
+const DLQ_LOCK_PATH = `${DLQ_PATH}.lock`;
+
+export interface BackgroundJobRetryOptions<T> {
+	name: string;
+	task: () => Promise<T>;
+	context?: Record<string, unknown>;
+	maxAttempts?: number;
+	baseDelayMs?: number;
+	maxDelayMs?: number;
+	retryable?: (error: unknown) => boolean;
+}
+
+export interface DeadLetterEntry {
+	version: 1;
+	timestamp: string;
+	job: string;
+	attempts: number;
+	error: string;
+	context?: Record<string, unknown>;
+}
+
+function toErrorMessage(error: unknown): string {
+	return error instanceof Error ? error.message : String(error);
+}
+
+function sanitizeErrorMessage(message: string): string {
+	return message
+		.replace(/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi, "***REDACTED***")
+		.replace(
+			/\b(?:access|refresh|id)?_?token(?:=|:)?\s*([A-Z0-9._-]+)/gi,
+			"token=***REDACTED***",
+		)
+		.replace(/\b(Bearer)\s+[A-Z0-9._-]+\b/gi, "$1 ***REDACTED***");
+}
+
+function getDelayMs(attempt: number, baseDelayMs: number, maxDelayMs: number): number {
+	return Math.min(maxDelayMs, baseDelayMs * 2 ** Math.max(0, attempt - 1));
+}
+
+function isRetryableByDefault(error: unknown): boolean {
+	const statusCode = (error as { statusCode?: unknown } | undefined)?.statusCode;
+	if (typeof statusCode === "number" && statusCode === 429) {
+		return true;
+	}
+	const code = (error as NodeJS.ErrnoException | undefined)?.code;
+	if (typeof code === "string") {
+		return code === "EBUSY" || code === "EPERM" || code === "EAGAIN" || code === "ETIMEDOUT";
+	}
+	const candidate = error as
+		| { status?: unknown; statusCode?: unknown; response?: { status?: unknown } }
+		| undefined;
+	const status =
+		typeof candidate?.status === "number"
+			? candidate.status
+			: typeof candidate?.statusCode === "number"
+				? candidate.statusCode
+				: typeof candidate?.response?.status === "number"
+					? candidate.response.status
+					: null;
+	return status === 429;
+}
+
+async function appendDeadLetter(entry: DeadLetterEntry): Promise<void> {
+	await fs.mkdir(dirname(DLQ_PATH), { recursive: true });
+	const lock = await acquireFileLock(DLQ_LOCK_PATH, {
+		maxAttempts: 80,
+		baseDelayMs: 15,
+		maxDelayMs: 800,
+		staleAfterMs: 120_000,
+	});
+	try {
+		await fs.appendFile(DLQ_PATH, `${JSON.stringify(entry)}\n`, {
+			encoding: "utf8",
+			mode: 0o600,
+		});
+	} finally {
+		await lock.release();
+	}
+}
+
+export function getBackgroundJobDlqPath(): string {
+	return DLQ_PATH;
+}
+
+export async function runBackgroundJobWithRetry<T>(options: BackgroundJobRetryOptions<T>): Promise<T> {
+	const maxAttempts = Math.max(1, Math.floor(options.maxAttempts ?? DEFAULT_MAX_ATTEMPTS));
+	const baseDelayMs = Math.max(1, Math.floor(options.baseDelayMs ?? DEFAULT_BASE_DELAY_MS));
+	const maxDelayMs = Math.max(baseDelayMs, Math.floor(options.maxDelayMs ?? DEFAULT_MAX_DELAY_MS));
+	const retryable = options.retryable ?? isRetryableByDefault;
+
+	let lastError: unknown;
+	for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
+		try {
+			return await options.task();
+		} catch (error) {
+			lastError = error;
+			if (attempt >= maxAttempts || !retryable(error)) {
+				break;
+			}
+			await sleep(getDelayMs(attempt, baseDelayMs, maxDelayMs));
+		}
+	}
+
+	const errorMessage = sanitizeErrorMessage(toErrorMessage(lastError));
+	const deadLetter: DeadLetterEntry = {
+		version: 1,
+		timestamp: new Date().toISOString(),
+		job: options.name,
+		attempts: maxAttempts,
+		error: errorMessage,
+		...(options.context ? { context: redactForExternalOutput(options.context) } : {}),
+	};
+
+	try {
+		await appendDeadLetter(deadLetter);
+	} catch (dlqError) {
+		logWarn("Failed to append background job dead-letter", {
+			job: options.name,
+			error: sanitizeErrorMessage(toErrorMessage(dlqError)),
+		});
+	}
+
+	logWarn("Background job failed after retries", {
+		job: options.name,
+		attempts: maxAttempts,
+		error: errorMessage,
+	});
+	throw (lastError instanceof Error ? lastError : new Error(errorMessage));
+}
diff --git a/lib/codex-manager.ts b/lib/codex-manager.ts
index 794eb7c..51b9e08 100644
--- a/lib/codex-manager.ts
+++ b/lib/codex-manager.ts
@@ -56,10 +56,16 @@ import {
 	saveFlaggedAccounts,
 	saveAccounts,
 	setStoragePath,
+	rotateStoredSecretEncryption,
 	type AccountMetadataV3,
 	type AccountStorageV3,
 	type FlaggedAccountMetadataV1,
 } from "./storage.js";
+import {
+	checkAndRecordIdempotencyKey,
+	markIdempotencySucceeded,
+	clearIdempotencyOnFailure,
+} from "./idempotency.js";
 import type { AccountIdSource, TokenFailure, TokenResult } from "./types.js";
 import {
 	getCodexCliAuthPath,
@@ -73,6 +79,10 @@ import { paintUiText, quotaToneFromLeftPercent } from "./ui/format.js";
 import { getUiRuntimeOptions } from "./ui/runtime.js";
 import { select, type MenuItem } from "./ui/select.js";
 import { applyUiThemeFromDashboardSettings, configureUnifiedSettings, resolveMenuLayoutMode } from "./codex-manager/settings-hub.js";
+import { auditLog, AuditAction, AuditOutcome } from "./audit.js";
+import { checkAuthRateLimit, recordAuthAttempt, resetAuthRateLimit } from "./auth-rate-limit.js";
+import { redactForExternalOutput } from "./data-redaction.js";
+import { authorizeAction, type AuthAction, type AuthorizationContext } from "./authorization.js";
 
 type TokenSuccess = Extract<TokenResult, { type: "success" }>;
 type TokenSuccessWithAccount = TokenSuccess & {
@@ -81,6 +91,77 @@ type TokenSuccessWithAccount = TokenSuccess & {
 	accountLabel?: string;
 };
 type PromptTone = "accent" | "success" | "warning" | "danger" | "muted";
+const JSON_OUTPUT_SCHEMA_VERSION = 1 as const;
+
+function getAuditActor(): string {
+	const candidate = process.env.USER || process.env.USERNAME || "local-user";
+	return candidate.trim().length > 0 ? candidate : "local-user";
+}
+
+function emitAudit(
+	action: AuditAction,
+	outcome: AuditOutcome,
+	resource: string,
+	metadata?: Record<string, unknown>,
+): void {
+	auditLog(action, getAuditActor(), resource, outcome, metadata);
+}
+
+function buildRefreshRateLimitKey(
+	refreshToken: string,
+	accountId?: string,
+	email?: string,
+): string {
+	if (accountId && accountId.trim().length > 0) {
+		return `refresh:${accountId.trim().toLowerCase()}`;
+	}
+	if (email && email.trim().length > 0) {
+		return `refresh:${email.trim().toLowerCase()}`;
+	}
+	const suffix = refreshToken.slice(-12).toLowerCase();
+	return `refresh:${suffix}`;
+}
+
+async function queuedRefreshWithAuthRateLimit(
+	refreshToken: string,
+	context: { accountId?: string; email?: string },
+): Promise<TokenResult> {
+	const rateLimitKey = buildRefreshRateLimitKey(refreshToken, context.accountId, context.email);
+	checkAuthRateLimit(rateLimitKey);
+	recordAuthAttempt(rateLimitKey);
+	const result = await queuedRefresh(refreshToken);
+	if (result.type === "success") {
+		resetAuthRateLimit(rateLimitKey);
+	}
+	return result;
+}
+
+function maybeRedactJsonOutput<T>(value: T): T {
+	const shouldRedact = process.env.CODEX_AUTH_REDACT_JSON_OUTPUT === "1";
+	return shouldRedact ? redactForExternalOutput(value) : value;
+}
+
+function hasOptionFlag(args: readonly string[], flag: string): boolean {
+	for (let index = 0; index < args.length; index += 1) {
+		const arg = args[index];
+		if (arg === flag) {
+			const next = args[index + 1];
+			return typeof next === "string" && next.trim().length > 0;
+		}
+		if (arg?.startsWith(`${flag}=`)) {
+			const value = arg.slice(flag.length + 1).trim();
+			return value.length > 0;
+		}
+	}
+	return false;
+}
+
+function ensureAuthorized(action: AuthAction, context: AuthorizationContext = {}): boolean {
+	const auth = authorizeAction(action, context);
+	if (auth.allowed) return true;
+	console.error(`Authorization denied: ${auth.reason}`);
+	return false;
+}
 
 function stylePromptText(text: string, tone: PromptTone): string {
 	if (!output.isTTY) return text;
@@ -287,8 +368,8 @@ function printUsage(): void {
 			"",
 			"Usage:",
 			"  codex auth login",
-			"  codex auth list",
-			"  codex auth status",
+			"  codex auth list [--json] [--page-size <n>] [--cursor <cursor>]",
+			"  codex auth status [--json] [--page-size <n>] [--cursor <cursor>]",
 			"  codex auth switch <index>",
 			"  codex auth check",
 			"  codex auth features",
@@ -297,6 +378,7 @@ function printUsage(): void {
 			"  codex auth report [--live] [--json] [--model <model>] [--out <path>]",
 			"  codex auth fix [--dry-run] [--json] [--live] [--model <model>]",
 			"  codex auth doctor [--json] [--fix] [--dry-run]",
+			"  codex auth rotate-secrets [--json] [--idempotency-key <key>]",
 			"",
 			"Notes:",
 			"  - Uses ~/.codex/multi-auth/openai-codex-accounts.json",
@@ -1245,13 +1327,32 @@ async function runOAuthFlow(forceNewLogin: boolean): Promise<TokenResult> {
 	}
 
 	if (!code) {
+		emitAudit(AuditAction.AUTH_LOGIN, AuditOutcome.FAILURE, "oauth", {
+			reason: "cancelled",
+			forceNewLogin,
+		});
 		return {
 			type: "failed",
 			reason: "unknown",
 			message: UI_COPY.oauth.cancelled,
 		};
 	}
-	return exchangeAuthorizationCode(code, pkce.verifier, REDIRECT_URI);
+	const authRateLimitKey = "oauth:login";
+	checkAuthRateLimit(authRateLimitKey);
+	recordAuthAttempt(authRateLimitKey);
+	const tokenResult = await exchangeAuthorizationCode(code, pkce.verifier, REDIRECT_URI);
+	if (tokenResult.type === "success") {
+		resetAuthRateLimit(authRateLimitKey);
+		emitAudit(AuditAction.AUTH_LOGIN, AuditOutcome.SUCCESS, "oauth", {
+			forceNewLogin,
+		});
+	} else {
+		emitAudit(AuditAction.AUTH_FAILURE, AuditOutcome.FAILURE, "oauth", {
+			reason: tokenResult.reason,
+			message: tokenResult.message,
+		});
+	}
+	return tokenResult;
 }
 
 async function persistAccountPool(
@@ -1383,6 +1484,17 @@ async function persistAccountPool(
 		activeIndex: nextActiveIndex,
 		activeIndexByFamily,
 	});
+	emitAudit(
+		AuditAction.ACCOUNT_ADD,
+		AuditOutcome.SUCCESS,
+		"account-pool",
+		{
+			replaceAll,
+			updatedAccounts: results.length,
+			totalAccounts: accounts.length,
+			activeIndex: nextActiveIndex + 1,
+		},
+	);
 }
 
 async function syncSelectionToCodex(tokens: TokenSuccessWithAccount): Promise<void> {
@@ -1403,18 +1515,116 @@ async function syncSelectionToCodex(tokens: TokenSuccessWithAccount): Promise<vo
 	});
 }
 
-async function showAccountStatus(): Promise<void> {
+function encodePaginationCursor(index: number): string {
+	return Buffer.from(String(index), "utf8").toString("base64");
+}
+
+function decodePaginationCursor(cursor: string): number | null {
+	try {
+		const decoded = Buffer.from(cursor, "base64").toString("utf8");
+		if (!/^\d+$/.test(decoded)) return null;
+		const parsed = Number.parseInt(decoded, 10);
+		if (!Number.isFinite(parsed) || parsed < 0) return null;
+		return parsed;
+	} catch {
+		return null;
+	}
+}
+
+async function showAccountStatus(args: string[] = []): Promise<number> {
+	const parsed = parseListArgs(args);
+	if (!parsed.ok) {
+		console.error(parsed.message);
+		return 1;
+	}
+	const options = parsed.options;
 	setStoragePath(null);
 	const storage = await loadAccounts();
 	const path = getStoragePath();
 	if (!storage || storage.accounts.length === 0) {
-		console.log("No accounts configured.");
-		console.log(`Storage: ${path}`);
-		return;
+		if (options.json) {
+			console.log(
+				JSON.stringify(
+					maybeRedactJsonOutput({
+						command: "list",
+						schemaVersion: JSON_OUTPUT_SCHEMA_VERSION,
+						total: 0,
+						storagePath: path,
+						pagination: {
+							pageSize: options.pageSize,
+							cursor: options.cursor ?? null,
+							nextCursor: null,
+							hasMore: false,
+						},
+						accounts: [],
+					}),
+					null,
+					2,
+				),
+			);
+		} else {
+			console.log("No accounts configured.");
+			console.log(`Storage: ${path}`);
+		}
+		return 0;
 	}
 
 	const now = Date.now();
 	const activeIndex = resolveActiveIndex(storage, "codex");
+	if (options.json) {
+		const startIndex = options.cursor ? decodePaginationCursor(options.cursor) : 0;
+		if (startIndex === null || startIndex > storage.accounts.length) {
+			console.error("Invalid --cursor value");
+			return 1;
+		}
+		const page = storage.accounts
+			.slice(startIndex, startIndex + options.pageSize)
+			.map((account, offset) => {
+				const index = startIndex + offset;
+				const label = formatAccountLabel(account, index);
+				const rateLimit = formatRateLimitEntry(account, now, "codex");
+				const cooldown = formatCooldown(account, now);
+				const markers: string[] = [];
+				if (index === activeIndex) markers.push("current");
+				if (account.enabled === false) markers.push("disabled");
+				if (rateLimit) markers.push("rate-limited");
+				if (cooldown) markers.push(`cooldown:${cooldown}`);
+				return {
+					index: index + 1,
+					email: account.email ?? null,
+					accountId: account.accountId ?? null,
+					label,
+					enabled: account.enabled !== false,
+					current: index === activeIndex,
+					markers,
+					lastUsedAtMs: typeof account.lastUsed === "number" ? account.lastUsed : null,
+				};
+			});
+		const nextIndex = startIndex + page.length;
+		const hasMore = nextIndex < storage.accounts.length;
+		const nextCursor = hasMore ? encodePaginationCursor(nextIndex) : null;
+		console.log(
+			JSON.stringify(
+				maybeRedactJsonOutput({
+					command: "list",
+					schemaVersion: JSON_OUTPUT_SCHEMA_VERSION,
+					total: storage.accounts.length,
+					storagePath: path,
+					pagination: {
+						pageSize: options.pageSize,
+						cursor: options.cursor ?? null,
+						nextCursor,
+						hasMore,
+					},
+					accounts: page,
+				}),
+				null,
+				2,
+			),
+		);
+		return 0;
+	}
+
 	console.log(`Accounts (${storage.accounts.length})`);
 	console.log(`Storage: ${path}`);
 	console.log("");
@@ -1435,6 +1645,7 @@ async function showAccountStatus(): Promise<void> {
 			: "never used";
 		console.log(`${i + 1}. ${label}${markerLabel} ${lastUsed}`);
 	}
+	return 0;
 }
 
 interface HealthCheckOptions {
@@ -1527,7 +1738,10 @@ async function runHealthCheck(options: HealthCheckOptions = {}): Promise<void> {
 			}
 			continue;
 		}
-		const result = await queuedRefresh(account.refreshToken);
+		const result = await queuedRefreshWithAuthRateLimit(account.refreshToken, {
+			accountId: account.accountId,
+			email: account.email,
+		});
 		if (result.type === "success") {
 			const tokenAccountId = extractAccountId(result.access);
 			const nextEmail = sanitizeEmail(extractAccountEmail(result.access, result.idToken));
@@ -1672,6 +1886,17 @@ interface VerifyFlaggedCliOptions {
 	restore: boolean;
 }
 
+interface ListCliOptions {
+	json: boolean;
+	pageSize: number;
+	cursor?: string;
+}
+
+interface RotateSecretsCliOptions {
+	json: boolean;
+	idempotencyKey?: string;
+}
+
 type ParsedArgsResult<T> = { ok: true; options: T } | { ok: false; message: string };
 
 function printForecastUsage(): void {
@@ -1726,6 +1951,64 @@ function printVerifyFlaggedUsage(): void {
 	);
 }
 
+function parseListArgs(args: string[]): ParsedArgsResult<ListCliOptions> {
+	const options: ListCliOptions = {
+		json: false,
+		pageSize: 20,
+	};
+
+	for (let i = 0; i < args.length; i += 1) {
+		const arg = args[i];
+		if (!arg) continue;
+		if (arg === "--json" || arg === "-j") {
+			options.json = true;
+			continue;
+		}
+		if (arg === "--page-size") {
+			const value = args[i + 1];
+			if (!value) {
+				return { ok: false, message: "Missing value for --page-size" };
+			}
+			const parsed = Number.parseInt(value, 10);
+			if (!Number.isFinite(parsed) || parsed < 1 || parsed > 200) {
+				return { ok: false, message: "--page-size must be between 1 and 200" };
+			}
+			options.pageSize = parsed;
+			i += 1;
+			continue;
+		}
+		if (arg.startsWith("--page-size=")) {
+			const value = arg.slice("--page-size=".length).trim();
+			const parsed = Number.parseInt(value, 10);
+			if (!Number.isFinite(parsed) || parsed < 1 || parsed > 200) {
+				return { ok: false, message: "--page-size must be between 1 and 200" };
+			}
+			options.pageSize = parsed;
+			continue;
+		}
+		if (arg === "--cursor") {
+			const value = args[i + 1];
+			if (!value || value.trim().length === 0) {
+				return { ok: false, message: "Missing value for --cursor" };
+			}
+			options.cursor = value.trim();
+			i += 1;
+			continue;
+		}
+		if (arg.startsWith("--cursor=")) {
+			const value = arg.slice("--cursor=".length).trim();
+			if (value.length === 0) {
+				return { ok: false, message: "Missing value for --cursor" };
+			}
+			options.cursor = value;
+			continue;
+		}
+		return { ok: false, message: `Unknown option: ${arg}` };
+	}
+
+	return { ok: true, options };
+}
+
 function parseForecastArgs(args: string[]): ParsedArgsResult<ForecastCliOptions> {
 	const options: ForecastCliOptions = {
 		live: false,
@@ -1888,6 +2171,37 @@ function parseDoctorArgs(args: string[]): ParsedArgsResult<DoctorCliOptions> {
 	return { ok: true, options };
 }
 
+function parseRotateSecretsArgs(args: string[]): ParsedArgsResult<RotateSecretsCliOptions> {
+	const options: RotateSecretsCliOptions = { json: false };
+	for (let i = 0; i < args.length; i += 1) {
+		const arg = args[i];
+		if (!arg) continue;
+		if (arg === "--json" || arg === "-j") {
+			options.json = true;
+			continue;
+		}
+		if (arg === "--idempotency-key") {
+			const value = args[i + 1];
+			if (!value || value.trim().length === 0) {
+				return { ok: false, message: "Missing value for --idempotency-key" };
+			}
+			options.idempotencyKey = value.trim();
+			i += 1;
+			continue;
+		}
+		if (arg.startsWith("--idempotency-key=")) {
+			const value = arg.slice("--idempotency-key=".length).trim();
+			if (value.length === 0) {
+				return { ok: false, message: "Missing value for --idempotency-key" };
+			}
+			options.idempotencyKey = value;
+			continue;
+		}
+		return { ok: false, message: `Unknown option: ${arg}` };
+	}
+	return { ok: true, options };
+}
+
 function printReportUsage(): void {
 	console.log(
 		[
@@ -2046,7 +2360,10 @@ async function runForecast(args: string[]): Promise<number> {
 		let probeAccessToken = account.accessToken;
 		let probeAccountId = account.accountId ?? extractAccountId(account.accessToken);
 		if (!hasUsableAccessToken(account, now)) {
-			const refreshResult = await queuedRefresh(account.refreshToken);
+			const refreshResult = await queuedRefreshWithAuthRateLimit(account.refreshToken, {
+				accountId: account.accountId,
+				email: account.email,
+			});
 			if (refreshResult.type !== "success") {
 				refreshFailures.set(i, {
 					...refreshResult,
@@ -2104,15 +2421,16 @@ async function runForecast(args: string[]): Promise<number> {
 		}
 		console.log(
 			JSON.stringify(
-				{
+				maybeRedactJsonOutput({
 					command: "forecast",
+					schemaVersion: JSON_OUTPUT_SCHEMA_VERSION,
 					model: options.model,
 					liveProbe: options.live,
 					summary,
 					recommendation,
 					probeErrors,
 					accounts: serializeForecastResults(forecastResults, liveQuotaByIndex, refreshFailures),
-				},
+				}),
 				null,
 				2,
 			),
@@ -2224,7 +2542,10 @@ async function runReport(args: string[]): Promise<number> {
 			const account = storage.accounts[i];
 			if (!account || account.enabled === false) continue;
 
-			const refreshResult = await queuedRefresh(account.refreshToken);
+			const refreshResult = await queuedRefreshWithAuthRateLimit(account.refreshToken, {
+				accountId: account.accountId,
+				email: account.email,
+			});
 			if (refreshResult.type !== "success") {
 				refreshFailures.set(i, {
 					...refreshResult,
@@ -2286,6 +2607,7 @@ async function runReport(args: string[]): Promise<number> {
 
 	const report = {
 		command: "report",
+		schemaVersion: JSON_OUTPUT_SCHEMA_VERSION,
 		generatedAt: new Date(now).toISOString(),
 		storagePath,
 		model: options.model,
@@ -2305,15 +2627,16 @@ async function runReport(args: string[]): Promise<number> {
 			accounts: serializeForecastResults(forecastResults, liveQuotaByIndex, refreshFailures),
 		},
 	};
+	const safeReport = maybeRedactJsonOutput(report);
 
 	if (options.outPath) {
 		const outputPath = resolve(process.cwd(), options.outPath);
 		await fs.mkdir(dirname(outputPath), { recursive: true });
-		await fs.writeFile(outputPath, `${JSON.stringify(report, null, 2)}\n`, "utf-8");
+		await fs.writeFile(outputPath, `${JSON.stringify(safeReport, null, 2)}\n`, "utf-8");
 	}
 
 	if (options.json) {
-		console.log(JSON.stringify(report, null, 2));
+		console.log(JSON.stringify(safeReport, null, 2));
 		return 0;
 	}
 
@@ -2537,8 +2860,9 @@ async function runVerifyFlagged(args: string[]): Promise<number> {
 		if (options.json) {
 			console.log(
 				JSON.stringify(
-					{
+					maybeRedactJsonOutput({
 						command: "verify-flagged",
+						schemaVersion: JSON_OUTPUT_SCHEMA_VERSION,
 						total: 0,
 						restored: 0,
 						healthyFlagged: 0,
@@ -2547,7 +2871,7 @@ async function runVerifyFlagged(args: string[]): Promise<number> {
 						dryRun: options.dryRun,
 						restore: options.restore,
 						reports: [] as VerifyFlaggedReport[],
-					},
+					}),
 					null,
 					2,
 				),
@@ -2572,7 +2896,10 @@ async function runVerifyFlagged(args: string[]): Promise<number> {
 		const flagged = flaggedStorage.accounts[i];
 		if (!flagged) continue;
 		const label = formatAccountLabel(flagged, i);
-		const result = await queuedRefresh(flagged.refreshToken);
+		const result = await queuedRefreshWithAuthRateLimit(flagged.refreshToken, {
+			accountId: flagged.accountId,
+			email: flagged.email,
+		});
 
 		if (result.type === "success") {
 			if (!options.restore) {
@@ -2671,13 +2998,21 @@ async function runVerifyFlagged(args: string[]): Promise<number> {
 				accounts: nextFlaggedAccounts,
 			});
 		}
+		if (changed) {
+			emitAudit(AuditAction.CONFIG_CHANGE, AuditOutcome.SUCCESS, "verify-flagged", {
+				restored,
+				stillFlagged,
+				remainingFlagged,
+			});
+		}
 	}
 
 	if (options.json) {
 		console.log(
 			JSON.stringify(
-				{
+				maybeRedactJsonOutput({
 					command: "verify-flagged",
+					schemaVersion: JSON_OUTPUT_SCHEMA_VERSION,
 					total: flaggedStorage.accounts.length,
 					restored,
 					healthyFlagged,
@@ -2687,7 +3022,7 @@ async function runVerifyFlagged(args: string[]): Promise<number> {
 					dryRun: options.dryRun,
 					restore: options.restore,
 					reports,
-				},
+				}),
 				null,
 				2,
 			),
@@ -2834,7 +3169,10 @@ async function runFix(args: string[]): Promise<number> {
 			continue;
 		}
 
-		const refreshResult = await queuedRefresh(account.refreshToken);
+		const refreshResult = await queuedRefreshWithAuthRateLimit(account.refreshToken, {
+			accountId: account.accountId,
+			email: account.email,
+		});
 		if (refreshResult.type === "success") {
 			const nextEmail = sanitizeEmail(extractAccountEmail(refreshResult.access, refreshResult.idToken));
 			const nextAccountId = extractAccountId(refreshResult.access);
@@ -2972,6 +3310,11 @@ async function runFix(args: string[]): Promise<number> {
 
 	if (changed && !options.dryRun) {
 		await saveAccounts(storage);
+		emitAudit(AuditAction.CONFIG_CHANGE, AuditOutcome.SUCCESS, "auto-fix", {
+			changedAccounts: reports.length,
+			disabledCount: reportSummary.disabled,
+			warnings: reportSummary.warnings,
+		});
 	}
 
 	if (options.json) {
@@ -2980,8 +3323,9 @@ async function runFix(args: string[]): Promise<number> {
 		}
 		console.log(
 			JSON.stringify(
-				{
+				maybeRedactJsonOutput({
 					command: "fix",
+					schemaVersion: JSON_OUTPUT_SCHEMA_VERSION,
 					dryRun: options.dryRun,
 					liveProbe: options.live,
 					model: options.model,
@@ -2994,7 +3338,7 @@ async function runFix(args: string[]): Promise<number> {
 							? `codex auth switch ${recommendation.recommendedIndex + 1}`
 							: null,
 					reports,
-				},
+				}),
 				null,
 				2,
 			),
@@ -3520,7 +3864,10 @@ async function runDoctor(args: string[]): Promise<number> {
 							message: `Prepared active-account token refresh for account ${activeIndex + 1} (dry-run)`,
 						});
 					} else {
-						const refreshResult = await queuedRefresh(activeAccount.refreshToken);
+						const refreshResult = await queuedRefreshWithAuthRateLimit(activeAccount.refreshToken, {
+							accountId: activeAccount.accountId,
+							email: activeAccount.email,
+						});
 						if (refreshResult.type === "success") {
 							const refreshedEmail = sanitizeEmail(
 								extractAccountEmail(refreshResult.access, refreshResult.idToken),
@@ -3601,11 +3948,19 @@ async function runDoctor(args: string[]): Promise<number> {
 		{ ok: 0, warn: 0, error: 0 },
 	);
 
+	if (options.fix && fixChanged && !options.dryRun) {
+		emitAudit(AuditAction.CONFIG_CHANGE, AuditOutcome.SUCCESS, "doctor-fix", {
+			actionCount: fixActions.length,
+			summary,
+		});
+	}
+
 	if (options.json) {
 		console.log(
 			JSON.stringify(
-				{
+				maybeRedactJsonOutput({
 					command: "doctor",
+					schemaVersion: JSON_OUTPUT_SCHEMA_VERSION,
 					storagePath,
 					summary,
 					checks,
@@ -3615,7 +3970,7 @@ async function runDoctor(args: string[]): Promise<number> {
 						changed: fixChanged,
 						actions: fixActions,
 					},
-				},
+				}),
 				null,
 				2,
 			),
@@ -3649,6 +4004,127 @@ async function runDoctor(args: string[]): Promise<number> {
 	return summary.error > 0 ? 1 : 0;
 }
 
+async function runRotateSecrets(args: string[]): Promise<number> {
+	if (args.includes("--help") || args.includes("-h")) {
+		console.log([
+			"Usage: codex auth rotate-secrets [--json] [--idempotency-key <key>]",
+			"",
+			"Re-encrypts stored account and flagged-account secrets using CODEX_AUTH_ENCRYPTION_KEY.",
+			"Optional fallback key can be provided with CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY.",
+			"Use --idempotency-key to make retries safe for automation.",
+		].join("\n"));
+		return 0;
+	}
+
+	const parsed = parseRotateSecretsArgs(args);
+	if (!parsed.ok) {
+		console.error(parsed.message);
+		return 1;
+	}
+	const { json: asJson, idempotencyKey } = parsed.options;
+	let shouldClearPendingIdempotency = false;
+	try {
+		if (idempotencyKey) {
+			const idempotency = await checkAndRecordIdempotencyKey(
+				"codex.auth.rotate-secrets",
+				idempotencyKey,
+			);
+			if (idempotency.replayed) {
+				if (asJson) {
+					console.log(
+						JSON.stringify(
+							maybeRedactJsonOutput({
+								command: "rotate-secrets",
+								schemaVersion: JSON_OUTPUT_SCHEMA_VERSION,
+								rotated: true,
+								replayed: true,
+								accounts: 0,
+								flaggedAccounts: 0,
+								idempotencyKey,
+							}),
+							null,
+							2,
+						),
+					);
+				} else {
+					console.log("Idempotent replay detected; skipping duplicate rotate-secrets execution.");
+				}
+				emitAudit(AuditAction.CONFIG_CHANGE, AuditOutcome.PARTIAL, "rotate-secrets", {
+					replayed: true,
+					idempotencyKey,
+				});
+				return 0;
+			}
+			shouldClearPendingIdempotency = true;
+		}
+
+		const result = await rotateStoredSecretEncryption();
+		if (idempotencyKey) {
+			await markIdempotencySucceeded("codex.auth.rotate-secrets", idempotencyKey);
+			shouldClearPendingIdempotency = false;
+		}
+		emitAudit(AuditAction.CONFIG_CHANGE, AuditOutcome.SUCCESS, "rotate-secrets", {
+			accounts: result.accounts,
+			flaggedAccounts: result.flaggedAccounts,
+			...(idempotencyKey ? { idempotencyKey } : {}),
+		});
+		if (asJson) {
+			console.log(
+				JSON.stringify(
+					maybeRedactJsonOutput({
+						command: "rotate-secrets",
+						schemaVersion: JSON_OUTPUT_SCHEMA_VERSION,
+						rotated: true,
+						accounts: result.accounts,
+						flaggedAccounts: result.flaggedAccounts,
+						replayed: false,
+						...(idempotencyKey ? { idempotencyKey } : {}),
+					}),
+					null,
+					2,
+				),
+			);
+			return 0;
+		}
+		console.log(
+			`Re-encrypted ${result.accounts} account(s) and ${result.flaggedAccounts} flagged account(s).`,
+		);
+		return 0;
+	} catch (error) {
+		const message = error instanceof Error ? error.message : String(error);
+		if (idempotencyKey && shouldClearPendingIdempotency) {
+			try {
+				await clearIdempotencyOnFailure("codex.auth.rotate-secrets", idempotencyKey);
+			} catch {
+				// Best-effort cleanup: do not mask the original rotate failure.
+			}
+		}
+		emitAudit(AuditAction.CONFIG_CHANGE, AuditOutcome.FAILURE, "rotate-secrets", {
+			error: message,
+			...(idempotencyKey ? { idempotencyKey } : {}),
+		});
+		if (asJson) {
+			console.log(
+				JSON.stringify(
+					maybeRedactJsonOutput({
+						command: "rotate-secrets",
+						schemaVersion: JSON_OUTPUT_SCHEMA_VERSION,
+						rotated: false,
+						replayed: false,
+						error: message,
+						...(idempotencyKey ? { idempotencyKey } : {}),
+					}),
+					null,
+					2,
+				),
+			);
+			return 1;
+		}
+		console.error(`Failed to rotate stored secrets: ${message}`);
+		return 1;
+	}
+}
+
 async function clearAccountsAndReset(): Promise<void> {
 	await saveAccounts({
 		version: 3,
@@ -3872,11 +4348,18 @@ async function runSwitch(args: string[]): Promise<number> {
 	const indexArg = args[0];
 	if (!indexArg) {
 		console.error("Missing index. Usage: codex auth switch <index>");
+		emitAudit(AuditAction.ACCOUNT_SWITCH, AuditOutcome.FAILURE, "account-switch", {
+			reason: "missing-index",
+		});
 		return 1;
 	}
 	const parsed = Number.parseInt(indexArg, 10);
 	if (!Number.isFinite(parsed) || parsed < 1) {
 		console.error(`Invalid index: ${indexArg}`);
+		emitAudit(AuditAction.ACCOUNT_SWITCH, AuditOutcome.FAILURE, "account-switch", {
+			reason: "invalid-index",
+			indexArg,
+		});
 		return 1;
 	}
 	const targetIndex = parsed - 1;
@@ -3884,16 +4367,27 @@ async function runSwitch(args: string[]): Promise<number> {
 	const storage = await loadAccounts();
 	if (!storage || storage.accounts.length === 0) {
 		console.error("No accounts configured.");
+		emitAudit(AuditAction.ACCOUNT_SWITCH, AuditOutcome.FAILURE, "account-switch", {
+			reason: "no-accounts",
+		});
 		return 1;
 	}
 	if (targetIndex < 0 || targetIndex >= storage.accounts.length) {
 		console.error(`Index out of range. Valid range: 1-${storage.accounts.length}`);
+		emitAudit(AuditAction.ACCOUNT_SWITCH, AuditOutcome.FAILURE, "account-switch", {
+			reason: "out-of-range",
+			targetIndex: parsed,
+		});
 		return 1;
 	}
 
 	const account = storage.accounts[targetIndex];
 	if (!account) {
 		console.error(`Account ${parsed} not found.`);
+		emitAudit(AuditAction.ACCOUNT_SWITCH, AuditOutcome.FAILURE, "account-switch", {
+			reason: "account-missing",
+			targetIndex: parsed,
+		});
 		return 1;
 	}
 
@@ -3913,7 +4407,10 @@ async function runSwitch(args: string[]): Promise<number> {
 	let syncIdToken: string | undefined;
 
 	if (!hasUsableAccessToken(account, switchNow)) {
-		const refreshResult = await queuedRefresh(account.refreshToken);
+		const refreshResult = await queuedRefreshWithAuthRateLimit(account.refreshToken, {
+			accountId: account.accountId,
+			email: account.email,
+		});
 		if (refreshResult.type === "success") {
 			const tokenAccountId = extractAccountId(refreshResult.access);
 			const nextEmail = sanitizeEmail(extractAccountEmail(refreshResult.access, refreshResult.idToken));
@@ -3965,6 +4462,10 @@ async function runSwitch(args: string[]): Promise<number> {
 	console.log(
 		`Switched to account ${parsed}: ${formatAccountLabel(account, targetIndex)}${wasDisabled ? " (re-enabled)" : ""}`,
 	);
+	emitAudit(AuditAction.ACCOUNT_SWITCH, AuditOutcome.SUCCESS, "account-switch", {
+		targetIndex: parsed,
+		wasDisabled,
+	});
 	return 0;
 }
 
@@ -3993,7 +4494,10 @@ export async function autoSyncActiveAccountToCodex(): Promise<boolean> {
 	let changed = false;
 
 	if (!hasUsableAccessToken(account, now)) {
-		const refreshResult = await queuedRefresh(account.refreshToken);
+		const refreshResult = await queuedRefreshWithAuthRateLimit(account.refreshToken, {
+			accountId: account.accountId,
+			email: account.email,
+		});
 		if (refreshResult.type === "success") {
 			const tokenAccountId = extractAccountId(refreshResult.access);
 			const nextEmail = sanitizeEmail(extractAccountEmail(refreshResult.access, refreshResult.idToken));
@@ -4065,37 +4569,57 @@ export async function runCodexMultiAuthCli(rawArgs: string[]): Promise<number> {
 		return 0;
 	}
 	if (command === "login") {
+		if (!ensureAuthorized("accounts:write", { command, interactive: output.isTTY })) return 1;
 		return runAuthLogin();
 	}
 	if (command === "list" || command === "status") {
-		await showAccountStatus();
-		return 0;
+		if (!ensureAuthorized("accounts:read", { command, interactive: output.isTTY })) return 1;
+		return showAccountStatus(rest);
 	}
 	if (command === "switch") {
+		if (!ensureAuthorized("accounts:write", { command, interactive: output.isTTY })) return 1;
 		return runSwitch(rest);
 	}
 	if (command === "check") {
+		if (!ensureAuthorized("accounts:read", { command, interactive: output.isTTY })) return 1;
 		await runHealthCheck({ liveProbe: true });
 		return 0;
 	}
 	if (command === "features") {
+		if (!ensureAuthorized("accounts:read", { command, interactive: output.isTTY })) return 1;
 		return runFeaturesReport();
 	}
 	if (command === "verify-flagged") {
+		if (!ensureAuthorized("accounts:repair", { command, interactive: output.isTTY })) return 1;
 		return runVerifyFlagged(rest);
 	}
 	if (command === "forecast") {
+		if (!ensureAuthorized("accounts:read", { command, interactive: output.isTTY })) return 1;
 		return runForecast(rest);
 	}
 	if (command === "report") {
+		if (!ensureAuthorized("accounts:read", { command, interactive: output.isTTY })) return 1;
 		return runReport(rest);
 	}
 	if (command === "fix") {
+		if (!ensureAuthorized("accounts:repair", { command, interactive: output.isTTY })) return 1;
 		return runFix(rest);
 	}
 	if (command === "doctor") {
+		if (!ensureAuthorized("accounts:read", { command, interactive: output.isTTY })) return 1;
+		if (rest.includes("--fix") && !ensureAuthorized("accounts:repair", { command, interactive: output.isTTY })) return 1;
 		return runDoctor(rest);
 	}
+	if (command === "rotate-secrets") {
+		if (!ensureAuthorized("secrets:rotate", {
+			command,
+			interactive: output.isTTY,
+			idempotencyKeyPresent: hasOptionFlag(rest, "--idempotency-key"),
+		})) {
+			return 1;
+		}
+		return runRotateSecrets(rest);
+	}
 
 	console.error(`Unknown command: ${command}`);
 	printUsage();
diff --git a/lib/data-redaction.ts b/lib/data-redaction.ts
new file mode 100644
index 0000000..97f8e86
--- /dev/null
+++ b/lib/data-redaction.ts
@@ -0,0 +1,77 @@
+const DEFAULT_REDACT_KEYS = new Set([
+	"token",
+	"access",
+	"accessToken",
+	"refresh",
+	"refreshToken",
+	"idToken",
+	"secret",
+	"password",
+	"authorization",
+	"apiKey",
+	"credential",
+	"email",
+	"accountId",
+]);
+
+function isObjectRecord(value: unknown): value is Record<string, unknown> {
+	return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+
+function shouldRedactKey(key: string): boolean {
+	const normalized = key.replace(/[_-]/g, "").toLowerCase();
+	for (const candidate of DEFAULT_REDACT_KEYS) {
+		if (normalized.includes(candidate.replace(/[_-]/g, "").toLowerCase())) {
+			return true;
+		}
+	}
+	return false;
+}
+
+function shouldRedactStringValue(value: string): boolean {
+	if (value.includes("@")) {
+		return true;
+	}
+	const normalized = value.toLowerCase();
+	return (
+		normalized.includes("token=") ||
+		normalized.includes("access_token") ||
+		normalized.includes("refresh_token") ||
+		normalized.includes("authorization:") ||
+		normalized.includes("api_key") ||
+		normalized.includes("secret")
+	);
+}
+
+export function redactForExternalOutput<T>(value: T): T {
+	const seen = new WeakSet<object>();
+	const visit = (node: unknown): unknown => {
+		if (typeof node === "string") {
+			return shouldRedactStringValue(node) ? "***REDACTED***" : node;
+		}
+		if (Array.isArray(node)) {
+			if (seen.has(node)) {
+				return "[Circular]";
+			}
+			seen.add(node);
+			return node.map((item) => visit(item));
+		}
+		if (!isObjectRecord(node)) {
+			return node;
+		}
+		if (seen.has(node)) {
+			return "[Circular]";
+		}
+		seen.add(node);
+		const next: Record<string, unknown> = {};
+		for (const [key, child] of Object.entries(node)) {
+			if (shouldRedactKey(key)) {
+				next[key] = "***REDACTED***";
+				continue;
+			}
+			next[key] = visit(child);
+		}
+		return next;
+	};
+	return visit(value) as T;
+}
diff --git a/lib/data-retention.ts b/lib/data-retention.ts
new file mode 100644
index 0000000..8b7ae4e
--- /dev/null
+++ b/lib/data-retention.ts
@@ -0,0 +1,146 @@
+import { promises as fs, type Dirent } from "node:fs";
+import { join } from "node:path";
+import { getCodexCacheDir, getCodexLogDir, getCodexMultiAuthDir } from "./runtime-paths.js";
+import { sleep } from "./utils.js";
+
+export interface RetentionPolicy {
+	logDays: number;
+	cacheDays: number;
+	flaggedDays: number;
+	quotaCacheDays: number;
+	dlqDays: number;
+}
+
+const DEFAULT_POLICY: RetentionPolicy = {
+	logDays: 14,
+	cacheDays: 30,
+	flaggedDays: 30,
+	quotaCacheDays: 14,
+	dlqDays: 30,
+};
+const RETRYABLE_RETENTION_CODES = new Set(["EBUSY", "EPERM", "EACCES", "EAGAIN"]);
+
+function isRetryableRetentionError(error: unknown): boolean {
+	const code = (error as NodeJS.ErrnoException).code;
+	return typeof code === "string" && RETRYABLE_RETENTION_CODES.has(code);
+}
+
+async function withRetentionIoRetry<T>(operation: () => Promise<T>): Promise<T> {
+	for (let attempt = 0; attempt < 5; attempt += 1) {
+		try {
+			return await operation();
+		} catch (error) {
+			if (!isRetryableRetentionError(error) || attempt >= 4) {
+				throw error;
+			}
+			await sleep(10 * 2 ** attempt);
+		}
+	}
+	throw new Error("Unreachable retention retry state");
+}
+
+function parseEnvDays(name: string, fallback: number): number {
+	const raw = process.env[name];
+	if (!raw) return fallback;
+	const parsed = Number.parseInt(raw, 10);
+	if (!Number.isFinite(parsed)) return fallback;
+	return Math.max(1, parsed);
+}
+
+export function getRetentionPolicyFromEnv(): RetentionPolicy {
+	return {
+		logDays: parseEnvDays("CODEX_AUTH_RETENTION_LOG_DAYS", DEFAULT_POLICY.logDays),
+		cacheDays: parseEnvDays("CODEX_AUTH_RETENTION_CACHE_DAYS", DEFAULT_POLICY.cacheDays),
+		flaggedDays: parseEnvDays("CODEX_AUTH_RETENTION_FLAGGED_DAYS", DEFAULT_POLICY.flaggedDays),
+		quotaCacheDays: parseEnvDays(
+			"CODEX_AUTH_RETENTION_QUOTA_CACHE_DAYS",
+			DEFAULT_POLICY.quotaCacheDays,
+		),
+		dlqDays: parseEnvDays("CODEX_AUTH_RETENTION_DLQ_DAYS", DEFAULT_POLICY.dlqDays),
+	};
+}
+
+async function pruneDirectoryByAge(path: string, maxAgeMs: number): Promise<number> {
+	let removed = 0;
+	let entries: Dirent<string>[] = [];
+	try {
+		entries = await withRetentionIoRetry(() =>
+			fs.readdir(path, { withFileTypes: true, encoding: "utf8" }),
+		);
+	} catch (error) {
+		const code = (error as NodeJS.ErrnoException).code;
+		if (code === "ENOENT") return 0;
+		throw error;
+	}
+
+	const now = Date.now();
+	for (const entry of entries) {
+		const fullPath = join(path, entry.name);
+		try {
+			if (entry.isDirectory()) {
+				removed += await withRetentionIoRetry(() => pruneDirectoryByAge(fullPath, maxAgeMs));
+				const childEntries = await withRetentionIoRetry(() => fs.readdir(fullPath));
+				if (childEntries.length === 0) {
+					await withRetentionIoRetry(() => fs.rmdir(fullPath));
+				}
+				continue;
+			}
+			if (!entry.isFile()) continue;
+			const stats = await withRetentionIoRetry(() => fs.stat(fullPath));
+			if (now - stats.mtimeMs <= maxAgeMs) continue;
+			await withRetentionIoRetry(() => fs.unlink(fullPath));
+			removed += 1;
+		} catch (error) {
+			const code = (error as NodeJS.ErrnoException).code;
+			if (code === "ENOENT") {
+				continue;
+			}
+			throw error;
+		}
+	}
+	return removed;
+}
+
+async function pruneSingleFile(path: string, maxAgeMs: number): Promise<boolean> {
+	try {
+		const stats = await withRetentionIoRetry(() => fs.stat(path));
+		if (Date.now() - stats.mtimeMs <= maxAgeMs) {
+			return false;
+		}
+		await withRetentionIoRetry(() => fs.unlink(path));
+		return true;
+	} catch (error) {
+		const code = (error as NodeJS.ErrnoException).code;
+		if (code === "ENOENT") return false;
+		throw error;
+	}
+}
+
+export async function enforceDataRetention(
+	policy: RetentionPolicy = getRetentionPolicyFromEnv(),
+): Promise<{ removedLogs: number; removedCacheFiles: number; removedStateFiles: number }> {
+	const removedLogs = await pruneDirectoryByAge(getCodexLogDir(), policy.logDays * 24 * 60 * 60_000);
+	const removedCacheFiles = await pruneDirectoryByAge(
+		getCodexCacheDir(),
+		policy.cacheDays * 24 * 60 * 60_000,
+	);
+	const root = getCodexMultiAuthDir();
+	const removedFlagged = await pruneSingleFile(
+		join(root, "openai-codex-flagged-accounts.json"),
+		policy.flaggedDays * 24 * 60 * 60_000,
+	);
+	const removedQuota = await pruneSingleFile(
+		join(root, "quota-cache.json"),
+		policy.quotaCacheDays * 24 * 60 * 60_000,
+	);
+	const removedDlq = await pruneSingleFile(
+		join(root, "background-job-dlq.jsonl"),
+		policy.dlqDays * 24 * 60 * 60_000,
+	);
+
+	return {
+		removedLogs,
+		removedCacheFiles,
+		removedStateFiles: (removedFlagged ? 1 : 0) + (removedQuota ? 1 : 0) + (removedDlq ? 1 : 0),
+	};
+}
diff --git a/lib/file-lock.ts b/lib/file-lock.ts
new file mode 100644
index 0000000..f41c76f
--- /dev/null
+++ b/lib/file-lock.ts
@@ -0,0 +1,287 @@
+import {
+	openSync,
+	writeFileSync,
+	closeSync,
+	readFileSync,
+	unlinkSync,
+	statSync,
+	promises as fs,
+} from "node:fs";
+
+export interface FileLockOptions {
+	maxAttempts?: number;
+	baseDelayMs?: number;
+	maxDelayMs?: number;
+	staleAfterMs?: number;
+}
+
+export interface FileLockHandle {
+	path: string;
+	release: () => Promise<void>;
+}
+
+export interface FileLockSyncHandle {
+	path: string;
+	release: () => void;
+}
+
+const DEFAULT_MAX_ATTEMPTS = 60;
+const DEFAULT_BASE_DELAY_MS = 25;
+const DEFAULT_MAX_DELAY_MS = 1_000;
+const DEFAULT_STALE_AFTER_MS = 5 * 60_000;
+const RETRYABLE_CODES = new Set(["EEXIST", "EBUSY", "EPERM"]);
+const LOCK_FILE_ENCODING: BufferEncoding = "utf8";
+
+interface LockFileMetadata {
+	pid: number;
+	acquiredAt: number;
+	token: string;
+}
+
+function sleep(ms: number): Promise<void> {
+	return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+function getRetryDelayMs(
+	attempt: number,
+	baseDelayMs: number,
+	maxDelayMs: number,
+): number {
+	const backoff = Math.min(maxDelayMs, baseDelayMs * 2 ** Math.min(attempt, 8));
+	const jitter = Math.floor(backoff * 0.15 * Math.random());
+	return Math.max(baseDelayMs, backoff - jitter);
+}
+
+function createLockToken(): string {
+	return `${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2, 10)}`;
+}
+
+function serializeLockMetadata(token: string): string {
+	const metadata: LockFileMetadata = {
+		pid: process.pid,
+		acquiredAt: Date.now(),
+		token,
+	};
+	return `${JSON.stringify(metadata)}\n`;
+}
+
+function parseLockToken(content: string): string | null {
+	const trimmed = content.trim();
+	if (!trimmed) {
+		return null;
+	}
+	try {
+		const parsed = JSON.parse(trimmed) as Record<string, unknown>;
+		return typeof parsed.token === "string" && parsed.token.length > 0 ? parsed.token : null;
+	} catch {
+		return null;
+	}
+}
+
+async function isOwnedLockFile(path: string, expectedToken: string): Promise<boolean> {
+	let content: string;
+	try {
+		content = await fs.readFile(path, LOCK_FILE_ENCODING);
+	} catch (error) {
+		const code = (error as NodeJS.ErrnoException).code;
+		if (code === "ENOENT") {
+			return false;
+		}
+		throw error;
+	}
+	const token = parseLockToken(content);
+	return token === expectedToken;
+}
+
+function isOwnedLockFileSync(path: string, expectedToken: string): boolean {
+	let content: string;
+	try {
+		content = readFileSync(path, LOCK_FILE_ENCODING);
+	} catch (error) {
+		const code = (error as NodeJS.ErrnoException).code;
+		if (code === "ENOENT") {
+			return false;
+		}
+		throw error;
+	}
+	const token = parseLockToken(content);
+	return token === expectedToken;
+}
+
+async function removeIfStale(path: string, staleAfterMs: number): Promise<boolean> {
+	try {
+		const stats = await fs.stat(path);
+		if (Date.now() - stats.mtimeMs <= staleAfterMs) {
+			return false;
+		}
+		await fs.unlink(path);
+		return true;
+	} catch (error) {
+		const code = (error as NodeJS.ErrnoException).code;
+		if (code === "ENOENT") {
+			return true;
+		}
+		return false;
+	}
+}
+
+export async function acquireFileLock(
+	path: string,
+	options: FileLockOptions = {},
+): Promise<FileLockHandle> {
+	const maxAttempts = Math.max(1, Math.floor(options.maxAttempts ?? DEFAULT_MAX_ATTEMPTS));
+	const baseDelayMs = Math.max(5, Math.floor(options.baseDelayMs ?? DEFAULT_BASE_DELAY_MS));
+	const maxDelayMs = Math.max(baseDelayMs, Math.floor(options.maxDelayMs ?? DEFAULT_MAX_DELAY_MS));
+	const staleAfterMs = Math.max(1_000, Math.floor(options.staleAfterMs ?? DEFAULT_STALE_AFTER_MS));
+
+	for (let attempt = 0; attempt < maxAttempts; attempt += 1) {
+		try {
+			const handle = await fs.open(path, "wx", 0o600);
+			const token = createLockToken();
+			let writeError: unknown;
+			let closeError: unknown;
+			try {
+				await handle.writeFile(serializeLockMetadata(token), LOCK_FILE_ENCODING);
+			} catch (error) {
+				writeError = error;
+			}
+			try {
+				await handle.close();
+			} catch (error) {
+				closeError = error;
+			}
+			if (writeError !== undefined) {
+				throw writeError;
+			}
+			if (closeError !== undefined) {
+				throw closeError;
+			}
+			let released = false;
+			return {
+				path,
+				release: async () => {
+					if (released) return;
+					released = true;
+					try {
+						const owned = await isOwnedLockFile(path, token);
+						if (!owned) {
+							return;
+						}
+						await fs.unlink(path);
+					} catch (error) {
+						const code = (error as NodeJS.ErrnoException).code;
+						if (code !== "ENOENT") {
+							throw error;
+						}
+					}
+				},
+			};
+		} catch (error) {
+			const code = (error as NodeJS.ErrnoException).code ?? "UNKNOWN";
+			if (!RETRYABLE_CODES.has(code)) {
+				throw error;
+			}
+			const removed = await removeIfStale(path, staleAfterMs);
+			if (removed) {
+				continue;
+			}
+			if (attempt >= maxAttempts - 1) {
+				throw error;
+			}
+			await sleep(getRetryDelayMs(attempt, baseDelayMs, maxDelayMs));
+		}
+	}
+
+	throw new Error(`Failed to acquire lock: ${path}`);
+}
+
+function removeIfStaleSync(path: string, staleAfterMs: number): boolean {
+	try {
+		const stats = statSync(path);
+		if (Date.now() - stats.mtimeMs <= staleAfterMs) {
+			return false;
+		}
+		unlinkSync(path);
+		return true;
+	} catch (error) {
+		const code = (error as NodeJS.ErrnoException).code;
+		if (code === "ENOENT") {
+			return true;
+		}
+		return false;
+	}
+}
+
+export function acquireFileLockSync(
+	path: string,
+	options: FileLockOptions = {},
+): FileLockSyncHandle {
+	const maxAttempts = Math.max(1, Math.floor(options.maxAttempts ?? DEFAULT_MAX_ATTEMPTS));
+	const baseDelayMs = Math.max(5, Math.floor(options.baseDelayMs ?? DEFAULT_BASE_DELAY_MS));
+	const maxDelayMs = Math.max(baseDelayMs, Math.floor(options.maxDelayMs ?? DEFAULT_MAX_DELAY_MS));
+	const staleAfterMs = Math.max(1_000, Math.floor(options.staleAfterMs ?? DEFAULT_STALE_AFTER_MS));
+
+	for (let attempt = 0; attempt < maxAttempts; attempt += 1) {
+		try {
+			const fd = openSync(path, "wx", 0o600);
+			const token = createLockToken();
+			let writeError: unknown;
+			let closeError: unknown;
+			try {
+				writeFileSync(fd, serializeLockMetadata(token), LOCK_FILE_ENCODING);
+			} catch (error) {
+				writeError = error;
+			}
+			try {
+				closeSync(fd);
+			} catch (error) {
+				closeError = error;
+			}
+			if (writeError !== undefined) {
+				throw writeError;
+			}
+			if (closeError !== undefined) {
+				throw closeError;
+			}
+			let released = false;
+			return {
+				path,
+				release: () => {
+					if (released) return;
+					released = true;
+					try {
+						const owned = isOwnedLockFileSync(path, token);
+						if (!owned) {
+							return;
+						}
+						unlinkSync(path);
+					} catch (error) {
+						const code = (error as NodeJS.ErrnoException).code;
+						if (code !== "ENOENT") {
+							throw error;
+						}
+					}
+				},
+			};
+		} catch (error) {
+			const code = (error as NodeJS.ErrnoException).code ?? "UNKNOWN";
+			if (!RETRYABLE_CODES.has(code)) {
+				throw error;
+			}
+			const removed = removeIfStaleSync(path, staleAfterMs);
+			if (removed) {
+				continue;
+			}
+			if (attempt >= maxAttempts - 1) {
+				throw error;
+			}
+			Atomics.wait(
+				new Int32Array(new SharedArrayBuffer(4)),
+				0,
+				0,
+				getRetryDelayMs(attempt, baseDelayMs, maxDelayMs),
+			);
+		}
+	}
+	throw new Error(`Failed to acquire lock: ${path}`);
+}
diff --git a/lib/idempotency.ts b/lib/idempotency.ts
new file mode 100644
index 0000000..d951c60
--- /dev/null
+++ b/lib/idempotency.ts
@@ -0,0 +1,249 @@
+import { promises as fs } from "node:fs";
+import { dirname, join } from "node:path";
+import { getCodexMultiAuthDir } from "./runtime-paths.js";
+import { acquireFileLock } from "./file-lock.js";
+
+const IDEMPOTENCY_PATH = join(getCodexMultiAuthDir(), "idempotency-keys.json");
+const IDEMPOTENCY_LOCK_PATH = `${IDEMPOTENCY_PATH}.lock`;
+const IDEMPOTENCY_TTL_MS = 24 * 60 * 60_000;
+const RETRYABLE_FS_CODES = new Set(["EBUSY", "EPERM", "EAGAIN", "ETIMEDOUT", "EACCES"]);
+const MAX_FS_IO_ATTEMPTS = 5;
+const BASE_RETRY_DELAY_MS = 10;
+
+type IdempotencyStatus = "pending" | "succeeded";
+
+interface IdempotencyEntry {
+	scope: string;
+	key: string;
+	createdAtMs: number;
+	status: IdempotencyStatus;
+}
+
+interface IdempotencyFile {
+	version: 1;
+	entries: IdempotencyEntry[];
+}
+
+const EMPTY_FILE: IdempotencyFile = {
+	version: 1,
+	entries: [],
+};
+
+function getRetryDelayMs(attempt: number): number {
+	return BASE_RETRY_DELAY_MS * 2 ** Math.max(0, attempt - 1);
+}
+
+function isRetryableFsError(error: unknown): boolean {
+	const code = (error as NodeJS.ErrnoException | undefined)?.code;
+	return typeof code === "string" && RETRYABLE_FS_CODES.has(code);
+}
+
+async function sleep(ms: number): Promise<void> {
+	await new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+async function withRetryableFsIo<T>(operation: () => Promise<T>): Promise<T> {
+	let lastError: unknown;
+	for (let attempt = 1; attempt <= MAX_FS_IO_ATTEMPTS; attempt += 1) {
+		try {
+			return await operation();
+		} catch (error) {
+			lastError = error;
+			if (!isRetryableFsError(error) || attempt >= MAX_FS_IO_ATTEMPTS) {
+				throw error;
+			}
+			await sleep(getRetryDelayMs(attempt));
+		}
+	}
+	throw lastError instanceof Error ? lastError : new Error("Idempotency filesystem retry exhausted");
+}
+
+function normalizeFile(value: unknown): IdempotencyFile {
+	if (!value || typeof value !== "object") return EMPTY_FILE;
+	const record = value as Record<string, unknown>;
+	if (record.version !== 1 || !Array.isArray(record.entries)) return EMPTY_FILE;
+	const entries = record.entries
+		.filter((entry): entry is Record<string, unknown> => !!entry && typeof entry === "object")
+		.map((entry) => {
+			const scope = typeof entry.scope === "string" ? entry.scope.trim() : "";
+			const key = typeof entry.key === "string" ? entry.key.trim() : "";
+			const createdAtMs =
+				typeof entry.createdAtMs === "number" && Number.isFinite(entry.createdAtMs)
+					? entry.createdAtMs
+					: 0;
+			const status: IdempotencyStatus =
+				entry.status === "pending" || entry.status === "succeeded"
+					? entry.status
+					: "succeeded";
+			return { scope, key, createdAtMs, status };
+		})
+		.filter((entry) => entry.scope.length > 0 && entry.key.length > 0 && entry.createdAtMs > 0);
+	return {
+		version: 1,
+		entries,
+	};
+}
+
+async function loadFile(): Promise<IdempotencyFile> {
+	try {
+		const raw = await withRetryableFsIo(() => fs.readFile(IDEMPOTENCY_PATH, "utf8"));
+		return normalizeFile(JSON.parse(raw) as unknown);
+	} catch (error) {
+		const code = (error as NodeJS.ErrnoException | undefined)?.code;
+		if (code === "ENOENT") return { ...EMPTY_FILE };
+		throw error;
+	}
+}
+
+async function saveFile(file: IdempotencyFile): Promise<void> {
+	await withRetryableFsIo(() => fs.mkdir(dirname(IDEMPOTENCY_PATH), { recursive: true }));
+	const tempPath = `${IDEMPOTENCY_PATH}.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2, 8)}.tmp`;
+	await withRetryableFsIo(() =>
+		fs.writeFile(tempPath, `${JSON.stringify(file, null, 2)}\n`, {
+			encoding: "utf8",
+			mode: 0o600,
+		}),
+	);
+	try {
+		await withRetryableFsIo(() => fs.rename(tempPath, IDEMPOTENCY_PATH));
+	} finally {
+		try {
+			await withRetryableFsIo(() => fs.unlink(tempPath));
+		} catch {
+			// Best-effort temp cleanup.
+		}
+	}
+}
+
+function pruneExpired(entries: IdempotencyEntry[], nowMs: number, ttlMs: number): IdempotencyEntry[] {
+	const cutoff = nowMs - ttlMs;
+	return entries.filter((entry) => entry.createdAtMs >= cutoff);
+}
+
+export function getIdempotencyStorePath(): string {
+	return IDEMPOTENCY_PATH;
+}
+
+async function withIdempotencyFileLock<T>(handler: () => Promise<T>): Promise<T> {
+	await withRetryableFsIo(() => fs.mkdir(dirname(IDEMPOTENCY_PATH), { recursive: true }));
+	const lock = await acquireFileLock(IDEMPOTENCY_LOCK_PATH, {
+		maxAttempts: 80,
+		baseDelayMs: 15,
+		maxDelayMs: 800,
+		staleAfterMs: 120_000,
+	});
+	try {
+		return await handler();
+	} finally {
+		await lock.release();
+	}
+}
+
+function isMatchingEntry(entry: IdempotencyEntry, scope: string, key: string): boolean {
+	return entry.scope === scope && entry.key === key;
+}
+
+async function mutateEntries(
+	ttlMs: number,
+	mutator: (entries: IdempotencyEntry[], nowMs: number) => IdempotencyEntry[],
+): Promise<void> {
+	await withIdempotencyFileLock(async () => {
+		const nowMs = Date.now();
+		const file = await loadFile();
+		const entries = pruneExpired(file.entries, nowMs, Math.max(1, ttlMs));
+		const nextEntries = mutator(entries, nowMs);
+		await saveFile({ version: 1, entries: nextEntries });
+	});
+}
+
+export async function checkAndRecordIdempotencyKey(
+	scope: string,
+	key: string,
+	ttlMs = IDEMPOTENCY_TTL_MS,
+): Promise<{ replayed: boolean }> {
+	const normalizedScope = scope.trim();
+	const normalizedKey = key.trim();
+	if (normalizedScope.length === 0) {
+		throw new Error("Idempotency scope is required");
+	}
+	if (normalizedKey.length === 0) {
+		throw new Error("Idempotency key is required");
+	}
+
+	return withIdempotencyFileLock(async () => {
+		const nowMs = Date.now();
+		const file = await loadFile();
+		const entries = pruneExpired(file.entries, nowMs, Math.max(1, ttlMs));
+		const replayed = entries.some(
+			(entry) =>
+				isMatchingEntry(entry, normalizedScope, normalizedKey) &&
+				(entry.status === "pending" || entry.status === "succeeded"),
+		);
+		if (!replayed) {
+			entries.push({
+				scope: normalizedScope,
+				key: normalizedKey,
+				createdAtMs: nowMs,
+				status: "pending",
+			});
+		}
+		await saveFile({ version: 1, entries });
+		return { replayed };
+	});
+}
+
+export async function markIdempotencySucceeded(
+	scope: string,
+	key: string,
+	ttlMs = IDEMPOTENCY_TTL_MS,
+): Promise<void> {
+	const normalizedScope = scope.trim();
+	const normalizedKey = key.trim();
+	if (normalizedScope.length === 0 || normalizedKey.length === 0) {
+		return;
+	}
+	await mutateEntries(ttlMs, (entries, nowMs) => {
+		let updated = false;
+		const next: IdempotencyEntry[] = entries.map((entry): IdempotencyEntry => {
+			if (!isMatchingEntry(entry, normalizedScope, normalizedKey)) {
+				return entry;
+			}
+			updated = true;
+			return {
+				...entry,
+				status: "succeeded",
+				createdAtMs: nowMs,
+			};
+		});
+		if (!updated) {
+			next.push({
+				scope: normalizedScope,
+				key: normalizedKey,
+				createdAtMs: nowMs,
+				status: "succeeded",
+			});
+		}
+		return next;
+	});
+}
+
+export async function clearIdempotencyOnFailure(
+	scope: string,
+	key: string,
+	ttlMs = IDEMPOTENCY_TTL_MS,
+): Promise<void> {
+	const normalizedScope = scope.trim();
+	const normalizedKey = key.trim();
+	if (normalizedScope.length === 0 || normalizedKey.length === 0) {
+		return;
+	}
+	await mutateEntries(ttlMs, (entries) =>
+		entries.filter(
+			(entry) =>
+				!(
+					isMatchingEntry(entry, normalizedScope, normalizedKey) &&
+					entry.status === "pending"
+				),
+		),
+	);
+}
diff --git a/lib/index.ts b/lib/index.ts
index 0e25984..907380b 100644
--- a/lib/index.ts
+++ b/lib/index.ts
@@ -29,3 +29,10 @@ export * from "./codex-cli/state.js";
 export * from "./codex-cli/sync.js";
 export * from "./codex-cli/writer.js";
 export * from "./codex-cli/observability.js";
+export * from "./file-lock.js";
+export * from "./secrets-crypto.js";
+export * from "./data-retention.js";
+export * from "./data-redaction.js";
+export * from "./authorization.js";
+export * from "./background-jobs.js";
+export * from "./idempotency.js";
diff --git a/lib/quota-cache.ts b/lib/quota-cache.ts
index 9870a2b..b994f66 100644
--- a/lib/quota-cache.ts
+++ b/lib/quota-cache.ts
@@ -3,6 +3,7 @@ import { basename, join } from "node:path";
 import { logWarn } from "./logger.js";
 import { getCodexMultiAuthDir } from "./runtime-paths.js";
 import { isRecord, sleep } from "./utils.js";
+import { acquireFileLock } from "./file-lock.js";
 
 export interface QuotaCacheWindow {
 	usedPercent?: number;
@@ -31,6 +32,7 @@ interface QuotaCacheFile {
 }
 
 const QUOTA_CACHE_PATH = join(getCodexMultiAuthDir(), "quota-cache.json");
+const QUOTA_CACHE_LOCK_PATH = `${QUOTA_CACHE_PATH}.lock`;
 const QUOTA_CACHE_LABEL = basename(QUOTA_CACHE_PATH);
 const RETRYABLE_FS_CODES = new Set(["EBUSY", "EPERM"]);
 
@@ -225,31 +227,42 @@ export async function saveQuotaCache(data: QuotaCacheData): Promise<void> {
 
 	try {
 		await fs.mkdir(getCodexMultiAuthDir(), { recursive: true });
-		const tempPath = `${QUOTA_CACHE_PATH}.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2, 8)}.tmp`;
-		await fs.writeFile(tempPath, `${JSON.stringify(payload, null, 2)}\n`, {
-			encoding: "utf8",
-			mode: 0o600,
+		// Integration coverage for concurrent writers lives in test/quota-cache.test.ts.
+		const lock = await acquireFileLock(QUOTA_CACHE_LOCK_PATH, {
+			maxAttempts: 80,
+			baseDelayMs: 15,
+			maxDelayMs: 800,
+			staleAfterMs: 120_000,
 		});
-		let renamed = false;
 		try {
-			for (let attempt = 0; attempt < 5; attempt += 1) {
-				try {
-					await fs.rename(tempPath, QUOTA_CACHE_PATH);
-					renamed = true;
-					break;
-				} catch (error) {
-					if (!isRetryableFsError(error) || attempt >= 4) throw error;
-					await sleep(10 * 2 ** attempt);
+			const tempPath = `${QUOTA_CACHE_PATH}.${process.pid}.${Date.now()}.${Math.random().toString(36).slice(2, 8)}.tmp`;
+			await fs.writeFile(tempPath, `${JSON.stringify(payload, null, 2)}\n`, {
+				encoding: "utf8",
+				mode: 0o600,
+			});
+			let renamed = false;
+			try {
+				for (let attempt = 0; attempt < 5; attempt += 1) {
+					try {
+						await fs.rename(tempPath, QUOTA_CACHE_PATH);
+						renamed = true;
+						break;
+					} catch (error) {
+						if (!isRetryableFsError(error) || attempt >= 4) throw error;
+						await sleep(10 * 2 ** attempt);
+					}
 				}
-			}
-		} finally {
-			if (!renamed) {
-				try {
-					await fs.unlink(tempPath);
-				} catch {
-					// Best effort temp cleanup.
+			} finally {
+				if (!renamed) {
+					try {
+						await fs.unlink(tempPath);
+					} catch {
+						// Best effort temp cleanup.
+					}
 				}
 			}
+		} finally {
+			await lock.release();
 		}
 	} catch (error) {
 		logWarn(
diff --git a/lib/secrets-crypto.ts b/lib/secrets-crypto.ts
new file mode 100644
index 0000000..8a1a5cd
--- /dev/null
+++ b/lib/secrets-crypto.ts
@@ -0,0 +1,192 @@
+import {
+	createCipheriv,
+	createDecipheriv,
+	createHash,
+	randomBytes,
+	scryptSync,
+} from "node:crypto";
+
+const ENCRYPTED_PREFIX = "enc:";
+const LEGACY_ENCRYPTED_VERSION = "v1";
+const ENCRYPTED_VERSION = "v2";
+const AES_KEY_LENGTH = 32;
+const AES_GCM_IV_LENGTH = 12;
+const AES_GCM_TAG_LENGTH = 16;
+const SCRYPT_SALT_LENGTH = 16;
+const MIN_KEY_MATERIAL_BYTES = 32;
+
+export interface SecretEncryptionKeys {
+	primary: string | null;
+	previous: string | null;
+}
+
+function deriveLegacyAesKey(input: string): Buffer {
+	return createHash("sha256").update(input, "utf8").digest();
+}
+
+function deriveAesKey(input: string, salt: Buffer): Buffer {
+	return scryptSync(input, salt, AES_KEY_LENGTH);
+}
+
+type SecretEnvelope = {
+	version: "v1";
+	iv: Buffer;
+	tag: Buffer;
+	ciphertext: Buffer;
+	salt: null;
+} | {
+	version: "v2";
+	iv: Buffer;
+	tag: Buffer;
+	ciphertext: Buffer;
+	salt: Buffer;
+};
+
+function decodeBase64Part(value: string): Buffer | null {
+	try {
+		const decoded = Buffer.from(value, "base64");
+		return decoded.length > 0 ? decoded : null;
+	} catch {
+		return null;
+	}
+}
+
+function parseEnvelope(value: string): SecretEnvelope | null {
+	if (!value.startsWith(ENCRYPTED_PREFIX)) return null;
+	const payload = value.slice(ENCRYPTED_PREFIX.length);
+	const versionSeparator = payload.indexOf(":");
+	if (versionSeparator <= 0 || versionSeparator === payload.length - 1) return null;
+	const versionPart = payload.slice(0, versionSeparator);
+	const remainder = payload.slice(versionSeparator + 1);
+
+	if (versionPart === LEGACY_ENCRYPTED_VERSION) {
+		const [ivPart, tagPart, cipherPart] = remainder.split(":", 3);
+		if (!ivPart || !tagPart || !cipherPart) return null;
+		const iv = decodeBase64Part(ivPart);
+		const tag = decodeBase64Part(tagPart);
+		const ciphertext = decodeBase64Part(cipherPart);
+		if (!iv || !tag || !ciphertext) return null;
+		if (iv.length !== AES_GCM_IV_LENGTH) return null;
+		if (tag.length !== AES_GCM_TAG_LENGTH) return null;
+		return {
+			version: "v1",
+			iv,
+			tag,
+			ciphertext,
+			salt: null,
+		};
+	}
+
+	if (versionPart === ENCRYPTED_VERSION) {
+		const [saltPart, ivPart, tagPart, cipherPart] = remainder.split(":", 4);
+		if (!saltPart || !ivPart || !tagPart || !cipherPart) return null;
+		const salt = decodeBase64Part(saltPart);
+		const iv = decodeBase64Part(ivPart);
+		const tag = decodeBase64Part(tagPart);
+		const ciphertext = decodeBase64Part(cipherPart);
+		if (!salt || !iv || !tag || !ciphertext) return null;
+		if (salt.length !== SCRYPT_SALT_LENGTH) return null;
+		if (iv.length !== AES_GCM_IV_LENGTH) return null;
+		if (tag.length !== AES_GCM_TAG_LENGTH) return null;
+		return {
+			version: "v2",
+			salt,
+			iv,
+			tag,
+			ciphertext,
+		};
+	}
+
+	return null;
+}
+
+export function isEncryptedSecret(value: string): boolean {
+	return value.startsWith(`${ENCRYPTED_PREFIX}${LEGACY_ENCRYPTED_VERSION}:`)
+		|| value.startsWith(`${ENCRYPTED_PREFIX}${ENCRYPTED_VERSION}:`);
+}
+
+export function encryptSecret(value: string, keyMaterial: string): string {
+	if (!value) return value;
+	if (parseEnvelope(value)) return value;
+
+	const salt = randomBytes(SCRYPT_SALT_LENGTH);
+	const key = deriveAesKey(keyMaterial, salt);
+	const iv = randomBytes(AES_GCM_IV_LENGTH);
+	const cipher = createCipheriv("aes-256-gcm", key, iv);
+	const encrypted = Buffer.concat([
+		cipher.update(Buffer.from(value, "utf8")),
+		cipher.final(),
+	]);
+	const tag = cipher.getAuthTag();
+	return `${ENCRYPTED_PREFIX}${ENCRYPTED_VERSION}:${salt.toString("base64")}:${iv.toString("base64")}:${tag.toString("base64")}:${encrypted.toString("base64")}`;
+}
+
+export function decryptSecret(
+	value: string,
+	keys: SecretEncryptionKeys,
+): { value: string; usedPreviousKey: boolean } {
+	const envelope = parseEnvelope(value);
+	if (!envelope) {
+		return { value, usedPreviousKey: false };
+	}
+
+	const tryDecrypt = (keyMaterial: string | null): string | null => {
+		if (!keyMaterial) return null;
+		try {
+			const key = envelope.version === "v1"
+				? deriveLegacyAesKey(keyMaterial)
+				: deriveAesKey(keyMaterial, envelope.salt);
+			const decipher = createDecipheriv("aes-256-gcm", key, envelope.iv);
+			decipher.setAuthTag(envelope.tag);
+			const decrypted = Buffer.concat([
+				decipher.update(envelope.ciphertext),
+				decipher.final(),
+			]);
+			return decrypted.toString("utf8");
+		} catch {
+			return null;
+		}
+	};
+
+	const withPrimary = tryDecrypt(keys.primary);
+	if (withPrimary !== null) {
+		return { value: withPrimary, usedPreviousKey: false };
+	}
+
+	const withPrevious = tryDecrypt(keys.previous);
+	if (withPrevious !== null) {
+		return { value: withPrevious, usedPreviousKey: true };
+	}
+
+	throw new Error("Unable to decrypt secret with configured keys");
+}
+
+function getTrimmedEnv(name: string): string | null {
+	const raw = (process.env[name] ?? "").trim();
+	return raw.length > 0 ? raw : null;
+}
+
+function validateEnvKeyMaterial(value: string | null, envName: string): string | null {
+	if (!value) return null;
+	if (Buffer.byteLength(value, "utf8") < MIN_KEY_MATERIAL_BYTES) {
+		throw new Error(
+			`${envName} must contain at least ${MIN_KEY_MATERIAL_BYTES} bytes of key material`,
+		);
+	}
+	return value;
+}
+
+export function getSecretEncryptionKeysFromEnv(): SecretEncryptionKeys {
+	const primary = validateEnvKeyMaterial(
+		getTrimmedEnv("CODEX_AUTH_ENCRYPTION_KEY"),
+		"CODEX_AUTH_ENCRYPTION_KEY",
+	);
+	const previous = validateEnvKeyMaterial(
+		getTrimmedEnv("CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY"),
+		"CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY",
+	);
+	return {
+		primary,
+		previous,
+	};
+}
diff --git a/lib/storage.ts b/lib/storage.ts
index 3453a42..2bc3d09 100644
--- a/lib/storage.ts
+++ b/lib/storage.ts
@@ -3,8 +3,16 @@ import { basename, dirname, join } from "node:path";
 import { createHash } from "node:crypto";
 import { ACCOUNT_LIMITS } from "./constants.js";
 import { createLogger } from "./logger.js";
+import { acquireFileLock } from "./file-lock.js";
 import { MODEL_FAMILIES, type ModelFamily } from "./prompts/codex.js";
 import { AnyAccountStorageSchema, getValidationErrors } from "./schemas.js";
+import {
+	decryptSecret,
+	encryptSecret,
+	getSecretEncryptionKeysFromEnv,
+	isEncryptedSecret,
+	type SecretEncryptionKeys,
+} from "./secrets-crypto.js";
 import {
 	getConfigDir,
 	getProjectConfigDir,
@@ -34,9 +42,17 @@ const ACCOUNTS_WAL_SUFFIX = ".wal";
 const ACCOUNTS_BACKUP_HISTORY_DEPTH = 3;
 const BACKUP_COPY_MAX_ATTEMPTS = 5;
 const BACKUP_COPY_BASE_DELAY_MS = 10;
+const ACCOUNT_STORAGE_LOCK_OPTIONS = {
+	maxAttempts: 80,
+	baseDelayMs: 15,
+	maxDelayMs: 800,
+	staleAfterMs: 120_000,
+} as const;
+const STORAGE_DECRYPT_ERROR_CODE = "EDECRYPT";
 
 let storageBackupEnabled = true;
 let lastAccountsSaveTimestamp = 0;
+const missingEncryptionKeyWarnings = new Set<string>();
 
 export interface FlaggedAccountMetadataV1 extends AccountMetadataV3 {
 	flaggedAt: number;
@@ -114,6 +130,79 @@ type AccountLike = {
   lastUsed?: number;
 };
 
+function getConfiguredSecretKeys(): SecretEncryptionKeys {
+	return getSecretEncryptionKeysFromEnv();
+}
+
+function warnMissingEncryptionKeyOnce(fieldName: string): void {
+	const message = `Encrypted ${fieldName} detected but CODEX_AUTH_ENCRYPTION_KEY is not configured`;
+	if (missingEncryptionKeyWarnings.has(message)) return;
+	missingEncryptionKeyWarnings.add(message);
+	log.warn(message);
+}
+
+function decryptStorageSecret(value: string, fieldName: string): { value: string; usedPreviousKey: boolean } {
+	if (!isEncryptedSecret(value)) {
+		return { value, usedPreviousKey: false };
+	}
+
+	const keys = getConfiguredSecretKeys();
+	if (!keys.primary && !keys.previous) {
+		warnMissingEncryptionKeyOnce(fieldName);
+		throw new Error(`Encrypted ${fieldName} cannot be read without CODEX_AUTH_ENCRYPTION_KEY`);
+	}
+	return decryptSecret(value, keys);
+}
+
+function encryptStorageSecret(value: string): string {
+	if (!value) return value;
+	const keys = getConfiguredSecretKeys();
+	if (!keys.primary) return value;
+	return encryptSecret(value, keys.primary);
+}
+
+function decryptAccountSensitiveFields(account: AccountMetadataV3): AccountMetadataV3 {
+	const refreshResult = decryptStorageSecret(account.refreshToken, "refresh token");
+	const accessResult =
+		typeof account.accessToken === "string" && account.accessToken.length > 0
+			? decryptStorageSecret(account.accessToken, "access token")
+			: null;
+
+	return {
+		...account,
+		refreshToken: refreshResult.value,
+		...(accessResult ? { accessToken: accessResult.value } : {}),
+	};
+}
+
+function toStorageDecryptError(cause: unknown): NodeJS.ErrnoException {
+	const message = "Failed to decrypt account storage";
+	const error = new Error(
+		message,
+		cause instanceof Error ? { cause } : undefined,
+	) as NodeJS.ErrnoException;
+	error.code = STORAGE_DECRYPT_ERROR_CODE;
+	return error;
+}
+
+function encryptAccountSensitiveFields(account: AccountMetadataV3): AccountMetadataV3 {
+	return {
+		...account,
+		refreshToken: encryptStorageSecret(account.refreshToken),
+		...(typeof account.accessToken === "string" && account.accessToken.length > 0
+			? { accessToken: encryptStorageSecret(account.accessToken) }
+			: {}),
+	};
+}
+
+function cloneStorageForPersist(storage: AccountStorageV3): AccountStorageV3 {
+	return {
+		...storage,
+		accounts: storage.accounts.map((account) => encryptAccountSensitiveFields({ ...account })),
+		activeIndexByFamily: storage.activeIndexByFamily ? { ...storage.activeIndexByFamily } : {},
+	};
+}
+
 function looksLikeSyntheticFixtureAccount(account: AccountMetadataV3): boolean {
 	const email = typeof account.email === "string" ? account.email.trim().toLowerCase() : "";
 	const refreshToken =
@@ -236,6 +325,20 @@ function getAccountsWalPath(path: string): string {
 	return `${path}${ACCOUNTS_WAL_SUFFIX}`;
 }
 
+function getAccountsLockPath(path: string): string {
+	return `${path}.lock`;
+}
+
+async function withAccountFileLock<T>(path: string, fn: () => Promise<T>): Promise<T> {
+	await fs.mkdir(dirname(path), { recursive: true });
+	const lock = await acquireFileLock(getAccountsLockPath(path), ACCOUNT_STORAGE_LOCK_OPTIONS);
+	try {
+		return await fn();
+	} finally {
+		await lock.release();
+	}
+}
+
 async function copyFileWithRetry(
 	sourcePath: string,
 	destinationPath: string,
@@ -723,6 +826,14 @@ function clampIndex(index: number, length: number): number {
   return Math.max(0, Math.min(index, length - 1));
 }
 
+function isStoredAccountCandidate(account: unknown): account is AccountMetadataV3 {
+	return (
+		isRecord(account) &&
+		typeof account.refreshToken === "string" &&
+		account.refreshToken.trim().length > 0
+	);
+}
+
 function toAccountKey(account: Pick<AccountMetadataV3, "accountId" | "refreshToken">): string {
   return account.accountId || account.refreshToken;
 }
@@ -782,10 +893,17 @@ export function normalizeAccountStorage(data: unknown): AccountStorageV3 | null
       ? migrateV1ToV3(data as unknown as AccountStorageV1)
       : (data as unknown as AccountStorageV3);
 
-  const validAccounts = rawAccounts.filter(
-    (account): account is AccountMetadataV3 =>
-      isRecord(account) && typeof account.refreshToken === "string" && !!account.refreshToken.trim(),
-  );
+	const validAccounts: AccountMetadataV3[] = [];
+	for (const account of rawAccounts) {
+		if (!isStoredAccountCandidate(account)) {
+			continue;
+		}
+		try {
+			validAccounts.push(decryptAccountSensitiveFields(account));
+		} catch (error) {
+			throw toStorageDecryptError(error);
+		}
+	}
 
   const deduplicatedAccounts = deduplicateAccountsByEmail(
     deduplicateAccountsByKey(validAccounts),
@@ -965,6 +1083,9 @@ async function loadAccountsInternal(
     return normalized;
   } catch (error) {
     const code = (error as NodeJS.ErrnoException).code;
+    if (code === STORAGE_DECRYPT_ERROR_CODE) {
+      throw error;
+    }
     if (code === "ENOENT" && migratedLegacyStorage) {
       return migratedLegacyStorage;
     }
@@ -1069,7 +1190,8 @@ async function saveAccountsUnlocked(storage: AccountStorageV3): Promise<void> {
 		}
 	}
 
-    const content = JSON.stringify(storage, null, 2);
+	const persistedStorage = cloneStorageForPersist(storage);
+    const content = JSON.stringify(persistedStorage, null, 2);
 	const journalEntry: AccountsJournalEntry = {
 		version: 1,
 		createdAt: Date.now(),
@@ -1141,15 +1263,18 @@ async function saveAccountsUnlocked(storage: AccountStorageV3): Promise<void> {
 }
 
 export async function withAccountStorageTransaction<T>(
-  handler: (
+	handler: (
     current: AccountStorageV3 | null,
     persist: (storage: AccountStorageV3) => Promise<void>,
   ) => Promise<T>,
 ): Promise<T> {
-  return withStorageLock(async () => {
-    const current = await loadAccountsInternal(saveAccountsUnlocked);
-    return handler(current, saveAccountsUnlocked);
-  });
+	const path = getStoragePath();
+	return withStorageLock(async () =>
+		withAccountFileLock(path, async () => {
+			const current = await loadAccountsInternal(saveAccountsUnlocked);
+			return handler(current, saveAccountsUnlocked);
+		}),
+	);
 }
 
 /**
@@ -1160,9 +1285,12 @@ export async function withAccountStorageTransaction<T>(
  * @throws StorageError with platform-aware hints on failure
  */
 export async function saveAccounts(storage: AccountStorageV3): Promise<void> {
-  return withStorageLock(async () => {
-    await saveAccountsUnlocked(storage);
-  });
+	const path = getStoragePath();
+	return withStorageLock(async () =>
+		withAccountFileLock(path, async () => {
+			await saveAccountsUnlocked(storage);
+		}),
+	);
 }
 
 /**
@@ -1170,30 +1298,32 @@ export async function saveAccounts(storage: AccountStorageV3): Promise<void> {
  * Silently ignores if file doesn't exist.
  */
 export async function clearAccounts(): Promise<void> {
-  return withStorageLock(async () => {
-    const path = getStoragePath();
-    const walPath = getAccountsWalPath(path);
-	const backupPaths = getAccountsBackupRecoveryCandidates(path);
-    const clearPath = async (targetPath: string): Promise<void> => {
-      try {
-        await fs.unlink(targetPath);
-      } catch (error) {
-        const code = (error as NodeJS.ErrnoException).code;
-        if (code !== "ENOENT") {
-          log.error("Failed to clear account storage artifact", {
-            path: targetPath,
-            error: String(error),
-          });
-        }
-      }
-    };
+	const path = getStoragePath();
+	return withStorageLock(async () =>
+		withAccountFileLock(path, async () => {
+			const walPath = getAccountsWalPath(path);
+			const backupPaths = getAccountsBackupRecoveryCandidates(path);
+			const clearPath = async (targetPath: string): Promise<void> => {
+				try {
+					await fs.unlink(targetPath);
+				} catch (error) {
+					const code = (error as NodeJS.ErrnoException).code;
+					if (code !== "ENOENT") {
+						log.error("Failed to clear account storage artifact", {
+							path: targetPath,
+							error: String(error),
+						});
+					}
+				}
+			};
 
-    try {
-      await Promise.all([clearPath(path), clearPath(walPath), ...backupPaths.map(clearPath)]);
-    } catch {
-      // Individual path cleanup is already best-effort with per-artifact logging.
-    }
-  });
+			try {
+				await Promise.all([clearPath(path), clearPath(walPath), ...backupPaths.map(clearPath)]);
+			} catch {
+				// Individual path cleanup is already best-effort with per-artifact logging.
+			}
+		}),
+	);
 }
 
 function normalizeFlaggedStorage(data: unknown): FlaggedAccountStorageV1 {
@@ -1204,9 +1334,17 @@ function normalizeFlaggedStorage(data: unknown): FlaggedAccountStorageV1 {
 	const byRefreshToken = new Map<string, FlaggedAccountMetadataV1>();
 	for (const rawAccount of data.accounts) {
 		if (!isRecord(rawAccount)) continue;
-		const refreshToken =
+		const refreshTokenRaw =
 			typeof rawAccount.refreshToken === "string" ? rawAccount.refreshToken.trim() : "";
-		if (!refreshToken) continue;
+		if (!refreshTokenRaw) continue;
+		let refreshToken: string;
+		try {
+			refreshToken = decryptStorageSecret(refreshTokenRaw, "flagged refresh token").value;
+		} catch (error) {
+			throw new Error("Failed to decrypt flagged refresh token", {
+				cause: error instanceof Error ? error : undefined,
+			});
+		}
 
 		const flaggedAt = typeof rawAccount.flaggedAt === "number" ? rawAccount.flaggedAt : Date.now();
 		const isAccountIdSource = (
@@ -1272,6 +1410,19 @@ function normalizeFlaggedStorage(data: unknown): FlaggedAccountStorageV1 {
 	};
 }
 
+function cloneFlaggedStorageForPersist(storage: FlaggedAccountStorageV1): FlaggedAccountStorageV1 {
+	return {
+		version: 1,
+		accounts: storage.accounts.map((account) => ({
+			...account,
+			refreshToken: encryptStorageSecret(account.refreshToken),
+			...(typeof account.accessToken === "string" && account.accessToken.length > 0
+				? { accessToken: encryptStorageSecret(account.accessToken) }
+				: {}),
+		})),
+	};
+}
+
 export async function loadFlaggedAccounts(): Promise<FlaggedAccountStorageV1> {
 	const path = getFlaggedAccountsPath();
 	const empty: FlaggedAccountStorageV1 = { version: 1, accounts: [] };
@@ -1284,7 +1435,7 @@ export async function loadFlaggedAccounts(): Promise<FlaggedAccountStorageV1> {
 		const code = (error as NodeJS.ErrnoException).code;
 		if (code !== "ENOENT") {
 			log.error("Failed to load flagged account storage", { path, error: String(error) });
-			return empty;
+			throw error;
 		}
 	}
 
@@ -1329,7 +1480,8 @@ export async function saveFlaggedAccounts(storage: FlaggedAccountStorageV1): Pro
 
 		try {
 			await fs.mkdir(dirname(path), { recursive: true });
-			const content = JSON.stringify(normalizeFlaggedStorage(storage), null, 2);
+			const normalized = normalizeFlaggedStorage(storage);
+			const content = JSON.stringify(cloneFlaggedStorageForPersist(normalized), null, 2);
 			await fs.writeFile(tempPath, content, { encoding: "utf-8", mode: 0o600 });
 			await fs.rename(tempPath, path);
 		} catch (error) {
@@ -1377,7 +1529,7 @@ export async function exportAccounts(filePath: string, force = true): Promise<vo
   
   await fs.mkdir(dirname(resolvedPath), { recursive: true });
   
-  const content = JSON.stringify(storage, null, 2);
+  const content = JSON.stringify(cloneStorageForPersist(storage), null, 2);
   await fs.writeFile(resolvedPath, content, { encoding: "utf-8", mode: 0o600 });
   log.info("Exported accounts", { path: resolvedPath, count: storage.accounts.length });
 }
@@ -1446,3 +1598,31 @@ export async function importAccounts(filePath: string): Promise<{ imported: numb
 
   return { imported: importedCount, total, skipped: skippedCount };
 }
+
+export async function rotateStoredSecretEncryption(): Promise<{
+	accounts: number;
+	flaggedAccounts: number;
+}> {
+	const keys = getConfiguredSecretKeys();
+	if (!keys.primary) {
+		throw new Error("CODEX_AUTH_ENCRYPTION_KEY is required to rotate stored secrets");
+	}
+
+	let accountCount = 0;
+	const accounts = await loadAccounts();
+	if (accounts) {
+		accountCount = accounts.accounts.length;
+		await saveAccounts(accounts);
+	}
+
+	const flagged = await loadFlaggedAccounts();
+	const flaggedCount = flagged.accounts.length;
+	if (flaggedCount > 0) {
+		await saveFlaggedAccounts(flagged);
+	}
+
+	return {
+		accounts: accountCount,
+		flaggedAccounts: flaggedCount,
+	};
+}
diff --git a/lib/unified-settings.ts b/lib/unified-settings.ts
index ff63d89..2b1ea93 100644
--- a/lib/unified-settings.ts
+++ b/lib/unified-settings.ts
@@ -10,13 +10,21 @@ import {
 import { join } from "node:path";
 import { getCodexMultiAuthDir } from "./runtime-paths.js";
 import { sleep } from "./utils.js";
+import { acquireFileLock, acquireFileLockSync } from "./file-lock.js";
 
 type JsonRecord = Record<string, unknown>;
 
 export const UNIFIED_SETTINGS_VERSION = 1 as const;
 
 const UNIFIED_SETTINGS_PATH = join(getCodexMultiAuthDir(), "settings.json");
+const UNIFIED_SETTINGS_LOCK_PATH = `${UNIFIED_SETTINGS_PATH}.lock`;
 const RETRYABLE_FS_CODES = new Set(["EBUSY", "EPERM"]);
+const SETTINGS_LOCK_OPTIONS = {
+	maxAttempts: 80,
+	baseDelayMs: 15,
+	maxDelayMs: 800,
+	staleAfterMs: 120_000,
+} as const;
 let settingsWriteQueue: Promise<void> = Promise.resolve();
 
 function isRetryableFsError(error: unknown): boolean {
@@ -254,9 +262,14 @@ export function loadUnifiedPluginConfigSync(): JsonRecord | null {
  * @param pluginConfig - Key/value map representing plugin configuration to persist
  */
 export function saveUnifiedPluginConfigSync(pluginConfig: JsonRecord): void {
-	const record = readSettingsRecordSync() ?? {};
-	record.pluginConfig = { ...pluginConfig };
-	writeSettingsRecordSync(record);
+	const lock = acquireFileLockSync(UNIFIED_SETTINGS_LOCK_PATH, SETTINGS_LOCK_OPTIONS);
+	try {
+		const record = readSettingsRecordSync() ?? {};
+		record.pluginConfig = { ...pluginConfig };
+		writeSettingsRecordSync(record);
+	} finally {
+		lock.release();
+	}
 }
 
 /**
@@ -271,9 +284,14 @@ export function saveUnifiedPluginConfigSync(pluginConfig: JsonRecord): void {
  */
 export async function saveUnifiedPluginConfig(pluginConfig: JsonRecord): Promise<void> {
 	await enqueueSettingsWrite(async () => {
-		const record = await readSettingsRecordAsync() ?? {};
-		record.pluginConfig = { ...pluginConfig };
-		await writeSettingsRecordAsync(record);
+		const lock = await acquireFileLock(UNIFIED_SETTINGS_LOCK_PATH, SETTINGS_LOCK_OPTIONS);
+		try {
+			const record = (await readSettingsRecordAsync()) ?? {};
+			record.pluginConfig = { ...pluginConfig };
+			await writeSettingsRecordAsync(record);
+		} finally {
+			await lock.release();
+		}
 	});
 }
 
@@ -314,8 +332,13 @@ export async function saveUnifiedDashboardSettings(
 	dashboardDisplaySettings: JsonRecord,
 ): Promise<void> {
 	await enqueueSettingsWrite(async () => {
-		const record = await readSettingsRecordAsync() ?? {};
-		record.dashboardDisplaySettings = { ...dashboardDisplaySettings };
-		await writeSettingsRecordAsync(record);
+		const lock = await acquireFileLock(UNIFIED_SETTINGS_LOCK_PATH, SETTINGS_LOCK_OPTIONS);
+		try {
+			const record = (await readSettingsRecordAsync()) ?? {};
+			record.dashboardDisplaySettings = { ...dashboardDisplaySettings };
+			await writeSettingsRecordAsync(record);
+		} finally {
+			await lock.release();
+		}
 	});
 }
diff --git a/package-lock.json b/package-lock.json
index 93ee2ca..cf02555 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -23,6 +23,7 @@
       },
       "devDependencies": {
         "@codex-ai/sdk": "file:vendor/codex-ai-sdk",
+        "@cyclonedx/cyclonedx-npm": "4.2.0",
         "@fast-check/vitest": "^0.2.4",
         "@types/node": "^25.3.0",
         "@typescript-eslint/eslint-plugin": "^8.56.0",
@@ -112,6 +113,114 @@
       "resolved": "vendor/codex-ai-sdk",
       "link": true
     },
+    "node_modules/@cyclonedx/cyclonedx-npm": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/@cyclonedx/cyclonedx-npm/-/cyclonedx-npm-4.2.0.tgz",
+      "integrity": "sha512-TDGb85XzPMagN8WxIGgn24sCMdgQ51UdhwvaGmAIje/3P78+vyf2s9pAU0KMSDBVz3JQ66OpHaIDpR+dpRS1Ww==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX"
+        }
+      ],
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@cyclonedx/cyclonedx-library": "^10.0.0",
+        "commander": "^14.0.0",
+        "normalize-package-data": "^7.0.0 || ^8.0.0",
+        "packageurl-js": "^2.0.1",
+        "spdx-expression-parse": "^3.0.1 || ^4.0.0",
+        "xmlbuilder2": "^3.0.2 || ^4.0.3"
+      },
+      "bin": {
+        "cyclonedx-npm": "bin/cyclonedx-npm-cli.js"
+      },
+      "engines": {
+        "node": ">=20.18.0",
+        "npm": ">=9"
+      },
+      "optionalDependencies": {
+        "ajv": "^8.12.0",
+        "ajv-formats": "^3.0.1",
+        "ajv-formats-draft2019": "^1.6.1",
+        "libxmljs2": "^0.35||^0.37"
+      }
+    },
+    "node_modules/@cyclonedx/cyclonedx-npm/node_modules/@cyclonedx/cyclonedx-library": {
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/@cyclonedx/cyclonedx-library/-/cyclonedx-library-10.0.0.tgz",
+      "integrity": "sha512-xDXf2eqzeFHdjamj6oBV3duRSfrlmsJ5+2z9tXp7q5qxJP5Awmjf4ABSutS4qkVHHj7JzKFL/EM0V0Nihc7zPg==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "individual",
+          "url": "https://owasp.org/donate/?reponame=www-project-cyclonedx&title=OWASP+CycloneDX"
+        }
+      ],
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=20.18.0"
+      },
+      "peerDependencies": {
+        "ajv": "^8.12.0",
+        "ajv-formats": "^3.0.1",
+        "ajv-formats-draft2019": "^1.6.1",
+        "libxmljs2": "^0.35||^0.37",
+        "packageurl-js": "*",
+        "spdx-expression-parse": "*",
+        "xmlbuilder2": "^3.0.2||^4.0.0"
+      },
+      "peerDependenciesMeta": {
+        "ajv": {
+          "optional": true
+        },
+        "ajv-formats": {
+          "optional": true
+        },
+        "ajv-formats-draft2019": {
+          "optional": true
+        },
+        "libxmljs2": {
+          "optional": true
+        },
+        "packageurl-js": {
+          "optional": true
+        },
+        "spdx-expression-parse": {
+          "optional": true
+        },
+        "xmlbuilder2": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@cyclonedx/cyclonedx-npm/node_modules/ajv": {
+      "version": "8.18.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
+      "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "fast-deep-equal": "^3.1.3",
+        "fast-uri": "^3.0.1",
+        "json-schema-traverse": "^1.0.0",
+        "require-from-string": "^2.0.2"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/epoberezkin"
+      }
+    },
+    "node_modules/@cyclonedx/cyclonedx-npm/node_modules/json-schema-traverse": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz",
+      "integrity": "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
     "node_modules/@esbuild/aix-ppc64": {
       "version": "0.27.2",
       "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.2.tgz",
@@ -723,6 +832,99 @@
         "url": "https://github.com/sponsors/nzakas"
       }
     },
+    "node_modules/@isaacs/cliui": {
+      "version": "8.0.2",
+      "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz",
+      "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "string-width": "^5.1.2",
+        "string-width-cjs": "npm:string-width@^4.2.0",
+        "strip-ansi": "^7.0.1",
+        "strip-ansi-cjs": "npm:strip-ansi@^6.0.1",
+        "wrap-ansi": "^8.1.0",
+        "wrap-ansi-cjs": "npm:wrap-ansi@^7.0.0"
+      },
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/@isaacs/cliui/node_modules/ansi-styles": {
+      "version": "6.2.3",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.3.tgz",
+      "integrity": "sha512-4Dj6M28JB+oAH8kFkTLUo+a2jwOFkuqb3yucU0CANcRRUbxS0cP0nZYCGjcc3BNXwRIsUVmDGgzawme7zvJHvg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      }
+    },
+    "node_modules/@isaacs/cliui/node_modules/emoji-regex": {
+      "version": "9.2.2",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-9.2.2.tgz",
+      "integrity": "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
+    "node_modules/@isaacs/cliui/node_modules/string-width": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-5.1.2.tgz",
+      "integrity": "sha512-HnLOCR3vjcY8beoNLtcjZ5/nxn2afmME6lhrDrebokqMap+XbeW8n9TXpPDOqdGK5qcI3oT0GKTW6wC7EMiVqA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "eastasianwidth": "^0.2.0",
+        "emoji-regex": "^9.2.2",
+        "strip-ansi": "^7.0.1"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@isaacs/cliui/node_modules/wrap-ansi": {
+      "version": "8.1.0",
+      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-8.1.0.tgz",
+      "integrity": "sha512-si7QWI6zUMq56bESFvagtmzMdGOtoxfR+Sez11Mobfc7tm+VkUckk9bW2UeffTGVUbOksxmSw0AA2gs8g71NCQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "ansi-styles": "^6.1.0",
+        "string-width": "^5.0.1",
+        "strip-ansi": "^7.0.1"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/wrap-ansi?sponsor=1"
+      }
+    },
+    "node_modules/@isaacs/fs-minipass": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/@isaacs/fs-minipass/-/fs-minipass-4.0.1.tgz",
+      "integrity": "sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "minipass": "^7.0.4"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
     "node_modules/@jridgewell/resolve-uri": {
       "version": "3.1.2",
       "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
@@ -751,6 +953,90 @@
         "@jridgewell/sourcemap-codec": "^1.4.14"
       }
     },
+    "node_modules/@npmcli/agent": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/@npmcli/agent/-/agent-3.0.0.tgz",
+      "integrity": "sha512-S79NdEgDQd/NGCay6TCoVzXSj74skRZIKJcpJjC5lOq34SZzyI6MqtiiWoiVWoVrTcGjNeC4ipbh1VIHlpfF5Q==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "agent-base": "^7.1.0",
+        "http-proxy-agent": "^7.0.0",
+        "https-proxy-agent": "^7.0.1",
+        "lru-cache": "^10.0.1",
+        "socks-proxy-agent": "^8.0.3"
+      },
+      "engines": {
+        "node": "^18.17.0 || >=20.5.0"
+      }
+    },
+    "node_modules/@npmcli/fs": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/@npmcli/fs/-/fs-4.0.0.tgz",
+      "integrity": "sha512-/xGlezI6xfGO9NwuJlnwz/K14qD1kCSAGtacBHnGzeAIuJGazcp45KP5NuyARXoKb7cwulAGWVsbeSxdG/cb0Q==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "semver": "^7.3.5"
+      },
+      "engines": {
+        "node": "^18.17.0 || >=20.5.0"
+      }
+    },
+    "node_modules/@oozcitak/dom": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@oozcitak/dom/-/dom-2.0.2.tgz",
+      "integrity": "sha512-GjpKhkSYC3Mj4+lfwEyI1dqnsKTgwGy48ytZEhm4A/xnH/8z9M3ZVXKr/YGQi3uCLs1AEBS+x5T2JPiueEDW8w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@oozcitak/infra": "^2.0.2",
+        "@oozcitak/url": "^3.0.0",
+        "@oozcitak/util": "^10.0.0"
+      },
+      "engines": {
+        "node": ">=20.0"
+      }
+    },
+    "node_modules/@oozcitak/infra": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/@oozcitak/infra/-/infra-2.0.2.tgz",
+      "integrity": "sha512-2g+E7hoE2dgCz/APPOEK5s3rMhJvNxSMBrP+U+j1OWsIbtSpWxxlUjq1lU8RIsFJNYv7NMlnVsCuHcUzJW+8vA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@oozcitak/util": "^10.0.0"
+      },
+      "engines": {
+        "node": ">=20.0"
+      }
+    },
+    "node_modules/@oozcitak/url": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/@oozcitak/url/-/url-3.0.0.tgz",
+      "integrity": "sha512-ZKfET8Ak1wsLAiLWNfFkZc/BraDccuTJKR6svTYc7sVjbR+Iu0vtXdiDMY4o6jaFl5TW2TlS7jbLl4VovtAJWQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@oozcitak/infra": "^2.0.2",
+        "@oozcitak/util": "^10.0.0"
+      },
+      "engines": {
+        "node": ">=20.0"
+      }
+    },
+    "node_modules/@oozcitak/util": {
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/@oozcitak/util/-/util-10.0.0.tgz",
+      "integrity": "sha512-hAX0pT/73190NLqBPPWSdBVGtbY6VOhWYK3qqHqtXQ1gK7kS2yz4+ivsN07hpJ6I3aeMtKP6J6npsEKOAzuTLA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=20.0"
+      }
+    },
     "node_modules/@openauthjs/openauth": {
       "version": "0.4.3",
       "resolved": "https://registry.npmjs.org/@openauthjs/openauth/-/openauth-0.4.3.tgz",
@@ -817,6 +1103,17 @@
       "license": "MIT",
       "peer": true
     },
+    "node_modules/@pkgjs/parseargs": {
+      "version": "0.11.0",
+      "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz",
+      "integrity": "sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">=14"
+      }
+    },
     "node_modules/@polka/url": {
       "version": "1.0.0-next.29",
       "resolved": "https://registry.npmjs.org/@polka/url/-/url-1.0.0-next.29.tgz",
@@ -1666,6 +1963,17 @@
         "url": "https://opencollective.com/vitest"
       }
     },
+    "node_modules/abbrev": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-3.0.1.tgz",
+      "integrity": "sha512-AO2ac6pjRB3SJmGJo+v5/aK6Omggp6fsLrs6wN9bd35ulu4cCwaAU9+7ZhXjeqHVkaHThLuzH0nZr0YpCDhygg==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "engines": {
+        "node": "^18.17.0 || >=20.5.0"
+      }
+    },
     "node_modules/acorn": {
       "version": "8.16.0",
       "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.16.0.tgz",
@@ -1689,6 +1997,17 @@
         "acorn": "^6.0.0 || ^7.0.0 || ^8.0.0"
       }
     },
+    "node_modules/agent-base": {
+      "version": "7.1.4",
+      "resolved": "https://registry.npmjs.org/agent-base/-/agent-base-7.1.4.tgz",
+      "integrity": "sha512-MnA+YT8fwfJPgBx3m60MNqakm30XOkyIoH1y6huTQvC0PwZG7ki8NacLBcrPbNoo8vEZy7Jpuk7+jMO+CUovTQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">= 14"
+      }
+    },
     "node_modules/ajv": {
       "version": "6.12.6",
       "resolved": "https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz",
@@ -1706,6 +2025,68 @@
         "url": "https://github.com/sponsors/epoberezkin"
       }
     },
+    "node_modules/ajv-formats": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/ajv-formats/-/ajv-formats-3.0.1.tgz",
+      "integrity": "sha512-8iUql50EUR+uUcdRQ3HDqa6EVyo3docL8g5WJ3FNcWmu62IbkGUue/pEyLBW8VGKKucTPgqeks4fIU1DA4yowQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "ajv": "^8.0.0"
+      },
+      "peerDependencies": {
+        "ajv": "^8.0.0"
+      },
+      "peerDependenciesMeta": {
+        "ajv": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/ajv-formats-draft2019": {
+      "version": "1.6.1",
+      "resolved": "https://registry.npmjs.org/ajv-formats-draft2019/-/ajv-formats-draft2019-1.6.1.tgz",
+      "integrity": "sha512-JQPvavpkWDvIsBp2Z33UkYCtXCSpW4HD3tAZ+oL4iEFOk9obQZffx0yANwECt6vzr6ET+7HN5czRyqXbnq/u0Q==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "punycode": "^2.1.1",
+        "schemes": "^1.4.0",
+        "smtp-address-parser": "^1.0.3",
+        "uri-js": "^4.4.1"
+      },
+      "peerDependencies": {
+        "ajv": "*"
+      }
+    },
+    "node_modules/ajv-formats/node_modules/ajv": {
+      "version": "8.18.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
+      "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "fast-deep-equal": "^3.1.3",
+        "fast-uri": "^3.0.1",
+        "json-schema-traverse": "^1.0.0",
+        "require-from-string": "^2.0.2"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/epoberezkin"
+      }
+    },
+    "node_modules/ajv-formats/node_modules/json-schema-traverse": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz",
+      "integrity": "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
     "node_modules/ansi-escapes": {
       "version": "7.2.0",
       "resolved": "https://registry.npmjs.org/ansi-escapes/-/ansi-escapes-7.2.0.tgz",
@@ -1735,6 +2116,23 @@
         "url": "https://github.com/chalk/ansi-regex?sponsor=1"
       }
     },
+    "node_modules/ansi-styles": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
+      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "color-convert": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      }
+    },
     "node_modules/arctic": {
       "version": "2.3.4",
       "resolved": "https://registry.npmjs.org/arctic/-/arctic-2.3.4.tgz",
@@ -1747,6 +2145,13 @@
         "@oslojs/jwt": "0.2.0"
       }
     },
+    "node_modules/argparse": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
+      "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==",
+      "dev": true,
+      "license": "Python-2.0"
+    },
     "node_modules/assertion-error": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/assertion-error/-/assertion-error-2.0.1.tgz",
@@ -1785,15 +2190,61 @@
         "node": "20 || >=22"
       }
     },
-    "node_modules/brace-expansion": {
-      "version": "5.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.2.tgz",
-      "integrity": "sha512-Pdk8c9poy+YhOgVWw1JNN22/HcivgKWwpxKq04M/jTmHyCZn12WPJebZxdjSa5TmBqISrUSgNYU3eRORljfCCw==",
+    "node_modules/base64-js": {
+      "version": "1.5.1",
+      "resolved": "https://registry.npmjs.org/base64-js/-/base64-js-1.5.1.tgz",
+      "integrity": "sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==",
       "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
       "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^4.0.2"
-      },
+      "optional": true
+    },
+    "node_modules/bindings": {
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/bindings/-/bindings-1.5.0.tgz",
+      "integrity": "sha512-p2q/t/mhvuOj/UeLlV6566GD/guowlr0hHxClI0W9m7MWYkL1F0hLo+0Aexs9HSPCtR1SXQ0TD3MMKrXZajbiQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "file-uri-to-path": "1.0.0"
+      }
+    },
+    "node_modules/bl": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/bl/-/bl-4.1.0.tgz",
+      "integrity": "sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "buffer": "^5.5.0",
+        "inherits": "^2.0.4",
+        "readable-stream": "^3.4.0"
+      }
+    },
+    "node_modules/brace-expansion": {
+      "version": "5.0.2",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.2.tgz",
+      "integrity": "sha512-Pdk8c9poy+YhOgVWw1JNN22/HcivgKWwpxKq04M/jTmHyCZn12WPJebZxdjSa5TmBqISrUSgNYU3eRORljfCCw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^4.0.2"
+      },
       "engines": {
         "node": "20 || >=22"
       }
@@ -1811,6 +2262,57 @@
         "node": ">=8"
       }
     },
+    "node_modules/buffer": {
+      "version": "5.7.1",
+      "resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz",
+      "integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "base64-js": "^1.3.1",
+        "ieee754": "^1.1.13"
+      }
+    },
+    "node_modules/cacache": {
+      "version": "19.0.1",
+      "resolved": "https://registry.npmjs.org/cacache/-/cacache-19.0.1.tgz",
+      "integrity": "sha512-hdsUxulXCi5STId78vRVYEtDAjq99ICAUktLTeTYsLoTE6Z8dS0c8pWNCxwdrk9YfJeobDZc2Y186hD/5ZQgFQ==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "@npmcli/fs": "^4.0.0",
+        "fs-minipass": "^3.0.0",
+        "glob": "^10.2.2",
+        "lru-cache": "^10.0.1",
+        "minipass": "^7.0.3",
+        "minipass-collect": "^2.0.1",
+        "minipass-flush": "^1.0.5",
+        "minipass-pipeline": "^1.2.4",
+        "p-map": "^7.0.2",
+        "ssri": "^12.0.0",
+        "tar": "^7.4.3",
+        "unique-filename": "^4.0.0"
+      },
+      "engines": {
+        "node": "^18.17.0 || >=20.5.0"
+      }
+    },
     "node_modules/chai": {
       "version": "6.2.2",
       "resolved": "https://registry.npmjs.org/chai/-/chai-6.2.2.tgz",
@@ -1821,6 +2323,17 @@
         "node": ">=18"
       }
     },
+    "node_modules/chownr": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/chownr/-/chownr-3.0.0.tgz",
+      "integrity": "sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "optional": true,
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/cli-cursor": {
       "version": "5.0.0",
       "resolved": "https://registry.npmjs.org/cli-cursor/-/cli-cursor-5.0.0.tgz",
@@ -1854,6 +2367,28 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/color-convert": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
+      "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "color-name": "~1.1.4"
+      },
+      "engines": {
+        "node": ">=7.0.0"
+      }
+    },
+    "node_modules/color-name": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
+      "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
     "node_modules/colorette": {
       "version": "2.0.20",
       "resolved": "https://registry.npmjs.org/colorette/-/colorette-2.0.20.tgz",
@@ -1904,6 +2439,34 @@
         }
       }
     },
+    "node_modules/decompress-response": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/decompress-response/-/decompress-response-6.0.0.tgz",
+      "integrity": "sha512-aW35yZM6Bb/4oJlZncMH2LCoZtJXTRxES17vE3hoRiowU2kWHaJKFkSBDnDR+cm9J+9QhXmREyIfv0pji9ejCQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "mimic-response": "^3.1.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/deep-extend": {
+      "version": "0.6.0",
+      "resolved": "https://registry.npmjs.org/deep-extend/-/deep-extend-0.6.0.tgz",
+      "integrity": "sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">=4.0.0"
+      }
+    },
     "node_modules/deep-is": {
       "version": "0.1.4",
       "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.4.tgz",
@@ -1911,6 +2474,33 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/detect-libc": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
+      "integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "optional": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/discontinuous-range": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/discontinuous-range/-/discontinuous-range-1.0.0.tgz",
+      "integrity": "sha512-c68LpLbO+7kP/b1Hr1qs8/BJ09F5khZGTxqxZuhzxpmwJKOgRFHJWIb9/KmqnqHhLdO55aOxFH/EGBvUQbL/RQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
+    "node_modules/eastasianwidth": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz",
+      "integrity": "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
     "node_modules/emoji-regex": {
       "version": "10.6.0",
       "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-10.6.0.tgz",
@@ -1918,6 +2508,39 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/encoding": {
+      "version": "0.1.13",
+      "resolved": "https://registry.npmjs.org/encoding/-/encoding-0.1.13.tgz",
+      "integrity": "sha512-ETBauow1T35Y/WZMkio9jiM0Z5xjHHmJ4XmjZOq1l/dXz3lr2sRn87nJy20RupqSh1F2m3HHPSp8ShIPQJrJ3A==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "iconv-lite": "^0.6.2"
+      }
+    },
+    "node_modules/end-of-stream": {
+      "version": "1.4.5",
+      "resolved": "https://registry.npmjs.org/end-of-stream/-/end-of-stream-1.4.5.tgz",
+      "integrity": "sha512-ooEGc6HP26xXq/N+GCGOT0JKCLDGrq2bQUZrQ7gyrJiZANJ/8YDTxTpQBXGMn+WbIQXNVpyWymm7KYVICQnyOg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "once": "^1.4.0"
+      }
+    },
+    "node_modules/env-paths": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/env-paths/-/env-paths-2.2.1.tgz",
+      "integrity": "sha512-+h1lkLKhZMTYjog1VEpJNG7NZJWcuc2DDk/qsqSTRRCOXiLjeQ1d1/udrUGhqMxUgAlwKNZ0cf2uqan5GLuS2A==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
     "node_modules/environment": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/environment/-/environment-1.1.0.tgz",
@@ -1931,6 +2554,14 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/err-code": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/err-code/-/err-code-2.0.3.tgz",
+      "integrity": "sha512-2bmlRpNKBxT/CRmPOlyISQpNj+qSeYvcym/uT0Jx2bMOlKLtSy1ZmLuVxSEKKyor/N5yhvp/ZiG1oE3DEYMSFA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
     "node_modules/es-module-lexer": {
       "version": "1.7.0",
       "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.7.0.tgz",
@@ -2198,6 +2829,17 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/expand-template": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/expand-template/-/expand-template-2.0.3.tgz",
+      "integrity": "sha512-XYfuKMvj4O35f/pOXLObndIRvyQ+/+6AhODh+OKWj9S9498pHHn/IMszH+gt0fBCRWMNfk1ZSp5x3AifmnI2vg==",
+      "dev": true,
+      "license": "(MIT OR WTFPL)",
+      "optional": true,
+      "engines": {
+        "node": ">=6"
+      }
+    },
     "node_modules/expect-type": {
       "version": "1.3.0",
       "resolved": "https://registry.npmjs.org/expect-type/-/expect-type-1.3.0.tgz",
@@ -2208,6 +2850,22 @@
         "node": ">=12.0.0"
       }
     },
+    "node_modules/exponential-backoff": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/exponential-backoff/-/exponential-backoff-3.1.3.tgz",
+      "integrity": "sha512-ZgEeZXj30q+I0EN+CbSSpIyPaJ5HVQD18Z1m+u1FXbAeT94mr1zw50q4q6jiiC447Nl/YTcIYSAftiGqetwXCA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "optional": true
+    },
+    "node_modules/extend": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz",
+      "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
     "node_modules/fast-check": {
       "version": "4.5.3",
       "resolved": "https://registry.npmjs.org/fast-check/-/fast-check-4.5.3.tgz",
@@ -2252,6 +2910,24 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/fast-uri": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz",
+      "integrity": "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/fastify"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/fastify"
+        }
+      ],
+      "license": "BSD-3-Clause",
+      "optional": true
+    },
     "node_modules/fflate": {
       "version": "0.8.2",
       "resolved": "https://registry.npmjs.org/fflate/-/fflate-0.8.2.tgz",
@@ -2272,6 +2948,14 @@
         "node": ">=16.0.0"
       }
     },
+    "node_modules/file-uri-to-path": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/file-uri-to-path/-/file-uri-to-path-1.0.0.tgz",
+      "integrity": "sha512-0Zt+s3L7Vf1biwWZ29aARiVYLx7iMGnEUl9x33fbB/j3jR81u/O2LbqK+Bm1CDSNDKVtJ/YjwY7TUd5SkeLQLw==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
     "node_modules/fill-range": {
       "version": "7.1.1",
       "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
@@ -2323,6 +3007,46 @@
       "dev": true,
       "license": "ISC"
     },
+    "node_modules/foreground-child": {
+      "version": "3.3.1",
+      "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.3.1.tgz",
+      "integrity": "sha512-gIXjKqtFuWEgzFRJA9WCQeSJLZDjgJUOMCMzxtvFq/37KojM1BFGufqsCy0r4qSQmYLsZYMeyRqzIWOMup03sw==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "cross-spawn": "^7.0.6",
+        "signal-exit": "^4.0.1"
+      },
+      "engines": {
+        "node": ">=14"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/fs-constants": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/fs-constants/-/fs-constants-1.0.0.tgz",
+      "integrity": "sha512-y6OAwoSIf7FyjMIv94u+b5rdheZEjzR63GTyZJm5qh4Bi+2YgwLCcI/fPFZkL5PSixOt6ZNKm+w+Hfp/Bciwow==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
+    "node_modules/fs-minipass": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/fs-minipass/-/fs-minipass-3.0.3.tgz",
+      "integrity": "sha512-XUBA9XClHbnJWSfBzjkm6RvPsyg3sryZt06BEQoXcF7EK/xpGaQYJgQKDJSUH5SGZ76Y7pFx1QBnXz09rU5Fbw==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "minipass": "^7.0.3"
+      },
+      "engines": {
+        "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
+      }
+    },
     "node_modules/fsevents": {
       "version": "2.3.3",
       "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
@@ -2351,6 +3075,37 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/github-from-package": {
+      "version": "0.0.0",
+      "resolved": "https://registry.npmjs.org/github-from-package/-/github-from-package-0.0.0.tgz",
+      "integrity": "sha512-SyHy3T1v2NUXn29OsWdxmK6RwHD+vkj3v8en8AOBZ1wBQ/hCAQ5bAQTD02kW4W9tUp/3Qh6J8r9EvntiyCmOOw==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
+    "node_modules/glob": {
+      "version": "10.5.0",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz",
+      "integrity": "sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==",
+      "deprecated": "Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "foreground-child": "^3.1.0",
+        "jackspeak": "^3.1.2",
+        "minimatch": "^9.0.4",
+        "minipass": "^7.1.2",
+        "package-json-from-dist": "^1.0.0",
+        "path-scurry": "^1.11.1"
+      },
+      "bin": {
+        "glob": "dist/esm/bin.mjs"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
     "node_modules/glob-parent": {
       "version": "6.0.2",
       "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-6.0.2.tgz",
@@ -2364,6 +3119,14 @@
         "node": ">=10.13.0"
       }
     },
+    "node_modules/graceful-fs": {
+      "version": "4.2.11",
+      "resolved": "https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.11.tgz",
+      "integrity": "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true
+    },
     "node_modules/has-flag": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
@@ -2383,6 +3146,29 @@
         "node": ">=16.9.0"
       }
     },
+    "node_modules/hosted-git-info": {
+      "version": "9.0.2",
+      "resolved": "https://registry.npmjs.org/hosted-git-info/-/hosted-git-info-9.0.2.tgz",
+      "integrity": "sha512-M422h7o/BR3rmCQ8UHi7cyyMqKltdP9Uo+J2fXK+RSAY+wTcKOIRyhTuKv4qn+DJf3g+PL890AzId5KZpX+CBg==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "lru-cache": "^11.1.0"
+      },
+      "engines": {
+        "node": "^20.17.0 || >=22.9.0"
+      }
+    },
+    "node_modules/hosted-git-info/node_modules/lru-cache": {
+      "version": "11.2.6",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.6.tgz",
+      "integrity": "sha512-ESL2CrkS/2wTPfuend7Zhkzo2u0daGJ/A2VucJOgQ/C48S/zB8MMeMHSGKYpXhIjbPxfuezITkaBH1wqv00DDQ==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "engines": {
+        "node": "20 || >=22"
+      }
+    },
     "node_modules/html-escaper": {
       "version": "2.0.2",
       "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz",
@@ -2390,6 +3176,44 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/http-cache-semantics": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.2.0.tgz",
+      "integrity": "sha512-dTxcvPXqPvXBQpq5dUr6mEMJX4oIEFv6bwom3FDwKRDsuIjjJGANqhBuoAn9c1RQJIdAKav33ED65E2ys+87QQ==",
+      "dev": true,
+      "license": "BSD-2-Clause",
+      "optional": true
+    },
+    "node_modules/http-proxy-agent": {
+      "version": "7.0.2",
+      "resolved": "https://registry.npmjs.org/http-proxy-agent/-/http-proxy-agent-7.0.2.tgz",
+      "integrity": "sha512-T1gkAiYYDWYx3V5Bmyu7HcfcvL7mUrTWiM6yOfa3PIphViJ/gFPbvidQ+veqSOHci/PxBcDabeUNCzpOODJZig==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "agent-base": "^7.1.0",
+        "debug": "^4.3.4"
+      },
+      "engines": {
+        "node": ">= 14"
+      }
+    },
+    "node_modules/https-proxy-agent": {
+      "version": "7.0.6",
+      "resolved": "https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-7.0.6.tgz",
+      "integrity": "sha512-vK9P5/iUfdl95AI+JVyUuIcVtd4ofvtrOr3HNtM2yxC9bnMbEdp3x01OhQNnjb8IJYi38VlTE3mBXwcfvywuSw==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "agent-base": "^7.1.2",
+        "debug": "4"
+      },
+      "engines": {
+        "node": ">= 14"
+      }
+    },
     "node_modules/husky": {
       "version": "9.1.7",
       "resolved": "https://registry.npmjs.org/husky/-/husky-9.1.7.tgz",
@@ -2406,6 +3230,42 @@
         "url": "https://github.com/sponsors/typicode"
       }
     },
+    "node_modules/iconv-lite": {
+      "version": "0.6.3",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.6.3.tgz",
+      "integrity": "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "safer-buffer": ">= 2.1.2 < 3.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/ieee754": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/ieee754/-/ieee754-1.2.1.tgz",
+      "integrity": "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "license": "BSD-3-Clause",
+      "optional": true
+    },
     "node_modules/ignore": {
       "version": "7.0.5",
       "resolved": "https://registry.npmjs.org/ignore/-/ignore-7.0.5.tgz",
@@ -2426,8 +3286,35 @@
         "node": ">=0.8.19"
       }
     },
-    "node_modules/is-extglob": {
-      "version": "2.1.1",
+    "node_modules/inherits": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
+      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true
+    },
+    "node_modules/ini": {
+      "version": "1.3.8",
+      "resolved": "https://registry.npmjs.org/ini/-/ini-1.3.8.tgz",
+      "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true
+    },
+    "node_modules/ip-address": {
+      "version": "10.1.0",
+      "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.1.0.tgz",
+      "integrity": "sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">= 12"
+      }
+    },
+    "node_modules/is-extglob": {
+      "version": "2.1.1",
       "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
       "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==",
       "dev": true,
@@ -2521,6 +3408,23 @@
         "node": ">=8"
       }
     },
+    "node_modules/jackspeak": {
+      "version": "3.4.3",
+      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz",
+      "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "optional": true,
+      "dependencies": {
+        "@isaacs/cliui": "^8.0.2"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      },
+      "optionalDependencies": {
+        "@pkgjs/parseargs": "^0.11.0"
+      }
+    },
     "node_modules/jose": {
       "version": "5.9.6",
       "resolved": "https://registry.npmjs.org/jose/-/jose-5.9.6.tgz",
@@ -2537,6 +3441,19 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/js-yaml": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz",
+      "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "argparse": "^2.0.1"
+      },
+      "bin": {
+        "js-yaml": "bin/js-yaml.js"
+      }
+    },
     "node_modules/json-buffer": {
       "version": "3.0.1",
       "resolved": "https://registry.npmjs.org/json-buffer/-/json-buffer-3.0.1.tgz",
@@ -2582,6 +3499,24 @@
         "node": ">= 0.8.0"
       }
     },
+    "node_modules/libxmljs2": {
+      "version": "0.37.0",
+      "resolved": "https://registry.npmjs.org/libxmljs2/-/libxmljs2-0.37.0.tgz",
+      "integrity": "sha512-Xb78V8GZouoZFrq8cCwx7+G3WYOcJG0xb3YUbweSyE4z2EIrQCZMr3Ye/dHn4mESs6YxUMeQeUZm5IXg+iLHog==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "bindings": "~1.5.0",
+        "nan": "~2.22.2",
+        "node-gyp": "^11.2.0",
+        "prebuild-install": "^7.1.3"
+      },
+      "engines": {
+        "node": ">=22"
+      }
+    },
     "node_modules/lint-staged": {
       "version": "16.2.7",
       "resolved": "https://registry.npmjs.org/lint-staged/-/lint-staged-16.2.7.tgz",
@@ -2661,6 +3596,14 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/lru-cache": {
+      "version": "10.4.3",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz",
+      "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true
+    },
     "node_modules/magic-string": {
       "version": "0.30.21",
       "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.21.tgz",
@@ -2699,6 +3642,30 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/make-fetch-happen": {
+      "version": "14.0.3",
+      "resolved": "https://registry.npmjs.org/make-fetch-happen/-/make-fetch-happen-14.0.3.tgz",
+      "integrity": "sha512-QMjGbFTP0blj97EeidG5hk/QhKQ3T4ICckQGLgz38QF7Vgbk6e6FTARN8KhKxyBbWn8R0HU+bnw8aSoFPD4qtQ==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "@npmcli/agent": "^3.0.0",
+        "cacache": "^19.0.1",
+        "http-cache-semantics": "^4.1.1",
+        "minipass": "^7.0.2",
+        "minipass-fetch": "^4.0.0",
+        "minipass-flush": "^1.0.5",
+        "minipass-pipeline": "^1.2.4",
+        "negotiator": "^1.0.0",
+        "proc-log": "^5.0.0",
+        "promise-retry": "^2.0.1",
+        "ssri": "^12.0.0"
+      },
+      "engines": {
+        "node": "^18.17.0 || >=20.5.0"
+      }
+    },
     "node_modules/micromatch": {
       "version": "4.0.8",
       "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz",
@@ -2726,6 +3693,20 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/mimic-response": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/mimic-response/-/mimic-response-3.1.0.tgz",
+      "integrity": "sha512-z0yWI+4FDrrweS8Zmt4Ej5HdJmky15+L2e6Wgn3+iK5fWzb6T3fhNFq2+MeTRb064c6Wr4N/wv0DzQTjNzHNGQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/minimatch": {
       "version": "10.2.4",
       "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.4.tgz",
@@ -2742,6 +3723,199 @@
         "url": "https://github.com/sponsors/isaacs"
       }
     },
+    "node_modules/minimist": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz",
+      "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/minipass": {
+      "version": "7.1.3",
+      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.3.tgz",
+      "integrity": "sha512-tEBHqDnIoM/1rXME1zgka9g6Q2lcoCkxHLuc7ODJ5BxbP5d4c2Z5cGgtXAku59200Cx7diuHTOYfSBD8n6mm8A==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "optional": true,
+      "engines": {
+        "node": ">=16 || 14 >=14.17"
+      }
+    },
+    "node_modules/minipass-collect": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/minipass-collect/-/minipass-collect-2.0.1.tgz",
+      "integrity": "sha512-D7V8PO9oaz7PWGLbCACuI1qEOsq7UKfLotx/C0Aet43fCUB/wfQ7DYeq2oR/svFJGYDHPr38SHATeaj/ZoKHKw==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "minipass": "^7.0.3"
+      },
+      "engines": {
+        "node": ">=16 || 14 >=14.17"
+      }
+    },
+    "node_modules/minipass-fetch": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/minipass-fetch/-/minipass-fetch-4.0.1.tgz",
+      "integrity": "sha512-j7U11C5HXigVuutxebFadoYBbd7VSdZWggSe64NVdvWNBqGAiXPL2QVCehjmw7lY1oF9gOllYbORh+hiNgfPgQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "minipass": "^7.0.3",
+        "minipass-sized": "^1.0.3",
+        "minizlib": "^3.0.1"
+      },
+      "engines": {
+        "node": "^18.17.0 || >=20.5.0"
+      },
+      "optionalDependencies": {
+        "encoding": "^0.1.13"
+      }
+    },
+    "node_modules/minipass-flush": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/minipass-flush/-/minipass-flush-1.0.5.tgz",
+      "integrity": "sha512-JmQSYYpPUqX5Jyn1mXaRwOda1uQ8HP5KAT/oDSLCzt1BYRhQU0/hDtsB1ufZfEEzMZ9aAVmsBw8+FWsIXlClWw==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "minipass": "^3.0.0"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/minipass-flush/node_modules/minipass": {
+      "version": "3.3.6",
+      "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz",
+      "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "yallist": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/minipass-flush/node_modules/yallist": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz",
+      "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true
+    },
+    "node_modules/minipass-pipeline": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/minipass-pipeline/-/minipass-pipeline-1.2.4.tgz",
+      "integrity": "sha512-xuIq7cIOt09RPRJ19gdi4b+RiNvDFYe5JH+ggNvBqGqpQXcru3PcRmOZuHBKWK1Txf9+cQ+HMVN4d6z46LZP7A==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "minipass": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/minipass-pipeline/node_modules/minipass": {
+      "version": "3.3.6",
+      "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz",
+      "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "yallist": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/minipass-pipeline/node_modules/yallist": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz",
+      "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true
+    },
+    "node_modules/minipass-sized": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/minipass-sized/-/minipass-sized-1.0.3.tgz",
+      "integrity": "sha512-MbkQQ2CTiBMlA2Dm/5cY+9SWFEN8pzzOXi6rlM5Xxq0Yqbda5ZQy9sU75a673FE9ZK0Zsbr6Y5iP6u9nktfg2g==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "minipass": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/minipass-sized/node_modules/minipass": {
+      "version": "3.3.6",
+      "resolved": "https://registry.npmjs.org/minipass/-/minipass-3.3.6.tgz",
+      "integrity": "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "yallist": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/minipass-sized/node_modules/yallist": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/yallist/-/yallist-4.0.0.tgz",
+      "integrity": "sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true
+    },
+    "node_modules/minizlib": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/minizlib/-/minizlib-3.1.0.tgz",
+      "integrity": "sha512-KZxYo1BUkWD2TVFLr0MQoM8vUUigWD3LlD83a/75BqC+4qE0Hb1Vo5v1FgcfaNXvfXzr+5EhQ6ing/CaBijTlw==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "minipass": "^7.1.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/mkdirp-classic": {
+      "version": "0.5.3",
+      "resolved": "https://registry.npmjs.org/mkdirp-classic/-/mkdirp-classic-0.5.3.tgz",
+      "integrity": "sha512-gKLcREMhtuZRwRAfqP3RFW+TK4JqApVBtOIftVgjuABpAtpxhPGaDcfvbhNvD0B8iD1oUr/txX35NjcaY6Ns/A==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
+    "node_modules/moo": {
+      "version": "0.5.3",
+      "resolved": "https://registry.npmjs.org/moo/-/moo-0.5.3.tgz",
+      "integrity": "sha512-m2fmM2dDm7GZQsY7KK2cme8agi+AAljILjQnof7p1ZMDe6dQ4bdnSMx0cPppudoeNv5hEFQirN6u+O4fDE0IWA==",
+      "dev": true,
+      "license": "BSD-3-Clause",
+      "optional": true
+    },
     "node_modules/mrmime": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/mrmime/-/mrmime-2.0.1.tgz",
@@ -2759,6 +3933,14 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/nan": {
+      "version": "2.22.2",
+      "resolved": "https://registry.npmjs.org/nan/-/nan-2.22.2.tgz",
+      "integrity": "sha512-DANghxFkS1plDdRsX0X9pm0Z6SJNN6gBdtXfanwoZ8hooC5gosGFSBGRYHUVPz1asKA/kMRqDRdHrluZ61SpBQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
     "node_modules/nano-spawn": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/nano-spawn/-/nano-spawn-2.0.0.tgz",
@@ -2791,6 +3973,14 @@
         "node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1"
       }
     },
+    "node_modules/napi-build-utils": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/napi-build-utils/-/napi-build-utils-2.0.0.tgz",
+      "integrity": "sha512-GEbrYkbfF7MoNaoh2iGG84Mnf/WZfB0GdGEsM8wz7Expx/LlWf5U8t9nvJKXSp3qr5IsEbK04cBGhol/KwOsWA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
     "node_modules/natural-compare": {
       "version": "1.4.0",
       "resolved": "https://registry.npmjs.org/natural-compare/-/natural-compare-1.4.0.tgz",
@@ -2798,6 +3988,149 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/nearley": {
+      "version": "2.20.1",
+      "resolved": "https://registry.npmjs.org/nearley/-/nearley-2.20.1.tgz",
+      "integrity": "sha512-+Mc8UaAebFzgV+KpI5n7DasuuQCHA89dmwm7JXw3TV43ukfNQ9DnBH3Mdb2g/I4Fdxc26pwimBWvjIw0UAILSQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "commander": "^2.19.0",
+        "moo": "^0.5.0",
+        "railroad-diagrams": "^1.0.0",
+        "randexp": "0.4.6"
+      },
+      "bin": {
+        "nearley-railroad": "bin/nearley-railroad.js",
+        "nearley-test": "bin/nearley-test.js",
+        "nearley-unparse": "bin/nearley-unparse.js",
+        "nearleyc": "bin/nearleyc.js"
+      },
+      "funding": {
+        "type": "individual",
+        "url": "https://nearley.js.org/#give-to-nearley"
+      }
+    },
+    "node_modules/nearley/node_modules/commander": {
+      "version": "2.20.3",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz",
+      "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
+    "node_modules/negotiator": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-1.0.0.tgz",
+      "integrity": "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/node-abi": {
+      "version": "3.87.0",
+      "resolved": "https://registry.npmjs.org/node-abi/-/node-abi-3.87.0.tgz",
+      "integrity": "sha512-+CGM1L1CgmtheLcBuleyYOn7NWPVu0s0EJH2C4puxgEZb9h8QpR9G2dBfZJOAUhi7VQxuBPMd0hiISWcTyiYyQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "semver": "^7.3.5"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/node-gyp": {
+      "version": "11.5.0",
+      "resolved": "https://registry.npmjs.org/node-gyp/-/node-gyp-11.5.0.tgz",
+      "integrity": "sha512-ra7Kvlhxn5V9Slyus0ygMa2h+UqExPqUIkfk7Pc8QTLT956JLSy51uWFwHtIYy0vI8cB4BDhc/S03+880My/LQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "env-paths": "^2.2.0",
+        "exponential-backoff": "^3.1.1",
+        "graceful-fs": "^4.2.6",
+        "make-fetch-happen": "^14.0.3",
+        "nopt": "^8.0.0",
+        "proc-log": "^5.0.0",
+        "semver": "^7.3.5",
+        "tar": "^7.4.3",
+        "tinyglobby": "^0.2.12",
+        "which": "^5.0.0"
+      },
+      "bin": {
+        "node-gyp": "bin/node-gyp.js"
+      },
+      "engines": {
+        "node": "^18.17.0 || >=20.5.0"
+      }
+    },
+    "node_modules/node-gyp/node_modules/isexe": {
+      "version": "3.1.5",
+      "resolved": "https://registry.npmjs.org/isexe/-/isexe-3.1.5.tgz",
+      "integrity": "sha512-6B3tLtFqtQS4ekarvLVMZ+X+VlvQekbe4taUkf/rhVO3d/h0M2rfARm/pXLcPEsjjMsFgrFgSrhQIxcSVrBz8w==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "optional": true,
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/node-gyp/node_modules/which": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/which/-/which-5.0.0.tgz",
+      "integrity": "sha512-JEdGzHwwkrbWoGOlIHqQ5gtprKGOenpDHpxE9zVR1bWbOtYRyPPHMe9FaP6x61CmNaTThSkb0DAJte5jD+DmzQ==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "isexe": "^3.1.1"
+      },
+      "bin": {
+        "node-which": "bin/which.js"
+      },
+      "engines": {
+        "node": "^18.17.0 || >=20.5.0"
+      }
+    },
+    "node_modules/nopt": {
+      "version": "8.1.0",
+      "resolved": "https://registry.npmjs.org/nopt/-/nopt-8.1.0.tgz",
+      "integrity": "sha512-ieGu42u/Qsa4TFktmaKEwM6MQH0pOWnaB3htzh0JRtx84+Mebc0cbZYN5bC+6WTZ4+77xrL9Pn5m7CV6VIkV7A==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "abbrev": "^3.0.0"
+      },
+      "bin": {
+        "nopt": "bin/nopt.js"
+      },
+      "engines": {
+        "node": "^18.17.0 || >=20.5.0"
+      }
+    },
+    "node_modules/normalize-package-data": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/normalize-package-data/-/normalize-package-data-8.0.0.tgz",
+      "integrity": "sha512-RWk+PI433eESQ7ounYxIp67CYuVsS1uYSonX3kA6ps/3LWfjVQa/ptEg6Y3T6uAMq1mWpX9PQ+qx+QaHpsc7gQ==",
+      "dev": true,
+      "license": "BSD-2-Clause",
+      "dependencies": {
+        "hosted-git-info": "^9.0.0",
+        "semver": "^7.3.5",
+        "validate-npm-package-license": "^3.0.4"
+      },
+      "engines": {
+        "node": "^20.17.0 || >=22.9.0"
+      }
+    },
     "node_modules/obug": {
       "version": "2.1.1",
       "resolved": "https://registry.npmjs.org/obug/-/obug-2.1.1.tgz",
@@ -2809,6 +4142,17 @@
       ],
       "license": "MIT"
     },
+    "node_modules/once": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/once/-/once-1.4.0.tgz",
+      "integrity": "sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "wrappy": "1"
+      }
+    },
     "node_modules/onetime": {
       "version": "7.0.0",
       "resolved": "https://registry.npmjs.org/onetime/-/onetime-7.0.0.tgz",
@@ -2875,6 +4219,35 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/p-map": {
+      "version": "7.0.4",
+      "resolved": "https://registry.npmjs.org/p-map/-/p-map-7.0.4.tgz",
+      "integrity": "sha512-tkAQEw8ysMzmkhgw8k+1U/iPhWNhykKnSk4Rd5zLoPJCuJaGRPo6YposrZgaxHKzDHdDWWZvE/Sk7hsL2X/CpQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/package-json-from-dist": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz",
+      "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "optional": true
+    },
+    "node_modules/packageurl-js": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/packageurl-js/-/packageurl-js-2.0.1.tgz",
+      "integrity": "sha512-N5ixXjzTy4QDQH0Q9YFjqIWd6zH6936Djpl2m9QNFmDv5Fum8q8BjkpAcHNMzOFE0IwQrFhJWex3AN6kS0OSwg==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/path-exists": {
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
@@ -2895,6 +4268,24 @@
         "node": ">=8"
       }
     },
+    "node_modules/path-scurry": {
+      "version": "1.11.1",
+      "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-1.11.1.tgz",
+      "integrity": "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "optional": true,
+      "dependencies": {
+        "lru-cache": "^10.2.0",
+        "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0"
+      },
+      "engines": {
+        "node": ">=16 || 14 >=14.18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
     "node_modules/pathe": {
       "version": "2.0.3",
       "resolved": "https://registry.npmjs.org/pathe/-/pathe-2.0.3.tgz",
@@ -2964,6 +4355,35 @@
         "node": "^10 || ^12 || >=14"
       }
     },
+    "node_modules/prebuild-install": {
+      "version": "7.1.3",
+      "resolved": "https://registry.npmjs.org/prebuild-install/-/prebuild-install-7.1.3.tgz",
+      "integrity": "sha512-8Mf2cbV7x1cXPUILADGI3wuhfqWvtiLA1iclTDbFRZkgRQS0NqsPZphna9V+HyTEadheuPmjaJMsbzKQFOzLug==",
+      "deprecated": "No longer maintained. Please contact the author of the relevant native addon; alternatives are available.",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "detect-libc": "^2.0.0",
+        "expand-template": "^2.0.3",
+        "github-from-package": "0.0.0",
+        "minimist": "^1.2.3",
+        "mkdirp-classic": "^0.5.3",
+        "napi-build-utils": "^2.0.0",
+        "node-abi": "^3.3.0",
+        "pump": "^3.0.0",
+        "rc": "^1.2.7",
+        "simple-get": "^4.0.0",
+        "tar-fs": "^2.0.0",
+        "tunnel-agent": "^0.6.0"
+      },
+      "bin": {
+        "prebuild-install": "bin.js"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
     "node_modules/prelude-ls": {
       "version": "1.2.1",
       "resolved": "https://registry.npmjs.org/prelude-ls/-/prelude-ls-1.2.1.tgz",
@@ -2974,6 +4394,44 @@
         "node": ">= 0.8.0"
       }
     },
+    "node_modules/proc-log": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/proc-log/-/proc-log-5.0.0.tgz",
+      "integrity": "sha512-Azwzvl90HaF0aCz1JrDdXQykFakSSNPaPoiZ9fm5qJIMHioDZEi7OAdRwSm6rSoPtY3Qutnm3L7ogmg3dc+wbQ==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "engines": {
+        "node": "^18.17.0 || >=20.5.0"
+      }
+    },
+    "node_modules/promise-retry": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/promise-retry/-/promise-retry-2.0.1.tgz",
+      "integrity": "sha512-y+WKFlBR8BGXnsNlIHFGPZmyDf3DFMoLhaflAnyZgV6rG6xu+JwesTo2Q9R6XwYmtmwAFCkAk3e35jEdoeh/3g==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "err-code": "^2.0.2",
+        "retry": "^0.12.0"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/pump": {
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.4.tgz",
+      "integrity": "sha512-VS7sjc6KR7e1ukRFhQSY5LM2uBWAUPiOPa/A3mkKmiMwSmRFUITt0xuj+/lesgnCv+dPIEYlkzrcyXgquIHMcA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "end-of-stream": "^1.1.0",
+        "once": "^1.3.1"
+      }
+    },
     "node_modules/punycode": {
       "version": "2.3.1",
       "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz",
@@ -3001,6 +4459,73 @@
       ],
       "license": "MIT"
     },
+    "node_modules/railroad-diagrams": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/railroad-diagrams/-/railroad-diagrams-1.0.0.tgz",
+      "integrity": "sha512-cz93DjNeLY0idrCNOH6PviZGRN9GJhsdm9hpn1YCS879fj4W+x5IFJhhkRZcwVgMmFF7R82UA/7Oh+R8lLZg6A==",
+      "dev": true,
+      "license": "CC0-1.0",
+      "optional": true
+    },
+    "node_modules/randexp": {
+      "version": "0.4.6",
+      "resolved": "https://registry.npmjs.org/randexp/-/randexp-0.4.6.tgz",
+      "integrity": "sha512-80WNmd9DA0tmZrw9qQa62GPPWfuXJknrmVmLcxvq4uZBdYqb1wYoKTmnlGUchvVWe0XiLupYkBoXVOxz3C8DYQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "discontinuous-range": "1.0.0",
+        "ret": "~0.1.10"
+      },
+      "engines": {
+        "node": ">=0.12"
+      }
+    },
+    "node_modules/rc": {
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/rc/-/rc-1.2.8.tgz",
+      "integrity": "sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==",
+      "dev": true,
+      "license": "(BSD-2-Clause OR MIT OR Apache-2.0)",
+      "optional": true,
+      "dependencies": {
+        "deep-extend": "^0.6.0",
+        "ini": "~1.3.0",
+        "minimist": "^1.2.0",
+        "strip-json-comments": "~2.0.1"
+      },
+      "bin": {
+        "rc": "cli.js"
+      }
+    },
+    "node_modules/readable-stream": {
+      "version": "3.6.2",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz",
+      "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "inherits": "^2.0.3",
+        "string_decoder": "^1.1.1",
+        "util-deprecate": "^1.0.1"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/require-from-string": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz",
+      "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/restore-cursor": {
       "version": "5.1.0",
       "resolved": "https://registry.npmjs.org/restore-cursor/-/restore-cursor-5.1.0.tgz",
@@ -3018,6 +4543,28 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/ret": {
+      "version": "0.1.15",
+      "resolved": "https://registry.npmjs.org/ret/-/ret-0.1.15.tgz",
+      "integrity": "sha512-TTlYpa+OL+vMMNG24xSlQGEJ3B/RzEfUlLct7b5G/ytav+wPrplCpVMFuwzXbkecJrb6IYo1iFb0S9v37754mg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">=0.12"
+      }
+    },
+    "node_modules/retry": {
+      "version": "0.12.0",
+      "resolved": "https://registry.npmjs.org/retry/-/retry-0.12.0.tgz",
+      "integrity": "sha512-9LkiTwjUh6rT555DtE9rTX+BKByPfrMzEAtnlEtdEwr3Nkffwiihqe2bWADg+OQRjt9gl6ICdmB/ZFDCGAtSow==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">= 4"
+      }
+    },
     "node_modules/rfdc": {
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/rfdc/-/rfdc-1.4.1.tgz",
@@ -3070,6 +4617,47 @@
         "fsevents": "~2.3.2"
       }
     },
+    "node_modules/safe-buffer": {
+      "version": "5.2.1",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
+      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "license": "MIT",
+      "optional": true
+    },
+    "node_modules/safer-buffer": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
+    "node_modules/schemes": {
+      "version": "1.4.0",
+      "resolved": "https://registry.npmjs.org/schemes/-/schemes-1.4.0.tgz",
+      "integrity": "sha512-ImFy9FbCsQlVgnE3TCWmLPCFnVzx0lHL/l+umHplDqAKd0dzFpnS6lFZIpagBlYhKwzVmlV36ec0Y1XTu8JBAQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "extend": "^3.0.0"
+      }
+    },
     "node_modules/semver": {
       "version": "7.7.3",
       "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.3.tgz",
@@ -3126,6 +4714,55 @@
         "url": "https://github.com/sponsors/isaacs"
       }
     },
+    "node_modules/simple-concat": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/simple-concat/-/simple-concat-1.0.1.tgz",
+      "integrity": "sha512-cSFtAPtRhljv69IK0hTVZQ+OfE9nePi/rtJmw5UjHeVyVroEqJXP1sFztKUy1qU+xvz3u/sfYJLa947b7nAN2Q==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "license": "MIT",
+      "optional": true
+    },
+    "node_modules/simple-get": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/simple-get/-/simple-get-4.0.1.tgz",
+      "integrity": "sha512-brv7p5WgH0jmQJr1ZDDfKDOSeWWg+OVypG99A/5vYGPqJ6pxiaHLy8nxtFjBA7oMa01ebA9gfh1uMCFqOuXxvA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "decompress-response": "^6.0.0",
+        "once": "^1.3.1",
+        "simple-concat": "^1.0.0"
+      }
+    },
     "node_modules/sirv": {
       "version": "3.0.2",
       "resolved": "https://registry.npmjs.org/sirv/-/sirv-3.0.2.tgz",
@@ -3152,23 +4789,81 @@
         "is-fullwidth-code-point": "^5.0.0"
       },
       "engines": {
-        "node": ">=18"
-      },
-      "funding": {
-        "url": "https://github.com/chalk/slice-ansi?sponsor=1"
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/slice-ansi?sponsor=1"
+      }
+    },
+    "node_modules/slice-ansi/node_modules/ansi-styles": {
+      "version": "6.2.3",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.3.tgz",
+      "integrity": "sha512-4Dj6M28JB+oAH8kFkTLUo+a2jwOFkuqb3yucU0CANcRRUbxS0cP0nZYCGjcc3BNXwRIsUVmDGgzawme7zvJHvg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      }
+    },
+    "node_modules/smart-buffer": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/smart-buffer/-/smart-buffer-4.2.0.tgz",
+      "integrity": "sha512-94hK0Hh8rPqQl2xXc3HsaBoOXKV20MToPkcXvwbISWLEs+64sBq5kFgn2kJDHb1Pry9yrP0dxrCI9RRci7RXKg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">= 6.0.0",
+        "npm": ">= 3.0.0"
+      }
+    },
+    "node_modules/smtp-address-parser": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/smtp-address-parser/-/smtp-address-parser-1.1.0.tgz",
+      "integrity": "sha512-Gz11jbNU0plrReU9Sj7fmshSBxxJ9ShdD2q4ktHIHo/rpTH6lFyQoYHYKINPJtPe8aHFnsbtW46Ls0tCCBsIZg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "nearley": "^2.20.1"
+      },
+      "engines": {
+        "node": ">=0.10"
+      }
+    },
+    "node_modules/socks": {
+      "version": "2.8.7",
+      "resolved": "https://registry.npmjs.org/socks/-/socks-2.8.7.tgz",
+      "integrity": "sha512-HLpt+uLy/pxB+bum/9DzAgiKS8CX1EvbWxI4zlmgGCExImLdiad2iCwXT5Z4c9c3Eq8rP2318mPW2c+QbtjK8A==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "ip-address": "^10.0.1",
+        "smart-buffer": "^4.2.0"
+      },
+      "engines": {
+        "node": ">= 10.0.0",
+        "npm": ">= 3.0.0"
       }
     },
-    "node_modules/slice-ansi/node_modules/ansi-styles": {
-      "version": "6.2.3",
-      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.3.tgz",
-      "integrity": "sha512-4Dj6M28JB+oAH8kFkTLUo+a2jwOFkuqb3yucU0CANcRRUbxS0cP0nZYCGjcc3BNXwRIsUVmDGgzawme7zvJHvg==",
+    "node_modules/socks-proxy-agent": {
+      "version": "8.0.5",
+      "resolved": "https://registry.npmjs.org/socks-proxy-agent/-/socks-proxy-agent-8.0.5.tgz",
+      "integrity": "sha512-HehCEsotFqbPW9sJ8WVYB6UbmIMv7kUUORIF2Nncq4VQvBfNBLibW9YZR5dlYCSUhwcD628pRllm7n+E+YTzJw==",
       "dev": true,
       "license": "MIT",
-      "engines": {
-        "node": ">=12"
+      "optional": true,
+      "dependencies": {
+        "agent-base": "^7.1.2",
+        "debug": "^4.3.4",
+        "socks": "^2.8.3"
       },
-      "funding": {
-        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      "engines": {
+        "node": ">= 14"
       }
     },
     "node_modules/source-map-js": {
@@ -3181,6 +4876,67 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/spdx-correct": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/spdx-correct/-/spdx-correct-3.2.0.tgz",
+      "integrity": "sha512-kN9dJbvnySHULIluDHy32WHRUu3Og7B9sbY7tsFLctQkIqnMh3hErYgdMjTYuqmcXX+lK5T1lnUt3G7zNswmZA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "spdx-expression-parse": "^3.0.0",
+        "spdx-license-ids": "^3.0.0"
+      }
+    },
+    "node_modules/spdx-correct/node_modules/spdx-expression-parse": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz",
+      "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "spdx-exceptions": "^2.1.0",
+        "spdx-license-ids": "^3.0.0"
+      }
+    },
+    "node_modules/spdx-exceptions": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/spdx-exceptions/-/spdx-exceptions-2.5.0.tgz",
+      "integrity": "sha512-PiU42r+xO4UbUS1buo3LPJkjlO7430Xn5SVAhdpzzsPHsjbYVflnnFdATgabnLude+Cqu25p6N+g2lw/PFsa4w==",
+      "dev": true,
+      "license": "CC-BY-3.0"
+    },
+    "node_modules/spdx-expression-parse": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-4.0.0.tgz",
+      "integrity": "sha512-Clya5JIij/7C6bRR22+tnGXbc4VKlibKSVj2iHvVeX5iMW7s1SIQlqu699JkODJJIhh/pUu8L0/VLh8xflD+LQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "spdx-exceptions": "^2.1.0",
+        "spdx-license-ids": "^3.0.0"
+      }
+    },
+    "node_modules/spdx-license-ids": {
+      "version": "3.0.23",
+      "resolved": "https://registry.npmjs.org/spdx-license-ids/-/spdx-license-ids-3.0.23.tgz",
+      "integrity": "sha512-CWLcCCH7VLu13TgOH+r8p1O/Znwhqv/dbb6lqWy67G+pT1kHmeD/+V36AVb/vq8QMIQwVShJ6Ssl5FPh0fuSdw==",
+      "dev": true,
+      "license": "CC0-1.0"
+    },
+    "node_modules/ssri": {
+      "version": "12.0.0",
+      "resolved": "https://registry.npmjs.org/ssri/-/ssri-12.0.0.tgz",
+      "integrity": "sha512-S7iGNosepx9RadX82oimUkvr0Ct7IjJbEbs4mJcTxst8um95J3sDYU1RBEOvdu6oL1Wek2ODI5i4MAw+dZ6cAQ==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "minipass": "^7.0.3"
+      },
+      "engines": {
+        "node": "^18.17.0 || >=20.5.0"
+      }
+    },
     "node_modules/stackback": {
       "version": "0.0.2",
       "resolved": "https://registry.npmjs.org/stackback/-/stackback-0.0.2.tgz",
@@ -3195,6 +4951,17 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/string_decoder": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz",
+      "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "safe-buffer": "~5.2.0"
+      }
+    },
     "node_modules/string-argv": {
       "version": "0.3.2",
       "resolved": "https://registry.npmjs.org/string-argv/-/string-argv-0.3.2.tgz",
@@ -3222,6 +4989,67 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/string-width-cjs": {
+      "name": "string-width",
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
+      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "emoji-regex": "^8.0.0",
+        "is-fullwidth-code-point": "^3.0.0",
+        "strip-ansi": "^6.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/string-width-cjs/node_modules/ansi-regex": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/string-width-cjs/node_modules/emoji-regex": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
+      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
+    "node_modules/string-width-cjs/node_modules/is-fullwidth-code-point": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
+      "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/string-width-cjs/node_modules/strip-ansi": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "ansi-regex": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/strip-ansi": {
       "version": "7.1.2",
       "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-7.1.2.tgz",
@@ -3238,6 +5066,43 @@
         "url": "https://github.com/chalk/strip-ansi?sponsor=1"
       }
     },
+    "node_modules/strip-ansi-cjs": {
+      "name": "strip-ansi",
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "ansi-regex": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/strip-ansi-cjs/node_modules/ansi-regex": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/strip-json-comments": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-2.0.1.tgz",
+      "integrity": "sha512-4gB8na07fecVVkOI6Rs4e7T6NOTki5EmL7TUduTs6bu3EdnSycntVJ4re8kgZA+wx9IueI2Y11bfbgwtzuE0KQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/supports-color": {
       "version": "7.2.0",
       "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
@@ -3251,6 +5116,64 @@
         "node": ">=8"
       }
     },
+    "node_modules/tar": {
+      "version": "7.5.10",
+      "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.10.tgz",
+      "integrity": "sha512-8mOPs1//5q/rlkNSPcCegA6hiHJYDmSLEI8aMH/CdSQJNWztHC9WHNam5zdQlfpTwB9Xp7IBEsHfV5LKMJGVAw==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "optional": true,
+      "dependencies": {
+        "@isaacs/fs-minipass": "^4.0.0",
+        "chownr": "^3.0.0",
+        "minipass": "^7.1.2",
+        "minizlib": "^3.1.0",
+        "yallist": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/tar-fs": {
+      "version": "2.1.4",
+      "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-2.1.4.tgz",
+      "integrity": "sha512-mDAjwmZdh7LTT6pNleZ05Yt65HC3E+NiQzl672vQG38jIrehtJk/J3mNwIg+vShQPcLF/LV7CMnDW6vjj6sfYQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "chownr": "^1.1.1",
+        "mkdirp-classic": "^0.5.2",
+        "pump": "^3.0.0",
+        "tar-stream": "^2.1.4"
+      }
+    },
+    "node_modules/tar-fs/node_modules/chownr": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/chownr/-/chownr-1.1.4.tgz",
+      "integrity": "sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true
+    },
+    "node_modules/tar-stream": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/tar-stream/-/tar-stream-2.2.0.tgz",
+      "integrity": "sha512-ujeqbceABgwMZxEJnk2HDY2DlnUZ+9oEcb1KzTVfYHio0UE6dG71n60d8D2I4qNvleWrrXpmjpt7vZeF1LnMZQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "bl": "^4.0.3",
+        "end-of-stream": "^1.4.1",
+        "fs-constants": "^1.0.0",
+        "inherits": "^2.0.3",
+        "readable-stream": "^3.1.1"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
     "node_modules/tinybench": {
       "version": "2.9.0",
       "resolved": "https://registry.npmjs.org/tinybench/-/tinybench-2.9.0.tgz",
@@ -3362,6 +5285,20 @@
         "typescript": ">=4.8.4"
       }
     },
+    "node_modules/tunnel-agent": {
+      "version": "0.6.0",
+      "resolved": "https://registry.npmjs.org/tunnel-agent/-/tunnel-agent-0.6.0.tgz",
+      "integrity": "sha512-McnNiV1l8RYeY8tBgEpuodCC1mLUdbSN+CYBL7kJsJNInOP8UjDDEwdk6Mw60vdLLrr5NHKZhMAOSrR2NZuQ+w==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "optional": true,
+      "dependencies": {
+        "safe-buffer": "^5.0.1"
+      },
+      "engines": {
+        "node": "*"
+      }
+    },
     "node_modules/type-check": {
       "version": "0.4.0",
       "resolved": "https://registry.npmjs.org/type-check/-/type-check-0.4.0.tgz",
@@ -3409,6 +5346,34 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/unique-filename": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/unique-filename/-/unique-filename-4.0.0.tgz",
+      "integrity": "sha512-XSnEewXmQ+veP7xX2dS5Q4yZAvO40cBN2MWkJ7D/6sW4Dg6wYBNwM1Vrnz1FhH5AdeLIlUXRI9e28z1YZi71NQ==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "unique-slug": "^5.0.0"
+      },
+      "engines": {
+        "node": "^18.17.0 || >=20.5.0"
+      }
+    },
+    "node_modules/unique-slug": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/unique-slug/-/unique-slug-5.0.0.tgz",
+      "integrity": "sha512-9OdaqO5kwqR+1kVgHAhsp5vPNU0hnxRa26rBFNfNgM7M6pNtgzeBn3s/xbyCQL3dcjzOatcef6UUHpB/6MaETg==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true,
+      "dependencies": {
+        "imurmurhash": "^0.1.4"
+      },
+      "engines": {
+        "node": "^18.17.0 || >=20.5.0"
+      }
+    },
     "node_modules/uri-js": {
       "version": "4.4.1",
       "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz",
@@ -3419,6 +5384,36 @@
         "punycode": "^2.1.0"
       }
     },
+    "node_modules/util-deprecate": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
+      "integrity": "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
+    "node_modules/validate-npm-package-license": {
+      "version": "3.0.4",
+      "resolved": "https://registry.npmjs.org/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz",
+      "integrity": "sha512-DpKm2Ui/xN7/HQKCtpZxoRWBhZ9Z0kqtygG8XCgNQ8ZlDnxuQmWhj566j8fN4Cu3/JmbhsDo7fcAJq4s9h27Ew==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "spdx-correct": "^3.0.0",
+        "spdx-expression-parse": "^3.0.0"
+      }
+    },
+    "node_modules/validate-npm-package-license/node_modules/spdx-expression-parse": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/spdx-expression-parse/-/spdx-expression-parse-3.0.1.tgz",
+      "integrity": "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "spdx-exceptions": "^2.1.0",
+        "spdx-license-ids": "^3.0.0"
+      }
+    },
     "node_modules/vite": {
       "version": "7.3.1",
       "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.1.tgz",
@@ -3677,6 +5672,86 @@
         "url": "https://github.com/chalk/wrap-ansi?sponsor=1"
       }
     },
+    "node_modules/wrap-ansi-cjs": {
+      "name": "wrap-ansi",
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz",
+      "integrity": "sha512-YVGIj2kamLSTxw6NsZjoBxfSwsn0ycdesmc4p+Q21c5zPuZ1pl+NfxVdxPtdHvmNVOQ6XSYG4AUtyt/Fi7D16Q==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "ansi-styles": "^4.0.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/wrap-ansi?sponsor=1"
+      }
+    },
+    "node_modules/wrap-ansi-cjs/node_modules/ansi-regex": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/wrap-ansi-cjs/node_modules/emoji-regex": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
+      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true
+    },
+    "node_modules/wrap-ansi-cjs/node_modules/is-fullwidth-code-point": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
+      "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/wrap-ansi-cjs/node_modules/string-width": {
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
+      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "emoji-regex": "^8.0.0",
+        "is-fullwidth-code-point": "^3.0.0",
+        "strip-ansi": "^6.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/wrap-ansi-cjs/node_modules/strip-ansi": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "ansi-regex": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/wrap-ansi/node_modules/ansi-styles": {
       "version": "6.2.3",
       "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-6.2.3.tgz",
@@ -3708,6 +5783,41 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/wrappy": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/wrappy/-/wrappy-1.0.2.tgz",
+      "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==",
+      "dev": true,
+      "license": "ISC",
+      "optional": true
+    },
+    "node_modules/xmlbuilder2": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/xmlbuilder2/-/xmlbuilder2-4.0.3.tgz",
+      "integrity": "sha512-bx8Q1STctnNaaDymWnkfQLKofs0mGNN7rLLapJlGuV3VlvegD7Ls4ggMjE3aUSWItCCzU0PEv45lI87iSigiCA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@oozcitak/dom": "^2.0.2",
+        "@oozcitak/infra": "^2.0.2",
+        "@oozcitak/util": "^10.0.0",
+        "js-yaml": "^4.1.1"
+      },
+      "engines": {
+        "node": ">=20.0"
+      }
+    },
+    "node_modules/yallist": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/yallist/-/yallist-5.0.0.tgz",
+      "integrity": "sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "optional": true,
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/yaml": {
       "version": "2.8.2",
       "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.2.tgz",
diff --git a/package.json b/package.json
index 6f84897..dc74c3e 100644
--- a/package.json
+++ b/package.json
@@ -65,6 +65,8 @@
     "audit:all": "npm audit --audit-level=high",
     "audit:dev:allowlist": "node scripts/audit-dev-allowlist.js",
     "audit:ci": "npm run audit:prod && npm run audit:dev:allowlist",
+    "license:check": "node scripts/license-policy-check.js",
+    "sbom": "cyclonedx-npm --output-file sbom.cdx.json --omit dev",
     "prepublishOnly": "npm run build",
     "prepare": "husky"
   },
@@ -102,6 +104,7 @@
   "devDependencies": {
     "@fast-check/vitest": "^0.2.4",
     "@codex-ai/sdk": "file:vendor/codex-ai-sdk",
+    "@cyclonedx/cyclonedx-npm": "4.2.0",
     "@types/node": "^25.3.0",
     "@typescript-eslint/eslint-plugin": "^8.56.0",
     "@typescript-eslint/parser": "^8.56.0",
diff --git a/scripts/license-policy-check.js b/scripts/license-policy-check.js
new file mode 100644
index 0000000..e2f0f56
--- /dev/null
+++ b/scripts/license-policy-check.js
@@ -0,0 +1,104 @@
+#!/usr/bin/env node
+
+import { readFileSync } from "node:fs";
+import { resolve } from "node:path";
+
+const lockPath = resolve(process.cwd(), "package-lock.json");
+const denyList = (process.env.CODEX_LICENSE_DENYLIST ?? "GPL-2.0,GPL-3.0,AGPL-3.0")
+	.split(",")
+	.map((value) => value.trim().toUpperCase())
+	.filter((value) => value.length > 0);
+const failOnUnknown = process.env.CODEX_LICENSE_FAIL_ON_UNKNOWN === "1";
+
+const packageLock = JSON.parse(readFileSync(lockPath, "utf8"));
+const packages = packageLock.packages ?? {};
+
+const violations = [];
+const unknown = [];
+
+function normalizeLicenseValue(value) {
+	if (typeof value === "string") {
+		return value;
+	}
+	if (value && typeof value === "object" && typeof value.type === "string") {
+		return value.type;
+	}
+	return "";
+}
+
+function extractRawLicense(record) {
+	const direct = normalizeLicenseValue(record.license);
+	if (direct) return direct;
+
+	if (typeof record.licenses === "string") {
+		return record.licenses;
+	}
+	if (Array.isArray(record.licenses)) {
+		const values = record.licenses
+			.map((entry) => normalizeLicenseValue(entry))
+			.filter((entry) => entry.length > 0);
+		if (values.length > 0) {
+			return values.join(" OR ");
+		}
+	}
+
+	return "";
+}
+
+function extractLicenseTokens(rawLicense) {
+	return rawLicense
+		.toUpperCase()
+		.split(/[^A-Z0-9.-]+/g)
+		.map((token) => token.trim())
+		.filter(
+			(token) =>
+				token.length > 0 &&
+				token !== "AND" &&
+				token !== "OR" &&
+				token !== "WITH",
+		);
+}
+
+for (const [packagePath, metadata] of Object.entries(packages)) {
+	if (!metadata || typeof metadata !== "object") continue;
+	if (packagePath === "") continue;
+	const record = metadata;
+	const name = typeof record.name === "string" ? record.name : packagePath;
+	const version = typeof record.version === "string" ? record.version : "0.0.0";
+	const rawLicense = extractRawLicense(record);
+	const normalized = rawLicense.trim().toUpperCase();
+	if (!normalized) {
+		unknown.push(`${name}@${version}`);
+		continue;
+	}
+	const licenseTokens = new Set(extractLicenseTokens(normalized));
+	for (const denied of denyList) {
+		if (licenseTokens.has(denied)) {
+			violations.push(`${name}@${version} (${rawLicense})`);
+			break;
+		}
+	}
+}
+
+if (violations.length > 0) {
+	console.error("License policy violations detected:");
+	for (const entry of violations) {
+		console.error(`- ${entry}`);
+	}
+	process.exit(1);
+}
+
+if (unknown.length > 0) {
+	console.warn(`Packages with unknown license: ${unknown.length}`);
+	for (const entry of unknown.slice(0, 20)) {
+		console.warn(`- ${entry}`);
+	}
+	if (unknown.length > 20) {
+		console.warn(`- ...and ${unknown.length - 20} more`);
+	}
+	if (failOnUnknown) {
+		process.exit(1);
+	}
+}
+
+console.log("License policy check passed.");
diff --git a/test/accounts.test.ts b/test/accounts.test.ts
index 8328909..e7ae3db 100644
--- a/test/accounts.test.ts
+++ b/test/accounts.test.ts
@@ -1168,6 +1168,69 @@ describe("AccountManager", () => {
 
       expect(mockSaveAccounts).toHaveBeenCalledTimes(2);
     });
+
+    it("still schedules a new save after previous pending save rejects", async () => {
+      const { saveAccounts } = await import("../lib/storage.js");
+      const mockSaveAccounts = vi.mocked(saveAccounts);
+      mockSaveAccounts.mockClear();
+      mockSaveAccounts.mockResolvedValue(undefined);
+
+      const now = Date.now();
+      const stored = {
+        version: 3 as const,
+        activeIndex: 0,
+        accounts: [{ refreshToken: "token-1", addedAt: now, lastUsed: now }],
+      };
+
+      const manager = new AccountManager(undefined, stored);
+      const rejectedPending = Promise.reject(new Error("first-save-failed"));
+      Object.defineProperty(manager, "pendingSave", {
+        value: rejectedPending,
+        writable: true,
+        configurable: true,
+      });
+      await rejectedPending.catch(() => undefined);
+
+      manager.saveToDiskDebounced(50);
+      await vi.advanceTimersByTimeAsync(80);
+      await manager.flushPendingSave();
+
+      expect(mockSaveAccounts).toHaveBeenCalledTimes(1);
+    });
+
+    it("retries transient EBUSY save failures in debounced persistence", async () => {
+      const { saveAccounts } = await import("../lib/storage.js");
+      const mockSaveAccounts = vi.mocked(saveAccounts);
+      mockSaveAccounts.mockClear();
+
+      let attempts = 0;
+      mockSaveAccounts.mockImplementation(async () => {
+        attempts += 1;
+        if (attempts < 3) {
+          const error = Object.assign(new Error("EBUSY"), {
+            code: "EBUSY",
+          }) as NodeJS.ErrnoException;
+          throw error;
+        }
+      });
+
+      const now = Date.now();
+      const stored = {
+        version: 3 as const,
+        activeIndex: 0,
+        accounts: [{ refreshToken: "token-1", addedAt: now, lastUsed: now }],
+      };
+
+      const manager = new AccountManager(undefined, stored);
+      manager.saveToDiskDebounced(50);
+
+      await vi.advanceTimersByTimeAsync(60);
+      await vi.runAllTimersAsync();
+      await manager.flushPendingSave();
+
+      expect(mockSaveAccounts).toHaveBeenCalledTimes(3);
+      expect(attempts).toBe(3);
+    });
   });
 
   describe("constructor edge cases", () => {
diff --git a/test/audit.test.ts b/test/audit.test.ts
index b040381..4c5c616 100644
--- a/test/audit.test.ts
+++ b/test/audit.test.ts
@@ -251,6 +251,7 @@ describe("Audit logging", () => {
 		it("should have all expected actions", () => {
 			expect(AuditAction.ACCOUNT_ADD).toBe("account.add");
 			expect(AuditAction.AUTH_LOGIN).toBe("auth.login");
+			expect(AuditAction.AUTH_BREAK_GLASS).toBe("auth.break_glass");
 			expect(AuditAction.CONFIG_LOAD).toBe("config.load");
 			expect(AuditAction.REQUEST_START).toBe("request.start");
 			expect(AuditAction.CIRCUIT_OPEN).toBe("circuit.open");
diff --git a/test/authorization.test.ts b/test/authorization.test.ts
new file mode 100644
index 0000000..f00d03f
--- /dev/null
+++ b/test/authorization.test.ts
@@ -0,0 +1,235 @@
+import { promises as fs } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { describe, expect, it } from "vitest";
+import { AuditAction, configureAudit, getAuditConfig } from "../lib/audit.js";
+import { authorizeAction, getAuthorizationRole } from "../lib/authorization.js";
+
+const RETRYABLE_REMOVE_CODES = new Set(["EBUSY", "EPERM", "ENOTEMPTY"]);
+const AUTH_ENV_KEYS = [
+	"CODEX_AUTH_ROLE",
+	"CODEX_AUTH_BREAK_GLASS",
+	"CODEX_AUTH_ABAC_READ_ONLY",
+	"CODEX_AUTH_ABAC_DENY_ACTIONS",
+	"CODEX_AUTH_ABAC_DENY_COMMANDS",
+	"CODEX_AUTH_ABAC_REQUIRE_INTERACTIVE",
+	"CODEX_AUTH_ABAC_REQUIRE_IDEMPOTENCY_KEY",
+] as const;
+
+function captureAuthEnv(): Record<(typeof AUTH_ENV_KEYS)[number], string | undefined> {
+	const snapshot = {} as Record<(typeof AUTH_ENV_KEYS)[number], string | undefined>;
+	for (const key of AUTH_ENV_KEYS) {
+		snapshot[key] = process.env[key];
+	}
+	return snapshot;
+}
+
+function restoreAuthEnv(snapshot: Record<(typeof AUTH_ENV_KEYS)[number], string | undefined>): void {
+	for (const key of AUTH_ENV_KEYS) {
+		const previous = snapshot[key];
+		if (previous === undefined) {
+			delete process.env[key];
+		} else {
+			process.env[key] = previous;
+		}
+	}
+}
+
+async function removeWithRetry(
+	targetPath: string,
+	options: { recursive?: boolean; force?: boolean },
+): Promise<void> {
+	for (let attempt = 0; attempt < 6; attempt += 1) {
+		try {
+			await fs.rm(targetPath, options);
+			return;
+		} catch (error) {
+			const code = (error as NodeJS.ErrnoException).code;
+			if (code === "ENOENT") return;
+			if (!code || !RETRYABLE_REMOVE_CODES.has(code) || attempt === 5) {
+				throw error;
+			}
+			await new Promise((resolve) => setTimeout(resolve, 25 * 2 ** attempt));
+		}
+	}
+}
+
+describe("authorization", () => {
+	it("defaults to admin role", () => {
+		const previous = captureAuthEnv();
+		try {
+			for (const key of AUTH_ENV_KEYS) {
+				delete process.env[key];
+			}
+			expect(getAuthorizationRole()).toBe("admin");
+			expect(authorizeAction("secrets:rotate").allowed).toBe(true);
+		} finally {
+			restoreAuthEnv(previous);
+		}
+	});
+
+	it("denies write actions for viewer role", () => {
+		const previous = captureAuthEnv();
+		try {
+			for (const key of AUTH_ENV_KEYS) {
+				delete process.env[key];
+			}
+			process.env.CODEX_AUTH_ROLE = "viewer";
+			const auth = authorizeAction("accounts:write");
+			expect(auth.allowed).toBe(false);
+			expect(auth.role).toBe("viewer");
+			expect(auth.reason).toContain("accounts:write");
+		} finally {
+			restoreAuthEnv(previous);
+		}
+	});
+
+	it("fails closed to viewer for invalid CODEX_AUTH_ROLE values", () => {
+		const previousRole = process.env.CODEX_AUTH_ROLE;
+		try {
+			process.env.CODEX_AUTH_ROLE = "super-admin-typo";
+			expect(getAuthorizationRole()).toBe("viewer");
+			const auth = authorizeAction("secrets:rotate");
+			expect(auth.allowed).toBe(false);
+			expect(auth.role).toBe("viewer");
+		} finally {
+			if (previousRole === undefined) {
+				delete process.env.CODEX_AUTH_ROLE;
+			} else {
+				process.env.CODEX_AUTH_ROLE = previousRole;
+			}
+		}
+	});
+
+	it("allows all actions when break-glass is enabled and audits the bypass", async () => {
+		const previous = captureAuthEnv();
+		const previousAuditConfig = getAuditConfig();
+		const auditDir = await fs.mkdtemp(join(tmpdir(), "codex-auth-audit-"));
+		try {
+			configureAudit({
+				enabled: true,
+				logDir: auditDir,
+				maxFileSizeBytes: 1024 * 1024,
+				maxFiles: 2,
+			});
+			for (const key of AUTH_ENV_KEYS) {
+				delete process.env[key];
+			}
+			process.env.CODEX_AUTH_ROLE = "viewer";
+			process.env.CODEX_AUTH_BREAK_GLASS = "1";
+			const result = authorizeAction("secrets:rotate");
+			expect(result).toEqual({
+				allowed: true,
+				role: "viewer",
+			});
+
+			const logPath = join(auditDir, "audit.log");
+			const content = await fs.readFile(logPath, "utf8");
+			const entries = content
+				.trim()
+				.split("\n")
+				.map((line) => JSON.parse(line) as {
+					action?: string;
+					resource?: string;
+					metadata?: { role?: string; breakGlass?: boolean };
+				});
+			const breakGlassEntry = entries.find((entry) => entry.action === AuditAction.AUTH_BREAK_GLASS);
+			expect(breakGlassEntry).toBeDefined();
+			expect(breakGlassEntry?.resource).toBe("secrets:rotate");
+			expect(breakGlassEntry?.metadata?.role).toBe("viewer");
+			expect(breakGlassEntry?.metadata?.breakGlass).toBe(true);
+		} finally {
+			configureAudit(previousAuditConfig);
+			await removeWithRetry(auditDir, { recursive: true, force: true });
+			restoreAuthEnv(previous);
+		}
+	});
+
+	it("applies ABAC read-only mode to deny mutating actions", () => {
+		const previous = captureAuthEnv();
+		try {
+			process.env.CODEX_AUTH_ROLE = "admin";
+			process.env.CODEX_AUTH_ABAC_READ_ONLY = "1";
+			const denied = authorizeAction("accounts:write", {
+				command: "login",
+				interactive: true,
+			});
+			expect(denied.allowed).toBe(false);
+			expect(denied.reason).toContain("read-only");
+
+			const allowed = authorizeAction("accounts:read", {
+				command: "status",
+				interactive: false,
+			});
+			expect(allowed.allowed).toBe(true);
+		} finally {
+			restoreAuthEnv(previous);
+		}
+	});
+
+	it("applies ABAC denied actions and denied commands", () => {
+		const previous = captureAuthEnv();
+		try {
+			process.env.CODEX_AUTH_ROLE = "admin";
+			process.env.CODEX_AUTH_ABAC_DENY_ACTIONS = "secrets:rotate,accounts:repair";
+			process.env.CODEX_AUTH_ABAC_DENY_COMMANDS = "rotate-secrets,doctor";
+
+			const deniedByAction = authorizeAction("secrets:rotate", {
+				command: "rotate-secrets",
+				interactive: true,
+				idempotencyKeyPresent: true,
+			});
+			expect(deniedByAction.allowed).toBe(false);
+			expect(deniedByAction.reason).toContain("denies action");
+
+			process.env.CODEX_AUTH_ABAC_DENY_ACTIONS = "";
+			const deniedByCommand = authorizeAction("accounts:repair", {
+				command: "doctor",
+				interactive: true,
+			});
+			expect(deniedByCommand.allowed).toBe(false);
+			expect(deniedByCommand.reason).toContain("denies command");
+		} finally {
+			restoreAuthEnv(previous);
+		}
+	});
+
+	it("applies ABAC interactive and idempotency-key requirements", () => {
+		const previous = captureAuthEnv();
+		try {
+			process.env.CODEX_AUTH_ROLE = "admin";
+			process.env.CODEX_AUTH_ABAC_REQUIRE_INTERACTIVE = "accounts:write";
+			process.env.CODEX_AUTH_ABAC_REQUIRE_IDEMPOTENCY_KEY = "secrets:rotate";
+
+			const nonInteractiveDenied = authorizeAction("accounts:write", {
+				command: "login",
+				interactive: false,
+			});
+			expect(nonInteractiveDenied.allowed).toBe(false);
+			expect(nonInteractiveDenied.reason).toContain("interactive terminal");
+
+			const interactiveAllowed = authorizeAction("accounts:write", {
+				command: "login",
+				interactive: true,
+			});
+			expect(interactiveAllowed.allowed).toBe(true);
+
+			const missingIdempotencyDenied = authorizeAction("secrets:rotate", {
+				command: "rotate-secrets",
+				interactive: true,
+				idempotencyKeyPresent: false,
+			});
+			expect(missingIdempotencyDenied.allowed).toBe(false);
+			expect(missingIdempotencyDenied.reason).toContain("idempotency key");
+
+			const idempotencyAllowed = authorizeAction("secrets:rotate", {
+				command: "rotate-secrets",
+				interactive: true,
+				idempotencyKeyPresent: true,
+			});
+			expect(idempotencyAllowed.allowed).toBe(true);
+		} finally {
+			restoreAuthEnv(previous);
+		}
+	});
+});
diff --git a/test/background-jobs.test.ts b/test/background-jobs.test.ts
new file mode 100644
index 0000000..8eec048
--- /dev/null
+++ b/test/background-jobs.test.ts
@@ -0,0 +1,201 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { promises as fs } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+
+const RETRYABLE_REMOVE_CODES = new Set(["EBUSY", "EPERM", "ENOTEMPTY"]);
+
+async function removeWithRetry(
+	targetPath: string,
+	options: { recursive?: boolean; force?: boolean },
+): Promise<void> {
+	for (let attempt = 0; attempt < 6; attempt += 1) {
+		try {
+			await fs.rm(targetPath, options);
+			return;
+		} catch (error) {
+			const code = (error as NodeJS.ErrnoException).code;
+			if (code === "ENOENT") return;
+			if (!code || !RETRYABLE_REMOVE_CODES.has(code) || attempt === 5) {
+				throw error;
+			}
+			await new Promise((resolve) => setTimeout(resolve, 25 * 2 ** attempt));
+		}
+	}
+}
+
+describe("background jobs", () => {
+	let tempDir: string;
+	let originalDir: string | undefined;
+
+	beforeEach(async () => {
+		originalDir = process.env.CODEX_MULTI_AUTH_DIR;
+		tempDir = await fs.mkdtemp(join(tmpdir(), "codex-bg-jobs-"));
+		process.env.CODEX_MULTI_AUTH_DIR = tempDir;
+		vi.resetModules();
+	});
+
+	afterEach(async () => {
+		if (originalDir === undefined) {
+			delete process.env.CODEX_MULTI_AUTH_DIR;
+		} else {
+			process.env.CODEX_MULTI_AUTH_DIR = originalDir;
+		}
+		await removeWithRetry(tempDir, { recursive: true, force: true });
+	});
+
+	it("retries and succeeds before exhausting attempts", async () => {
+		const { runBackgroundJobWithRetry, getBackgroundJobDlqPath } =
+			await import("../lib/background-jobs.js");
+		let attempts = 0;
+		const result = await runBackgroundJobWithRetry({
+			name: "test.retry-success",
+			task: async () => {
+				attempts += 1;
+				if (attempts < 3) {
+					const error = new Error("busy") as NodeJS.ErrnoException;
+					error.code = "EBUSY";
+					throw error;
+				}
+				return "ok";
+			},
+			maxAttempts: 4,
+			baseDelayMs: 1,
+			maxDelayMs: 2,
+		});
+
+		expect(result).toBe("ok");
+		expect(attempts).toBe(3);
+		await expect(fs.stat(getBackgroundJobDlqPath())).rejects.toMatchObject({ code: "ENOENT" });
+	});
+
+	it("retries and succeeds on transient 429 rate-limit failures", async () => {
+		const { runBackgroundJobWithRetry, getBackgroundJobDlqPath } =
+			await import("../lib/background-jobs.js");
+		let attempts = 0;
+		const result = await runBackgroundJobWithRetry({
+			name: "test.retry-429-success",
+			task: async () => {
+				attempts += 1;
+				if (attempts < 3) {
+					const error = Object.assign(new Error("rate limited"), { status: 429 });
+					throw error;
+				}
+				return "ok";
+			},
+			maxAttempts: 4,
+			baseDelayMs: 1,
+			maxDelayMs: 2,
+		});
+
+		expect(result).toBe("ok");
+		expect(attempts).toBe(3);
+		await expect(fs.stat(getBackgroundJobDlqPath())).rejects.toMatchObject({ code: "ENOENT" });
+	});
+
+	it("writes a redacted dead-letter entry after retry exhaustion", async () => {
+		const { runBackgroundJobWithRetry, getBackgroundJobDlqPath } =
+			await import("../lib/background-jobs.js");
+		await expect(
+			runBackgroundJobWithRetry({
+				name: "test.retry-fail",
+				task: async () => {
+					const error = new Error("still locked") as NodeJS.ErrnoException;
+					error.code = "EPERM";
+					throw error;
+				},
+				context: {
+					email: "person@example.com",
+					accessToken: "sensitive-token",
+					note: "keep-visible",
+				},
+				maxAttempts: 2,
+				baseDelayMs: 1,
+				maxDelayMs: 2,
+			}),
+		).rejects.toThrow("still locked");
+
+		const dlqContent = await fs.readFile(getBackgroundJobDlqPath(), "utf8");
+		const lines = dlqContent.trim().split("\n");
+		expect(lines).toHaveLength(1);
+		const entry = JSON.parse(lines[0] ?? "{}") as {
+			job: string;
+			attempts: number;
+			context?: Record<string, unknown>;
+		};
+		expect(entry.job).toBe("test.retry-fail");
+		expect(entry.attempts).toBe(2);
+		expect(entry.context).toEqual({
+			email: "***REDACTED***",
+			accessToken: "***REDACTED***",
+			note: "keep-visible",
+		});
+	});
+
+	it("writes dead-letter after exhausting retries on 429 errors", async () => {
+		const { runBackgroundJobWithRetry, getBackgroundJobDlqPath } =
+			await import("../lib/background-jobs.js");
+		let attempts = 0;
+		await expect(
+			runBackgroundJobWithRetry({
+				name: "test.retry-429-fail",
+				task: async () => {
+					attempts += 1;
+					const error = Object.assign(new Error("rate limited"), { statusCode: 429 });
+					throw error;
+				},
+				maxAttempts: 3,
+				baseDelayMs: 1,
+				maxDelayMs: 2,
+			}),
+		).rejects.toThrow("rate limited");
+		expect(attempts).toBe(3);
+
+		const content = await fs.readFile(getBackgroundJobDlqPath(), "utf8");
+		const lines = content.trim().split("\n");
+		expect(lines).toHaveLength(1);
+		const entry = JSON.parse(lines[0] ?? "{}") as { job?: string; attempts?: number };
+		expect(entry.job).toBe("test.retry-429-fail");
+		expect(entry.attempts).toBe(3);
+	});
+
+	it("redacts sensitive error text in dead-letter entries and warning logs", async () => {
+		vi.resetModules();
+		const warnMock = vi.fn();
+		vi.doMock("../lib/logger.js", () => ({
+			logWarn: warnMock,
+		}));
+		try {
+			const { runBackgroundJobWithRetry, getBackgroundJobDlqPath } =
+				await import("../lib/background-jobs.js");
+			await expect(
+				runBackgroundJobWithRetry({
+					name: "test.retry-sensitive-error",
+					task: async () => {
+						throw new Error(
+							"network failed for person@example.com Bearer sk_test_123 refresh_token=rt_456",
+						);
+					},
+					maxAttempts: 1,
+				}),
+			).rejects.toThrow("person@example.com");
+
+			const content = await fs.readFile(getBackgroundJobDlqPath(), "utf8");
+			const lines = content.trim().split("\n");
+			expect(lines).toHaveLength(1);
+			const entry = JSON.parse(lines[0] ?? "{}") as { error?: string };
+			expect(entry.error).toContain("***REDACTED***");
+			expect(entry.error).not.toContain("person@example.com");
+			expect(entry.error).not.toContain("sk_test_123");
+			expect(entry.error).not.toContain("rt_456");
+
+			const warningPayloads = warnMock.mock.calls.map((args) => args[1]);
+			const serializedWarnings = JSON.stringify(warningPayloads);
+			expect(serializedWarnings).not.toContain("person@example.com");
+			expect(serializedWarnings).not.toContain("sk_test_123");
+			expect(serializedWarnings).not.toContain("rt_456");
+		} finally {
+			vi.doUnmock("../lib/logger.js");
+		}
+	});
+});
diff --git a/test/codex-manager-cli.test.ts b/test/codex-manager-cli.test.ts
index 27261cd..0809f56 100644
--- a/test/codex-manager-cli.test.ts
+++ b/test/codex-manager-cli.test.ts
@@ -18,6 +18,10 @@ const saveQuotaCacheMock = vi.fn();
 const loadPluginConfigMock = vi.fn();
 const savePluginConfigMock = vi.fn();
 const selectMock = vi.fn();
+const rotateStoredSecretEncryptionMock = vi.fn();
+const checkAndRecordIdempotencyKeyMock = vi.fn();
+const markIdempotencySucceededMock = vi.fn();
+const clearIdempotencyOnFailureMock = vi.fn();
 
 vi.mock("../lib/logger.js", () => ({
 	createLogger: vi.fn(() => ({
@@ -80,6 +84,13 @@ vi.mock("../lib/storage.js", () => ({
 	saveFlaggedAccounts: saveFlaggedAccountsMock,
 	setStoragePath: setStoragePathMock,
 	getStoragePath: getStoragePathMock,
+	rotateStoredSecretEncryption: rotateStoredSecretEncryptionMock,
+}));
+
+vi.mock("../lib/idempotency.js", () => ({
+	checkAndRecordIdempotencyKey: checkAndRecordIdempotencyKeyMock,
+	markIdempotencySucceeded: markIdempotencySucceededMock,
+	clearIdempotencyOnFailure: clearIdempotencyOnFailureMock,
 }));
 
 vi.mock("../lib/refresh-queue.js", () => ({
@@ -198,6 +209,10 @@ describe("codex manager cli commands", () => {
 		loadPluginConfigMock.mockReset();
 		savePluginConfigMock.mockReset();
 		selectMock.mockReset();
+		rotateStoredSecretEncryptionMock.mockReset();
+		checkAndRecordIdempotencyKeyMock.mockReset();
+		markIdempotencySucceededMock.mockReset();
+		clearIdempotencyOnFailureMock.mockReset();
 		fetchCodexQuotaSnapshotMock.mockResolvedValue({
 			status: 200,
 			model: "gpt-5-codex",
@@ -227,6 +242,7 @@ describe("codex manager cli commands", () => {
 		loadPluginConfigMock.mockReturnValue({});
 		savePluginConfigMock.mockResolvedValue(undefined);
 		selectMock.mockResolvedValue(undefined);
+		checkAndRecordIdempotencyKeyMock.mockResolvedValue({ replayed: false });
 		restoreTTYDescriptors();
 		setStoragePathMock.mockReset();
 		getStoragePathMock.mockReturnValue("/mock/openai-codex-accounts.json");
@@ -2001,4 +2017,271 @@ describe("codex manager cli commands", () => {
 		expect(saveDashboardDisplaySettingsMock).not.toHaveBeenCalled();
 		expect(savePluginConfigMock).not.toHaveBeenCalled();
 	});
+
+	it("supports paginated json output for list command", async () => {
+		const now = Date.now();
+		loadAccountsMock.mockResolvedValue({
+			version: 3,
+			activeIndex: 0,
+			activeIndexByFamily: { codex: 0 },
+			accounts: [
+				{
+					email: "one@example.com",
+					accountId: "acc_one",
+					refreshToken: "refresh-one",
+					addedAt: now - 2_000,
+					lastUsed: now - 2_000,
+					enabled: true,
+				},
+				{
+					email: "two@example.com",
+					accountId: "acc_two",
+					refreshToken: "refresh-two",
+					addedAt: now - 1_000,
+					lastUsed: now - 1_000,
+					enabled: true,
+				},
+			],
+		});
+
+		const logSpy = vi.spyOn(console, "log").mockImplementation(() => {});
+		try {
+			const { runCodexMultiAuthCli } = await import("../lib/codex-manager.js");
+			const firstExitCode = await runCodexMultiAuthCli([
+				"auth",
+				"list",
+				"--json",
+				"--page-size",
+				"1",
+			]);
+			expect(firstExitCode).toBe(0);
+			const firstPayload = JSON.parse(String(logSpy.mock.calls[0]?.[0])) as {
+				schemaVersion: number;
+				accounts: Array<{ email: string }>;
+				pagination: {
+					cursor: string | null;
+					nextCursor: string | null;
+					hasMore: boolean;
+					pageSize: number;
+				};
+			};
+			expect(typeof firstPayload.schemaVersion).toBe("number");
+			expect(firstPayload.pagination.cursor).toBeNull();
+			expect(firstPayload.pagination.pageSize).toBe(1);
+			expect(firstPayload.accounts).toHaveLength(1);
+			expect(firstPayload.accounts[0]?.email).toBe("one@example.com");
+			expect(firstPayload.pagination.hasMore).toBe(true);
+			expect(firstPayload.pagination.nextCursor).toBeTruthy();
+
+			logSpy.mockClear();
+			const secondExitCode = await runCodexMultiAuthCli([
+				"auth",
+				"list",
+				"--json",
+				"--page-size",
+				"1",
+				"--cursor",
+				String(firstPayload.pagination.nextCursor),
+			]);
+			expect(secondExitCode).toBe(0);
+			const secondPayload = JSON.parse(String(logSpy.mock.calls[0]?.[0])) as {
+				schemaVersion: number;
+				accounts: Array<{ email: string }>;
+				pagination: {
+					cursor: string | null;
+					nextCursor: string | null;
+					hasMore: boolean;
+					pageSize: number;
+				};
+			};
+			expect(typeof secondPayload.schemaVersion).toBe("number");
+			expect(secondPayload.pagination.cursor).toBe(String(firstPayload.pagination.nextCursor));
+			expect(secondPayload.pagination.pageSize).toBe(1);
+			expect(secondPayload.accounts).toHaveLength(1);
+			expect(secondPayload.accounts[0]?.email).toBe("two@example.com");
+			expect(secondPayload.pagination.hasMore).toBe(false);
+			expect(secondPayload.pagination.nextCursor).toBeNull();
+		} finally {
+			logSpy.mockRestore();
+		}
+	});
+
+	it("rejects malformed pagination cursors in JSON list mode", async () => {
+		loadAccountsMock.mockResolvedValue({
+			version: 3,
+			activeIndex: 0,
+			activeIndexByFamily: {},
+			accounts: [
+				{
+					email: "one@example.com",
+					accountId: "acc_one",
+					refreshToken: "refresh-one",
+					addedAt: Date.now() - 2_000,
+					lastUsed: Date.now() - 2_000,
+					enabled: true,
+				},
+			],
+		});
+
+		const errorSpy = vi.spyOn(console, "error").mockImplementation(() => {});
+		try {
+			const { runCodexMultiAuthCli } = await import("../lib/codex-manager.js");
+			const malformedPayloadCursor = Buffer.from("12junk", "utf8").toString("base64");
+			const invalidPayloadExitCode = await runCodexMultiAuthCli([
+				"auth",
+				"list",
+				"--json",
+				"--cursor",
+				malformedPayloadCursor,
+			]);
+			expect(invalidPayloadExitCode).toBe(1);
+			expect(errorSpy).toHaveBeenCalledWith("Invalid --cursor value");
+
+			errorSpy.mockClear();
+			const invalidBase64ExitCode = await runCodexMultiAuthCli([
+				"auth",
+				"list",
+				"--json",
+				"--cursor",
+				"%%%invalid-base64%%%",
+			]);
+			expect(invalidBase64ExitCode).toBe(1);
+			expect(errorSpy).toHaveBeenCalledWith("Invalid --cursor value");
+		} finally {
+			errorSpy.mockRestore();
+		}
+	});
+
+	it("applies idempotency key for rotate-secrets automation retries", async () => {
+		checkAndRecordIdempotencyKeyMock
+			.mockResolvedValueOnce({ replayed: false })
+			.mockResolvedValueOnce({ replayed: true });
+		rotateStoredSecretEncryptionMock.mockResolvedValue({
+			accounts: 2,
+			flaggedAccounts: 1,
+		});
+
+		const logSpy = vi.spyOn(console, "log").mockImplementation(() => {});
+		try {
+			const { runCodexMultiAuthCli } = await import("../lib/codex-manager.js");
+			const firstExitCode = await runCodexMultiAuthCli([
+				"auth",
+				"rotate-secrets",
+				"--json",
+				"--idempotency-key",
+				"rotation-001",
+			]);
+			expect(firstExitCode).toBe(0);
+			const firstPayload = JSON.parse(String(logSpy.mock.calls[0]?.[0])) as {
+				rotated: boolean;
+				replayed: boolean;
+			};
+			expect(firstPayload.rotated).toBe(true);
+			expect(firstPayload.replayed).toBe(false);
+
+			logSpy.mockClear();
+			const secondExitCode = await runCodexMultiAuthCli([
+				"auth",
+				"rotate-secrets",
+				"--json",
+				"--idempotency-key=rotation-001",
+			]);
+			expect(secondExitCode).toBe(0);
+			const secondPayload = JSON.parse(String(logSpy.mock.calls[0]?.[0])) as {
+				rotated: boolean;
+				replayed: boolean;
+			};
+			expect(secondPayload.rotated).toBe(true);
+			expect(secondPayload.replayed).toBe(true);
+			expect(rotateStoredSecretEncryptionMock).toHaveBeenCalledTimes(1);
+			expect(markIdempotencySucceededMock).toHaveBeenCalledTimes(1);
+			expect(clearIdempotencyOnFailureMock).not.toHaveBeenCalled();
+		} finally {
+			logSpy.mockRestore();
+		}
+	});
+
+	it("clears pending idempotency key when rotate-secrets fails", async () => {
+		checkAndRecordIdempotencyKeyMock.mockResolvedValue({ replayed: false });
+		rotateStoredSecretEncryptionMock.mockRejectedValueOnce(new Error("user@example.com"));
+		const previousRedaction = process.env.CODEX_AUTH_REDACT_JSON_OUTPUT;
+		process.env.CODEX_AUTH_REDACT_JSON_OUTPUT = "1";
+
+		const logSpy = vi.spyOn(console, "log").mockImplementation(() => {});
+		try {
+			const { runCodexMultiAuthCli } = await import("../lib/codex-manager.js");
+			const exitCode = await runCodexMultiAuthCli([
+				"auth",
+				"rotate-secrets",
+				"--json",
+				"--idempotency-key",
+				"rotation-fail",
+			]);
+			expect(exitCode).toBe(1);
+			const payload = JSON.parse(String(logSpy.mock.calls[0]?.[0])) as { error: string };
+			expect(payload.error).not.toContain("user@example.com");
+			expect(markIdempotencySucceededMock).not.toHaveBeenCalled();
+			expect(clearIdempotencyOnFailureMock).toHaveBeenCalledWith(
+				"codex.auth.rotate-secrets",
+				"rotation-fail",
+			);
+		} finally {
+			logSpy.mockRestore();
+			if (previousRedaction === undefined) {
+				delete process.env.CODEX_AUTH_REDACT_JSON_OUTPUT;
+			} else {
+				process.env.CODEX_AUTH_REDACT_JSON_OUTPUT = previousRedaction;
+			}
+		}
+	});
+
+	it("enforces ABAC idempotency-key requirement for rotate-secrets", async () => {
+		const previousRole = process.env.CODEX_AUTH_ROLE;
+		const previousAbacRequirement = process.env.CODEX_AUTH_ABAC_REQUIRE_IDEMPOTENCY_KEY;
+		process.env.CODEX_AUTH_ROLE = "admin";
+		process.env.CODEX_AUTH_ABAC_REQUIRE_IDEMPOTENCY_KEY = "secrets:rotate";
+		rotateStoredSecretEncryptionMock.mockResolvedValue({
+			accounts: 1,
+			flaggedAccounts: 0,
+		});
+
+		const errorSpy = vi.spyOn(console, "error").mockImplementation(() => {});
+		try {
+			const { runCodexMultiAuthCli } = await import("../lib/codex-manager.js");
+			const deniedExitCode = await runCodexMultiAuthCli([
+				"auth",
+				"rotate-secrets",
+				"--json",
+			]);
+			expect(deniedExitCode).toBe(1);
+			expect(rotateStoredSecretEncryptionMock).not.toHaveBeenCalled();
+			expect(errorSpy).toHaveBeenCalledWith(
+				expect.stringContaining("idempotency key"),
+			);
+
+			errorSpy.mockClear();
+			const allowedExitCode = await runCodexMultiAuthCli([
+				"auth",
+				"rotate-secrets",
+				"--json",
+				"--idempotency-key",
+				"rotation-allowed",
+			]);
+			expect(allowedExitCode).toBe(0);
+			expect(rotateStoredSecretEncryptionMock).toHaveBeenCalledTimes(1);
+			expect(errorSpy).not.toHaveBeenCalled();
+		} finally {
+			errorSpy.mockRestore();
+			if (previousRole === undefined) {
+				delete process.env.CODEX_AUTH_ROLE;
+			} else {
+				process.env.CODEX_AUTH_ROLE = previousRole;
+			}
+			if (previousAbacRequirement === undefined) {
+				delete process.env.CODEX_AUTH_ABAC_REQUIRE_IDEMPOTENCY_KEY;
+			} else {
+				process.env.CODEX_AUTH_ABAC_REQUIRE_IDEMPOTENCY_KEY = previousAbacRequirement;
+			}
+		}
+	});
 });
diff --git a/test/data-redaction.test.ts b/test/data-redaction.test.ts
new file mode 100644
index 0000000..521769f
--- /dev/null
+++ b/test/data-redaction.test.ts
@@ -0,0 +1,74 @@
+import { describe, expect, it } from "vitest";
+import { redactForExternalOutput } from "../lib/data-redaction.js";
+
+describe("data redaction", () => {
+	it("redacts sensitive keys recursively", () => {
+		const value = {
+			email: "person@example.com",
+			profile: {
+				accessToken: "abc",
+				refresh_token: "def",
+				nested: [{ accountId: "acct_123" }],
+			},
+		};
+
+		const redacted = redactForExternalOutput(value);
+		expect(redacted).toEqual({
+			email: "***REDACTED***",
+			profile: {
+				accessToken: "***REDACTED***",
+				refresh_token: "***REDACTED***",
+				nested: [{ accountId: "***REDACTED***" }],
+			},
+		});
+	});
+
+	it("keeps non-sensitive fields unchanged", () => {
+		const value = {
+			command: "report",
+			schemaVersion: 1,
+			summary: { ok: 1, warn: 0, error: 0 },
+		};
+		expect(redactForExternalOutput(value)).toEqual(value);
+	});
+
+	it("handles null/undefined and mixed arrays safely", () => {
+		const value = {
+			email: "person@example.com",
+			mixed: [1, "two", null, { accountId: "acct-123" }],
+			nested: {
+				accessToken: "secret",
+				nullable: null as null | string,
+				optional: undefined as undefined | string,
+			},
+		};
+		expect(redactForExternalOutput(value)).toEqual({
+			email: "***REDACTED***",
+			mixed: [1, "two", null, { accountId: "***REDACTED***" }],
+			nested: {
+				accessToken: "***REDACTED***",
+				nullable: null,
+				optional: undefined,
+			},
+		});
+	});
+
+	it("handles circular references without throwing", () => {
+		const cyclic: { email: string; self?: unknown; nested: { accessToken: string; parent?: unknown } } = {
+			email: "loop@example.com",
+			nested: { accessToken: "tok" },
+		};
+		cyclic.self = cyclic;
+		cyclic.nested.parent = cyclic;
+
+		const redacted = redactForExternalOutput(cyclic) as {
+			email: string;
+			self: string;
+			nested: { accessToken: string; parent: string };
+		};
+		expect(redacted.email).toBe("***REDACTED***");
+		expect(redacted.nested.accessToken).toBe("***REDACTED***");
+		expect(redacted.self).toBe("[Circular]");
+		expect(redacted.nested.parent).toBe("[Circular]");
+	});
+});
diff --git a/test/data-retention.test.ts b/test/data-retention.test.ts
new file mode 100644
index 0000000..2ef7f49
--- /dev/null
+++ b/test/data-retention.test.ts
@@ -0,0 +1,230 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { promises as fs } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import type { RetentionPolicy } from "../lib/data-retention.js";
+
+const RETRYABLE_REMOVE_CODES = new Set(["EBUSY", "EPERM", "ENOTEMPTY"]);
+
+async function removeWithRetry(
+	targetPath: string,
+	options: { recursive?: boolean; force?: boolean },
+): Promise<void> {
+	for (let attempt = 0; attempt < 6; attempt += 1) {
+		try {
+			await fs.rm(targetPath, options);
+			return;
+		} catch (error) {
+			const code = (error as NodeJS.ErrnoException).code;
+			if (code === "ENOENT") return;
+			if (!code || !RETRYABLE_REMOVE_CODES.has(code) || attempt === 5) {
+				throw error;
+			}
+			await new Promise((resolve) => setTimeout(resolve, 25 * 2 ** attempt));
+		}
+	}
+}
+
+describe("data retention", () => {
+	let tempDir: string;
+	let originalDir: string | undefined;
+
+	beforeEach(async () => {
+		originalDir = process.env.CODEX_MULTI_AUTH_DIR;
+		tempDir = await fs.mkdtemp(join(tmpdir(), "codex-retention-"));
+		process.env.CODEX_MULTI_AUTH_DIR = tempDir;
+		vi.resetModules();
+	});
+
+	afterEach(async () => {
+		if (originalDir === undefined) {
+			delete process.env.CODEX_MULTI_AUTH_DIR;
+		} else {
+			process.env.CODEX_MULTI_AUTH_DIR = originalDir;
+		}
+		await removeWithRetry(tempDir, { recursive: true, force: true });
+	});
+
+	it("prunes stale log/cache/state files", async () => {
+		const { enforceDataRetention } = await import("../lib/data-retention.js");
+		const oldDate = new Date(Date.now() - 3 * 24 * 60 * 60_000);
+
+		const logsDir = join(tempDir, "logs");
+		const cacheDir = join(tempDir, "cache");
+		const nestedLogDir = join(logsDir, "nested");
+		await fs.mkdir(nestedLogDir, { recursive: true });
+		await fs.mkdir(cacheDir, { recursive: true });
+
+		const oldLog = join(nestedLogDir, "old.log");
+		const freshLog = join(logsDir, "fresh.log");
+		const oldCache = join(cacheDir, "old.cache");
+		const freshCache = join(cacheDir, "fresh.cache");
+		const flagged = join(tempDir, "openai-codex-flagged-accounts.json");
+		const quota = join(tempDir, "quota-cache.json");
+		const dlq = join(tempDir, "background-job-dlq.jsonl");
+
+		await fs.writeFile(oldLog, "old", "utf8");
+		await fs.writeFile(freshLog, "fresh", "utf8");
+		await fs.writeFile(oldCache, "old", "utf8");
+		await fs.writeFile(freshCache, "fresh", "utf8");
+		await fs.writeFile(flagged, "{}", "utf8");
+		await fs.writeFile(quota, "{}", "utf8");
+		await fs.writeFile(dlq, "{}", "utf8");
+
+		await fs.utimes(oldLog, oldDate, oldDate);
+		await fs.utimes(oldCache, oldDate, oldDate);
+		await fs.utimes(flagged, oldDate, oldDate);
+		await fs.utimes(quota, oldDate, oldDate);
+		await fs.utimes(dlq, oldDate, oldDate);
+
+		const policy: RetentionPolicy = {
+			logDays: 1,
+			cacheDays: 1,
+			flaggedDays: 1,
+			quotaCacheDays: 1,
+			dlqDays: 1,
+		};
+		const result = await enforceDataRetention(policy);
+
+		expect(result.removedLogs).toBeGreaterThanOrEqual(1);
+		expect(result.removedCacheFiles).toBeGreaterThanOrEqual(1);
+		expect(result.removedStateFiles).toBe(3);
+		await expect(fs.stat(oldLog)).rejects.toMatchObject({ code: "ENOENT" });
+		await expect(fs.stat(oldCache)).rejects.toMatchObject({ code: "ENOENT" });
+		await expect(fs.stat(flagged)).rejects.toMatchObject({ code: "ENOENT" });
+		await expect(fs.stat(quota)).rejects.toMatchObject({ code: "ENOENT" });
+		await expect(fs.stat(dlq)).rejects.toMatchObject({ code: "ENOENT" });
+		expect(await fs.readFile(freshLog, "utf8")).toBe("fresh");
+		expect(await fs.readFile(freshCache, "utf8")).toBe("fresh");
+	});
+
+	it("retries transient EBUSY when pruning single state files", async () => {
+		const { enforceDataRetention } = await import("../lib/data-retention.js");
+		const oldDate = new Date(Date.now() - 3 * 24 * 60 * 60_000);
+		const flagged = join(tempDir, "openai-codex-flagged-accounts.json");
+		await fs.writeFile(flagged, "{}", "utf8");
+		await fs.utimes(flagged, oldDate, oldDate);
+
+		const realUnlink = fs.unlink.bind(fs);
+		const unlinkSpy = vi.spyOn(fs, "unlink");
+		let attempts = 0;
+		unlinkSpy.mockImplementation(async (path) => {
+			if (String(path) === flagged) {
+				attempts += 1;
+				if (attempts < 3) {
+					const error = new Error("busy") as NodeJS.ErrnoException;
+					error.code = "EBUSY";
+					throw error;
+				}
+			}
+			return realUnlink(path);
+		});
+
+		try {
+			const result = await enforceDataRetention({
+				logDays: 1,
+				cacheDays: 1,
+				flaggedDays: 1,
+				quotaCacheDays: 1,
+				dlqDays: 1,
+			});
+			expect(result.removedStateFiles).toBe(1);
+			expect(attempts).toBe(3);
+			await expect(fs.stat(flagged)).rejects.toMatchObject({ code: "ENOENT" });
+		} finally {
+			unlinkSpy.mockRestore();
+		}
+	});
+
+	it("surfaces non-ENOENT prune errors", async () => {
+		const { enforceDataRetention } = await import("../lib/data-retention.js");
+		const logsDir = join(tempDir, "logs");
+		await fs.mkdir(logsDir, { recursive: true });
+		const staleLog = join(logsDir, "stale.log");
+		const oldDate = new Date(Date.now() - 3 * 24 * 60 * 60_000);
+		await fs.writeFile(staleLog, "old", "utf8");
+		await fs.utimes(staleLog, oldDate, oldDate);
+
+		const statSpy = vi.spyOn(fs, "stat");
+		const realStat = fs.stat.bind(fs);
+		statSpy.mockImplementation(async (path) => {
+			if (String(path) === staleLog) {
+				const error = new Error("denied") as NodeJS.ErrnoException;
+				error.code = "EACCES";
+				throw error;
+			}
+			return realStat(path);
+		});
+
+		try {
+			await expect(
+				enforceDataRetention({
+					logDays: 1,
+					cacheDays: 1,
+					flaggedDays: 1,
+					quotaCacheDays: 1,
+					dlqDays: 1,
+				}),
+			).rejects.toMatchObject({ code: "EACCES" });
+		} finally {
+			statSpy.mockRestore();
+		}
+	});
+
+	it("retries transient EBUSY during directory entry retention pruning", async () => {
+		const { enforceDataRetention } = await import("../lib/data-retention.js");
+		const oldDate = new Date(Date.now() - 3 * 24 * 60 * 60_000);
+		const logsDir = join(tempDir, "logs");
+		const nestedDir = join(logsDir, "nested");
+		const staleLog = join(nestedDir, "stale.log");
+
+		await fs.mkdir(nestedDir, { recursive: true });
+		await fs.writeFile(staleLog, "old", "utf8");
+		await fs.utimes(staleLog, oldDate, oldDate);
+
+		const originalStat = fs.stat.bind(fs);
+		const statSpy = vi.spyOn(fs, "stat");
+		let statBusyInjected = false;
+		statSpy.mockImplementation(async (path, options) => {
+			if (!statBusyInjected && path === staleLog) {
+				statBusyInjected = true;
+				const error = new Error("busy") as NodeJS.ErrnoException;
+				error.code = "EBUSY";
+				throw error;
+			}
+			return originalStat(path, options as { bigint?: boolean });
+		});
+
+		const originalRmdir = fs.rmdir.bind(fs);
+		const rmdirSpy = vi.spyOn(fs, "rmdir");
+		let rmdirBusyInjected = false;
+		rmdirSpy.mockImplementation(async (path) => {
+			if (!rmdirBusyInjected && path === nestedDir) {
+				rmdirBusyInjected = true;
+				const error = new Error("busy") as NodeJS.ErrnoException;
+				error.code = "EBUSY";
+				throw error;
+			}
+			return originalRmdir(path);
+		});
+
+		try {
+			const policy: RetentionPolicy = {
+				logDays: 1,
+				cacheDays: 90,
+				flaggedDays: 90,
+				quotaCacheDays: 90,
+				dlqDays: 90,
+			};
+			const result = await enforceDataRetention(policy);
+			expect(result.removedLogs).toBe(1);
+			expect(statBusyInjected).toBe(true);
+			expect(rmdirBusyInjected).toBe(true);
+			await expect(fs.stat(staleLog)).rejects.toMatchObject({ code: "ENOENT" });
+			await expect(fs.stat(nestedDir)).rejects.toMatchObject({ code: "ENOENT" });
+		} finally {
+			statSpy.mockRestore();
+			rmdirSpy.mockRestore();
+		}
+	});
+});
diff --git a/test/file-lock-fd-leak.test.ts b/test/file-lock-fd-leak.test.ts
new file mode 100644
index 0000000..a195331
--- /dev/null
+++ b/test/file-lock-fd-leak.test.ts
@@ -0,0 +1,75 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+
+describe("file-lock descriptor safety", () => {
+	beforeEach(() => {
+		vi.resetModules();
+	});
+
+	afterEach(() => {
+		vi.doUnmock("node:fs");
+		vi.restoreAllMocks();
+	});
+
+	it("closes async file handles when metadata write fails", async () => {
+		const close = vi.fn(async () => {});
+		const writeFile = vi.fn(async () => {
+			throw new Error("disk full");
+		});
+		vi.doMock("node:fs", () => ({
+			promises: {
+				open: vi.fn(async () => ({ writeFile, close })),
+				stat: vi.fn(),
+				unlink: vi.fn(),
+				readFile: vi.fn(),
+			},
+			openSync: vi.fn(),
+			writeFileSync: vi.fn(),
+			closeSync: vi.fn(),
+			readFileSync: vi.fn(),
+			unlinkSync: vi.fn(),
+			statSync: vi.fn(),
+		}));
+
+		const { acquireFileLock } = await import("../lib/file-lock.js");
+		await expect(
+			acquireFileLock("/tmp/mock.lock", {
+				maxAttempts: 1,
+				baseDelayMs: 1,
+				maxDelayMs: 2,
+				staleAfterMs: 1_000,
+			}),
+		).rejects.toThrow("disk full");
+		expect(close).toHaveBeenCalledTimes(1);
+	});
+
+	it("closes sync file descriptors when metadata write fails", async () => {
+		const closeSync = vi.fn();
+		vi.doMock("node:fs", () => ({
+			promises: {
+				open: vi.fn(),
+				stat: vi.fn(),
+				unlink: vi.fn(),
+				readFile: vi.fn(),
+			},
+			openSync: vi.fn(() => 42),
+			writeFileSync: vi.fn(() => {
+				throw new Error("write failed");
+			}),
+			closeSync,
+			readFileSync: vi.fn(),
+			unlinkSync: vi.fn(),
+			statSync: vi.fn(),
+		}));
+
+		const { acquireFileLockSync } = await import("../lib/file-lock.js");
+		expect(() =>
+			acquireFileLockSync("/tmp/mock.lock", {
+				maxAttempts: 1,
+				baseDelayMs: 1,
+				maxDelayMs: 2,
+				staleAfterMs: 1_000,
+			}),
+		).toThrow("write failed");
+		expect(closeSync).toHaveBeenCalledTimes(1);
+	});
+});
diff --git a/test/file-lock.test.ts b/test/file-lock.test.ts
new file mode 100644
index 0000000..b44043c
--- /dev/null
+++ b/test/file-lock.test.ts
@@ -0,0 +1,206 @@
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { promises as fs } from "node:fs";
+import { spawn } from "node:child_process";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { pathToFileURL } from "node:url";
+import { acquireFileLock } from "../lib/file-lock.js";
+
+const RETRYABLE_REMOVE_CODES = new Set(["EBUSY", "EPERM", "ENOTEMPTY"]);
+
+async function removeWithRetry(
+	targetPath: string,
+	options: { recursive?: boolean; force?: boolean },
+): Promise<void> {
+	for (let attempt = 0; attempt < 6; attempt += 1) {
+		try {
+			await fs.rm(targetPath, options);
+			return;
+		} catch (error) {
+			const code = (error as NodeJS.ErrnoException).code;
+			if (code === "ENOENT") return;
+			if (!code || !RETRYABLE_REMOVE_CODES.has(code) || attempt === 5) {
+				throw error;
+			}
+			await new Promise((resolve) => setTimeout(resolve, 25 * 2 ** attempt));
+		}
+	}
+}
+
+describe("file lock", () => {
+	let tempDir: string;
+
+	beforeEach(async () => {
+		tempDir = await fs.mkdtemp(join(tmpdir(), "codex-file-lock-"));
+	});
+
+	afterEach(async () => {
+		await removeWithRetry(tempDir, { recursive: true, force: true });
+	});
+
+	it("blocks concurrent lock acquisition until released", async () => {
+		const lockPath = join(tempDir, "settings.lock");
+		const first = await acquireFileLock(lockPath, {
+			maxAttempts: 5,
+			baseDelayMs: 1,
+			maxDelayMs: 2,
+			staleAfterMs: 10_000,
+		});
+
+		await expect(
+			acquireFileLock(lockPath, {
+				maxAttempts: 2,
+				baseDelayMs: 1,
+				maxDelayMs: 2,
+				staleAfterMs: 10_000,
+			}),
+		).rejects.toMatchObject({ code: "EEXIST" });
+
+		await first.release();
+		const second = await acquireFileLock(lockPath, {
+			maxAttempts: 2,
+			baseDelayMs: 1,
+			maxDelayMs: 2,
+			staleAfterMs: 10_000,
+		});
+		await second.release();
+	});
+
+	it("evicts stale lock files", async () => {
+		const lockPath = join(tempDir, "quota.lock");
+		await fs.writeFile(lockPath, "stale", "utf8");
+		const staleDate = new Date(Date.now() - 60_000);
+		await fs.utimes(lockPath, staleDate, staleDate);
+
+		const lock = await acquireFileLock(lockPath, {
+			maxAttempts: 3,
+			baseDelayMs: 1,
+			maxDelayMs: 2,
+			staleAfterMs: 1_000,
+		});
+		await lock.release();
+	});
+
+	it("does not unlink a newer lock when a stale owner releases late", async () => {
+		const lockPath = join(tempDir, "late-release.lock");
+		const first = await acquireFileLock(lockPath, {
+			maxAttempts: 3,
+			baseDelayMs: 1,
+			maxDelayMs: 2,
+			staleAfterMs: 1_000,
+		});
+		const staleDate = new Date(Date.now() - 120_000);
+		await fs.utimes(lockPath, staleDate, staleDate);
+
+		const second = await acquireFileLock(lockPath, {
+			maxAttempts: 10,
+			baseDelayMs: 1,
+			maxDelayMs: 4,
+			staleAfterMs: 1_000,
+		});
+
+		await first.release();
+
+		await expect(
+			acquireFileLock(lockPath, {
+				maxAttempts: 2,
+				baseDelayMs: 1,
+				maxDelayMs: 2,
+				staleAfterMs: 10_000,
+			}),
+		).rejects.toMatchObject({ code: "EEXIST" });
+
+		await second.release();
+		const third = await acquireFileLock(lockPath, {
+			maxAttempts: 3,
+			baseDelayMs: 1,
+			maxDelayMs: 2,
+			staleAfterMs: 10_000,
+		});
+		await third.release();
+	});
+
+	it("serializes concurrent writes from multiple processes under contention", async () => {
+		const lockPath = join(tempDir, "contention.lock");
+		const sharedFilePath = join(tempDir, "shared.txt");
+		const workerScriptPath = join(tempDir, "lock-writer-worker.mjs");
+		const transpiledModulePath = join(tempDir, "file-lock-worker-module.mjs");
+		const ts = await import("typescript");
+		const sourcePath = join(process.cwd(), "lib", "file-lock.ts");
+		const source = await fs.readFile(sourcePath, "utf8");
+		const transpiled = ts.transpileModule(source, {
+			compilerOptions: {
+				module: ts.ModuleKind.ESNext,
+				target: ts.ScriptTarget.ES2022,
+			},
+		}).outputText;
+		await fs.writeFile(transpiledModulePath, transpiled, "utf8");
+		const moduleUrl = pathToFileURL(transpiledModulePath).href;
+		const workerCount = 6;
+		const iterationsPerWorker = 10;
+		await fs.writeFile(sharedFilePath, "", "utf8");
+		await fs.writeFile(
+			workerScriptPath,
+			`import { promises as fs } from "node:fs";
+const [moduleUrl, lockPath, sharedFilePath, workerId, iterationsRaw] = process.argv.slice(2);
+const iterations = Number(iterationsRaw);
+const { acquireFileLock } = await import(moduleUrl);
+for (let i = 0; i < iterations; i += 1) {
+  const lock = await acquireFileLock(lockPath, {
+    maxAttempts: 500,
+    baseDelayMs: 1,
+    maxDelayMs: 8,
+    staleAfterMs: 10_000,
+  });
+  try {
+    const existing = await fs.readFile(sharedFilePath, "utf8");
+    await new Promise((resolve) => setTimeout(resolve, 2));
+    await fs.writeFile(sharedFilePath, existing + workerId + ":" + i + "\\n", "utf8");
+  } finally {
+    await lock.release();
+  }
+}
+`,
+			"utf8",
+		);
+
+		const runWorker = (workerId: number): Promise<void> =>
+			new Promise((resolve, reject) => {
+				const child = spawn(
+					process.execPath,
+					[
+						workerScriptPath,
+						moduleUrl,
+						lockPath,
+						sharedFilePath,
+						String(workerId),
+						String(iterationsPerWorker),
+					],
+					{ stdio: ["ignore", "pipe", "pipe"] },
+				);
+				let stderr = "";
+				child.stderr.on("data", (chunk: Buffer) => {
+					stderr += chunk.toString("utf8");
+				});
+				child.on("error", reject);
+				child.on("exit", (code) => {
+					if (code === 0) {
+						resolve();
+						return;
+					}
+					reject(new Error(`worker ${workerId} exited with code ${code}: ${stderr}`));
+				});
+			});
+
+		await Promise.all(
+			Array.from({ length: workerCount }, (_, workerId) => runWorker(workerId)),
+		);
+
+		const lines = (await fs.readFile(sharedFilePath, "utf8"))
+			.trim()
+			.split("\n")
+			.filter((line) => line.length > 0);
+		expect(lines).toHaveLength(workerCount * iterationsPerWorker);
+		expect(new Set(lines).size).toBe(lines.length);
+	});
+});
diff --git a/test/idempotency.test.ts b/test/idempotency.test.ts
new file mode 100644
index 0000000..7624303
--- /dev/null
+++ b/test/idempotency.test.ts
@@ -0,0 +1,87 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { promises as fs } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+
+describe("idempotency store", () => {
+	let tempDir: string;
+	let originalDir: string | undefined;
+
+	beforeEach(async () => {
+		originalDir = process.env.CODEX_MULTI_AUTH_DIR;
+		tempDir = await fs.mkdtemp(join(tmpdir(), "codex-idempotency-"));
+		process.env.CODEX_MULTI_AUTH_DIR = tempDir;
+		vi.resetModules();
+	});
+
+	afterEach(async () => {
+		if (originalDir === undefined) {
+			delete process.env.CODEX_MULTI_AUTH_DIR;
+		} else {
+			process.env.CODEX_MULTI_AUTH_DIR = originalDir;
+		}
+		await fs.rm(tempDir, { recursive: true, force: true });
+	});
+
+	it("records first key use and replays duplicates", async () => {
+		const {
+			checkAndRecordIdempotencyKey,
+			markIdempotencySucceeded,
+			getIdempotencyStorePath,
+		} =
+			await import("../lib/idempotency.js");
+
+		expect(
+			await checkAndRecordIdempotencyKey("codex.auth.rotate-secrets", "key-1"),
+		).toEqual({ replayed: false });
+		await markIdempotencySucceeded("codex.auth.rotate-secrets", "key-1");
+		expect(
+			await checkAndRecordIdempotencyKey("codex.auth.rotate-secrets", "key-1"),
+		).toEqual({ replayed: true });
+
+		const content = await fs.readFile(getIdempotencyStorePath(), "utf8");
+		expect(content).toContain("codex.auth.rotate-secrets");
+	});
+
+	it("expires entries based on ttl", async () => {
+		const { checkAndRecordIdempotencyKey } = await import("../lib/idempotency.js");
+		expect(
+			await checkAndRecordIdempotencyKey("codex.auth.rotate-secrets", "key-2", 5),
+		).toEqual({ replayed: false });
+		await new Promise((resolve) => setTimeout(resolve, 10));
+		expect(
+			await checkAndRecordIdempotencyKey("codex.auth.rotate-secrets", "key-2", 5),
+		).toEqual({ replayed: false });
+	});
+
+	it("allows retry after a pending operation is cleared on failure", async () => {
+		const { checkAndRecordIdempotencyKey, clearIdempotencyOnFailure } =
+			await import("../lib/idempotency.js");
+
+		expect(
+			await checkAndRecordIdempotencyKey("codex.auth.rotate-secrets", "key-fail"),
+		).toEqual({ replayed: false });
+		expect(
+			await checkAndRecordIdempotencyKey("codex.auth.rotate-secrets", "key-fail"),
+		).toEqual({ replayed: true });
+
+		await clearIdempotencyOnFailure("codex.auth.rotate-secrets", "key-fail");
+
+		expect(
+			await checkAndRecordIdempotencyKey("codex.auth.rotate-secrets", "key-fail"),
+		).toEqual({ replayed: false });
+	});
+
+	it("ensures exactly one winner under concurrent duplicate-key races", async () => {
+		const { checkAndRecordIdempotencyKey } = await import("../lib/idempotency.js");
+		const results = await Promise.all(
+			Array.from({ length: 12 }, () =>
+				checkAndRecordIdempotencyKey("codex.auth.rotate-secrets", "key-concurrent"),
+			),
+		);
+		const replayedFalse = results.filter((entry) => entry.replayed === false).length;
+		const replayedTrue = results.filter((entry) => entry.replayed === true).length;
+		expect(replayedFalse).toBe(1);
+		expect(replayedTrue).toBe(11);
+	});
+});
diff --git a/test/index-retry.test.ts b/test/index-retry.test.ts
index 3813edc..62f1df3 100644
--- a/test/index-retry.test.ts
+++ b/test/index-retry.test.ts
@@ -129,6 +129,21 @@ vi.mock("../lib/storage.js", () => ({
 	getStoragePath: () => "",
 	loadAccounts: async () => null,
 	saveAccounts: async () => {},
+	withAccountStorageTransaction: async (
+		handler: (
+			storage: { version: 3; accounts: []; activeIndex: number; activeIndexByFamily: Record<string, number> },
+			persist: (next: { version: 3; accounts: []; activeIndex: number; activeIndexByFamily: Record<string, number> }) => Promise<void>,
+		) => Promise<unknown>,
+	) =>
+		handler(
+			{
+				version: 3,
+				accounts: [],
+				activeIndex: 0,
+				activeIndexByFamily: {},
+			},
+			async () => {},
+		),
 	setStoragePath: () => {},
 	setStorageBackupEnabled: () => {},
 	exportAccounts: async () => {},
diff --git a/test/index.test.ts b/test/index.test.ts
index d6d9549..cc87926 100644
--- a/test/index.test.ts
+++ b/test/index.test.ts
@@ -2,6 +2,15 @@ import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
 
 process.env.CODEX_MULTI_AUTH_EXPOSE_ADMIN_TOOLS = "1";
 
+const checkAuthRateLimitMock = vi.fn();
+const recordAuthAttemptMock = vi.fn();
+const resetAuthRateLimitMock = vi.fn();
+const enforceDataRetentionMock = vi.fn(async () => ({
+	removedLogs: 0,
+	removedCacheFiles: 0,
+	removedStateFiles: 0,
+}));
+
 vi.mock("@codex-ai/plugin/tool", () => {
 	const makeSchema = () => ({
 		optional: () => makeSchema(),
@@ -64,6 +73,12 @@ vi.mock("../lib/auth/server.js", () => ({
 	})),
 }));
 
+vi.mock("../lib/auth-rate-limit.js", () => ({
+	checkAuthRateLimit: checkAuthRateLimitMock,
+	recordAuthAttempt: recordAuthAttemptMock,
+	resetAuthRateLimit: resetAuthRateLimitMock,
+}));
+
 vi.mock("../lib/cli.js", () => ({
 	promptLoginMode: vi.fn(async () => ({ mode: "add" })),
 	promptAddAnotherAccount: vi.fn(async () => false),
@@ -138,6 +153,10 @@ vi.mock("../lib/request/request-transformer.js", () => ({
 	applyFastSessionDefaults: <T>(config: T) => config,
 }));
 
+vi.mock("../lib/data-retention.js", () => ({
+	enforceDataRetention: enforceDataRetentionMock,
+}));
+
 vi.mock("../lib/logger.js", () => ({
 	initLogger: vi.fn(),
 	logRequest: vi.fn(),
@@ -231,6 +250,10 @@ const mockStorage = {
 	activeIndex: 0,
 	activeIndexByFamily: {} as Record<string, number>,
 };
+const withAccountStorageTransactionMock = vi.fn(
+	async <T>(handler: (storage: typeof mockStorage, persist: (next: typeof mockStorage) => Promise<void>) => Promise<T>) =>
+		handler(mockStorage, async () => {}),
+);
 
 const syncCodexCliSelectionMock = vi.fn(async (_index: number) => {});
 
@@ -238,6 +261,7 @@ vi.mock("../lib/storage.js", () => ({
 	getStoragePath: () => "/mock/path/accounts.json",
 	loadAccounts: vi.fn(async () => mockStorage),
 	saveAccounts: vi.fn(async () => {}),
+	withAccountStorageTransaction: withAccountStorageTransactionMock,
 	clearAccounts: vi.fn(async () => {}),
 	setStoragePath: vi.fn(),
 	setStorageBackupEnabled: vi.fn(),
@@ -420,6 +444,10 @@ describe("OpenAIOAuthPlugin", () => {
 		mockStorage.accounts = [];
 		mockStorage.activeIndex = 0;
 		mockStorage.activeIndexByFamily = {};
+		withAccountStorageTransactionMock.mockClear();
+		withAccountStorageTransactionMock.mockImplementation(async (handler) =>
+			handler(mockStorage, async () => {}),
+		);
 
 		const { OpenAIOAuthPlugin } = await import("../index.js");
 		plugin = await OpenAIOAuthPlugin({ client: mockClient } as never) as unknown as PluginType;
@@ -505,6 +533,45 @@ describe("OpenAIOAuthPlugin", () => {
 			expect(vi.mocked(authModule.exchangeAuthorizationCode)).not.toHaveBeenCalled();
 		});
 
+		it("returns failed TokenResult when auth rate-limit check throws", async () => {
+			const manualMethod = plugin.auth.methods[1] as unknown as {
+				authorize: () => Promise<{
+					callback: (input: string) => Promise<{ type: string; reason?: string; message?: string }>;
+				}>;
+			};
+			checkAuthRateLimitMock.mockImplementationOnce(() => {
+				throw new Error("rate limit exceeded");
+			});
+
+			const flow = await manualMethod.authorize();
+			const result = await flow.callback(
+				"http://127.0.0.1:1455/auth/callback?code=abc123&state=test-state",
+			);
+			expect(result.type).toBe("failed");
+			expect(result.reason).toBe("http_error");
+			expect(result.message).toContain("rate limit exceeded");
+		});
+
+		it("returns failed TokenResult when token exchange throws", async () => {
+			const authModule = await import("../lib/auth/auth.js");
+			const manualMethod = plugin.auth.methods[1] as unknown as {
+				authorize: () => Promise<{
+					callback: (input: string) => Promise<{ type: string; reason?: string; message?: string }>;
+				}>;
+			};
+			vi.mocked(authModule.exchangeAuthorizationCode).mockRejectedValueOnce(
+				new Error("network down"),
+			);
+
+			const flow = await manualMethod.authorize();
+			const result = await flow.callback(
+				"http://127.0.0.1:1455/auth/callback?code=abc123&state=test-state",
+			);
+			expect(result.type).toBe("failed");
+			expect(result.reason).toBe("http_error");
+			expect(result.message).toContain("network down");
+		});
+
 		it("uses REDIRECT_URI in manual callback validation copy", async () => {
 			const authModule = await import("../lib/auth/auth.js");
 			const manualMethod = plugin.auth.methods[1] as unknown as {
@@ -518,6 +585,11 @@ describe("OpenAIOAuthPlugin", () => {
 			expect(message).toContain(authModule.REDIRECT_URI);
 		});
 
+		it("serializes startup retention cleanup through storage transaction", () => {
+			expect(withAccountStorageTransactionMock).toHaveBeenCalledTimes(1);
+			expect(enforceDataRetentionMock).toHaveBeenCalledTimes(1);
+		});
+
 		it("redacts oauth state from logged oauth URL", async () => {
 			const authModule = await import("../lib/auth/auth.js");
 			const loggerModule = await import("../lib/logger.js");
diff --git a/test/public-api-contract.test.ts b/test/public-api-contract.test.ts
index 307093f..4e4c20d 100644
--- a/test/public-api-contract.test.ts
+++ b/test/public-api-contract.test.ts
@@ -44,6 +44,25 @@ describe("public api contract", () => {
 		}
 	});
 
+	it("keeps tier-b barrel exports for storage/auth reliability helpers", async () => {
+		const barrel = await import("../lib/index.js");
+		const required = [
+			"acquireFileLock",
+			"acquireFileLockSync",
+			"encryptSecret",
+			"decryptSecret",
+			"enforceDataRetention",
+			"redactForExternalOutput",
+			"authorizeAction",
+			"runBackgroundJobWithRetry",
+			"checkAndRecordIdempotencyKey",
+			"markIdempotencySucceeded",
+			"clearIdempotencyOnFailure",
+		].sort();
+		const exported = required.filter((name) => name in barrel).sort();
+		expect(exported).toEqual(required);
+	});
+
 	it("keeps positional and options-object overload behavior aligned", async () => {
 		const healthTracker = new HealthScoreTracker();
 		const tokenTracker = new TokenBucketTracker();
diff --git a/test/quota-cache.test.ts b/test/quota-cache.test.ts
index 54b5ffb..bf14704 100644
--- a/test/quota-cache.test.ts
+++ b/test/quota-cache.test.ts
@@ -1,7 +1,9 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { promises as fs } from "node:fs";
+import { spawn } from "node:child_process";
 import { join } from "node:path";
 import { tmpdir } from "node:os";
+import { pathToFileURL } from "node:url";
 
 describe("quota cache", () => {
   let tempDir: string;
@@ -190,7 +192,10 @@ describe("quota cache", () => {
         byEmail: {},
       });
 
-      expect(unlinkSpy).toHaveBeenCalledTimes(1);
+      const tmpUnlinks = unlinkSpy.mock.calls.filter((call) =>
+        String(call[0]).endsWith(".tmp"),
+      );
+      expect(tmpUnlinks).toHaveLength(1);
       const entries = await fs.readdir(tempDir);
       expect(entries.some((entry) => entry.endsWith(".tmp"))).toBe(false);
     } finally {
@@ -347,4 +352,77 @@ describe("quota cache", () => {
       vi.doUnmock("../lib/logger.js");
     }
   });
+
+  it("serializes concurrent saveQuotaCache writers across processes", async () => {
+    const { loadQuotaCache } = await import("../lib/quota-cache.js");
+    const workerScriptPath = join(tempDir, "quota-cache-worker.mjs");
+    const moduleUrl = pathToFileURL(
+      join(process.cwd(), "dist", "lib", "quota-cache.js"),
+    ).href;
+    const workerCount = 4;
+    const iterations = 8;
+
+    await fs.writeFile(
+      workerScriptPath,
+      `const [moduleUrl, rootDir, workerIdRaw, workerCountRaw, iterationsRaw] = process.argv.slice(2);
+process.env.CODEX_MULTI_AUTH_DIR = rootDir;
+const workerId = Number(workerIdRaw);
+const workerCount = Number(workerCountRaw);
+const iterations = Number(iterationsRaw);
+const { saveQuotaCache } = await import(moduleUrl);
+for (let i = 0; i < iterations; i += 1) {
+  const byAccountId = {};
+  for (let w = 0; w < workerCount; w += 1) {
+    byAccountId[\`acc_\${w}\`] = {
+      updatedAt: Date.now(),
+      status: 200,
+      model: \`writer-\${workerId}-iter-\${i}\`,
+      primary: { usedPercent: w + i, windowMinutes: 300 },
+      secondary: { usedPercent: workerId, windowMinutes: 10080 },
+    };
+  }
+  await saveQuotaCache({ byAccountId, byEmail: {} });
+}
+`,
+      "utf8",
+    );
+
+    const runWorker = (workerId: number): Promise<void> =>
+      new Promise((resolve, reject) => {
+        const child = spawn(
+          process.execPath,
+          [
+            workerScriptPath,
+            moduleUrl,
+            tempDir,
+            String(workerId),
+            String(workerCount),
+            String(iterations),
+          ],
+          { stdio: ["ignore", "pipe", "pipe"] },
+        );
+        let stderr = "";
+        child.stderr.on("data", (chunk: Buffer) => {
+          stderr += chunk.toString("utf8");
+        });
+        child.on("error", reject);
+        child.on("exit", (code) => {
+          if (code === 0) {
+            resolve();
+            return;
+          }
+          reject(new Error(`quota worker ${workerId} exited with ${code}: ${stderr}`));
+        });
+      });
+
+    await Promise.all(Array.from({ length: workerCount }, (_, workerId) => runWorker(workerId)));
+
+    const loaded = await loadQuotaCache();
+    const keys = Object.keys(loaded.byAccountId).sort();
+    expect(keys).toEqual(["acc_0", "acc_1", "acc_2", "acc_3"]);
+    for (const key of keys) {
+      expect(loaded.byAccountId[key]?.model.startsWith("writer-")).toBe(true);
+      expect(typeof loaded.byAccountId[key]?.primary.usedPercent).toBe("number");
+    }
+  });
 });
diff --git a/test/secrets-crypto.test.ts b/test/secrets-crypto.test.ts
new file mode 100644
index 0000000..03f6653
--- /dev/null
+++ b/test/secrets-crypto.test.ts
@@ -0,0 +1,132 @@
+import { createCipheriv, createHash, randomBytes } from "node:crypto";
+import { describe, expect, it } from "vitest";
+import {
+	decryptSecret,
+	encryptSecret,
+	getSecretEncryptionKeysFromEnv,
+	isEncryptedSecret,
+} from "../lib/secrets-crypto.js";
+
+function createLegacyEncryptedSecret(value: string, keyMaterial: string): string {
+	const key = createHash("sha256").update(keyMaterial, "utf8").digest();
+	const iv = randomBytes(12);
+	const cipher = createCipheriv("aes-256-gcm", key, iv);
+	const encrypted = Buffer.concat([
+		cipher.update(Buffer.from(value, "utf8")),
+		cipher.final(),
+	]);
+	const tag = cipher.getAuthTag();
+	return `enc:v1:${iv.toString("base64")}:${tag.toString("base64")}:${encrypted.toString("base64")}`;
+}
+
+describe("secrets crypto", () => {
+	it("encrypts and decrypts with the primary key", () => {
+		const encrypted = encryptSecret("refresh-token-value", "primary-key");
+		expect(encrypted.startsWith("enc:v2:")).toBe(true);
+		expect(isEncryptedSecret(encrypted)).toBe(true);
+		const decrypted = decryptSecret(encrypted, {
+			primary: "primary-key",
+			previous: null,
+		});
+		expect(decrypted).toEqual({ value: "refresh-token-value", usedPreviousKey: false });
+	});
+
+	it("decrypts legacy v1 envelopes for backward compatibility", () => {
+		const encrypted = createLegacyEncryptedSecret("legacy-token", "legacy-key");
+		const decrypted = decryptSecret(encrypted, {
+			primary: "legacy-key",
+			previous: null,
+		});
+		expect(decrypted).toEqual({ value: "legacy-token", usedPreviousKey: false });
+	});
+
+	it("uses previous key when primary cannot decrypt", () => {
+		const encrypted = encryptSecret("access-token-value", "old-key");
+		const decrypted = decryptSecret(encrypted, {
+			primary: "new-key",
+			previous: "old-key",
+		});
+		expect(decrypted).toEqual({ value: "access-token-value", usedPreviousKey: true });
+	});
+
+	it("throws when no configured key can decrypt envelope", () => {
+		const encrypted = encryptSecret("secret", "correct-key");
+		expect(() =>
+			decryptSecret(encrypted, {
+				primary: "wrong-key",
+				previous: null,
+			}),
+		).toThrow("Unable to decrypt secret with configured keys");
+	});
+
+	it("recognizes legacy and current encrypted prefixes", () => {
+		expect(isEncryptedSecret("enc:v1:abc:def:ghi")).toBe(true);
+		expect(isEncryptedSecret("enc:v2:abc:def:ghi:jkl")).toBe(true);
+		expect(isEncryptedSecret("enc:v3:abc:def:ghi:jkl")).toBe(false);
+	});
+
+	it("re-encrypts malformed prefixed plaintext inputs", () => {
+		const malformed = "enc:v2:not-a-valid-envelope";
+		const encrypted = encryptSecret(malformed, "0123456789abcdef0123456789abcdef");
+		expect(encrypted).not.toBe(malformed);
+		expect(encrypted.startsWith("enc:v2:")).toBe(true);
+		const decrypted = decryptSecret(encrypted, {
+			primary: "0123456789abcdef0123456789abcdef",
+			previous: null,
+		});
+		expect(decrypted.value).toBe(malformed);
+	});
+
+	it("reads and trims encryption keys from env", () => {
+		const previousPrimary = process.env.CODEX_AUTH_ENCRYPTION_KEY;
+		const previousSecondary = process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY;
+		try {
+			process.env.CODEX_AUTH_ENCRYPTION_KEY = "  0123456789abcdef0123456789abcdef  ";
+			process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY = "\tfedcba9876543210fedcba9876543210\n";
+			expect(getSecretEncryptionKeysFromEnv()).toEqual({
+				primary: "0123456789abcdef0123456789abcdef",
+				previous: "fedcba9876543210fedcba9876543210",
+			});
+		} finally {
+			if (previousPrimary === undefined) {
+				delete process.env.CODEX_AUTH_ENCRYPTION_KEY;
+			} else {
+				process.env.CODEX_AUTH_ENCRYPTION_KEY = previousPrimary;
+			}
+			if (previousSecondary === undefined) {
+				delete process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY;
+			} else {
+				process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY = previousSecondary;
+			}
+		}
+	});
+
+	it("rejects weak key material from environment", () => {
+		const previousPrimary = process.env.CODEX_AUTH_ENCRYPTION_KEY;
+		const previousSecondary = process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY;
+		try {
+			process.env.CODEX_AUTH_ENCRYPTION_KEY = "short";
+			delete process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY;
+			expect(() => getSecretEncryptionKeysFromEnv()).toThrow(
+				"CODEX_AUTH_ENCRYPTION_KEY must contain at least 32 bytes of key material",
+			);
+
+			process.env.CODEX_AUTH_ENCRYPTION_KEY = "0123456789abcdef0123456789abcdef";
+			process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY = "tiny";
+			expect(() => getSecretEncryptionKeysFromEnv()).toThrow(
+				"CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY must contain at least 32 bytes of key material",
+			);
+		} finally {
+			if (previousPrimary === undefined) {
+				delete process.env.CODEX_AUTH_ENCRYPTION_KEY;
+			} else {
+				process.env.CODEX_AUTH_ENCRYPTION_KEY = previousPrimary;
+			}
+			if (previousSecondary === undefined) {
+				delete process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY;
+			} else {
+				process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY = previousSecondary;
+			}
+		}
+	});
+});
diff --git a/test/storage-flagged.test.ts b/test/storage-flagged.test.ts
index 7fce9e1..8b7fce9 100644
--- a/test/storage-flagged.test.ts
+++ b/test/storage-flagged.test.ts
@@ -148,6 +148,42 @@ describe("flagged account storage", () => {
     expect(existsSync(legacyPath)).toBe(true);
   });
 
+  it("fails fast when flagged refresh token cannot be decrypted", async () => {
+    const previousEncryptionKey = process.env.CODEX_AUTH_ENCRYPTION_KEY;
+    const previousPreviousKey = process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY;
+    try {
+      process.env.CODEX_AUTH_ENCRYPTION_KEY = "0123456789abcdef0123456789abcdef";
+      delete process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY;
+      await saveFlaggedAccounts({
+        version: 1,
+        accounts: [
+          {
+            refreshToken: "encrypted-token-value",
+            flaggedAt: 1,
+            addedAt: 1,
+            lastUsed: 1,
+          },
+        ],
+      });
+
+      process.env.CODEX_AUTH_ENCRYPTION_KEY = "fedcba9876543210fedcba9876543210";
+      await expect(loadFlaggedAccounts()).rejects.toThrow(
+        "Failed to decrypt flagged refresh token",
+      );
+    } finally {
+      if (previousEncryptionKey === undefined) {
+        delete process.env.CODEX_AUTH_ENCRYPTION_KEY;
+      } else {
+        process.env.CODEX_AUTH_ENCRYPTION_KEY = previousEncryptionKey;
+      }
+      if (previousPreviousKey === undefined) {
+        delete process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY;
+      } else {
+        process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY = previousPreviousKey;
+      }
+    }
+  });
+
   it("clears flagged storage and tolerates missing files", async () => {
     await saveFlaggedAccounts({
       version: 1,
diff --git a/test/storage.test.ts b/test/storage.test.ts
index 3c3157e..34bd41a 100644
--- a/test/storage.test.ts
+++ b/test/storage.test.ts
@@ -676,6 +676,42 @@ describe("storage", () => {
       expect(saved.version).toBe(3);
     });
 
+    it("fails fast when encrypted account storage cannot be decrypted", async () => {
+      const previousPrimary = process.env.CODEX_AUTH_ENCRYPTION_KEY;
+      const previousSecondary = process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY;
+      try {
+        process.env.CODEX_AUTH_ENCRYPTION_KEY = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+        delete process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY;
+        await saveAccounts({
+          version: 3,
+          activeIndex: 0,
+          activeIndexByFamily: {},
+          accounts: [
+            {
+              refreshToken: "refresh-token-sensitive",
+              accountId: "encrypted-account",
+              addedAt: Date.now(),
+              lastUsed: Date.now(),
+            },
+          ],
+        });
+
+        process.env.CODEX_AUTH_ENCRYPTION_KEY = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb";
+        await expect(loadAccounts()).rejects.toThrow("Failed to decrypt account storage");
+      } finally {
+        if (previousPrimary === undefined) {
+          delete process.env.CODEX_AUTH_ENCRYPTION_KEY;
+        } else {
+          process.env.CODEX_AUTH_ENCRYPTION_KEY = previousPrimary;
+        }
+        if (previousSecondary === undefined) {
+          delete process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY;
+        } else {
+          process.env.CODEX_AUTH_PREVIOUS_ENCRYPTION_KEY = previousSecondary;
+        }
+      }
+    });
+
     it("returns migrated data even when save fails (line 422-423 coverage)", async () => {
       const v1Storage = { 
         version: 1, 
@@ -1840,9 +1876,15 @@ describe("storage", () => {
     });
 
     it("logs error for non-ENOENT errors during clear", async () => {
-      const unlinkSpy = vi.spyOn(fs, "unlink").mockRejectedValue(
-        Object.assign(new Error("EACCES error"), { code: "EACCES" })
-      );
+      const realUnlink = fs.unlink.bind(fs);
+      const unlinkSpy = vi.spyOn(fs, "unlink").mockImplementation(async (targetPath) => {
+        const candidatePath = String(targetPath);
+        if (candidatePath.endsWith(".lock")) {
+          await realUnlink(targetPath);
+          return;
+        }
+        throw Object.assign(new Error("EACCES error"), { code: "EACCES" });
+      });
 
       await clearAccounts();
 
diff --git a/test/unified-settings.test.ts b/test/unified-settings.test.ts
index 6eff59e..686f76b 100644
--- a/test/unified-settings.test.ts
+++ b/test/unified-settings.test.ts
@@ -3,6 +3,27 @@ import { promises as fs } from "node:fs";
 import { join } from "node:path";
 import { tmpdir } from "node:os";
 
+const RETRYABLE_REMOVE_CODES = new Set(["EBUSY", "EPERM", "ENOTEMPTY"]);
+
+async function removeWithRetry(
+	targetPath: string,
+	options: { recursive?: boolean; force?: boolean },
+): Promise<void> {
+	for (let attempt = 0; attempt < 6; attempt += 1) {
+		try {
+			await fs.rm(targetPath, options);
+			return;
+		} catch (error) {
+			const code = (error as NodeJS.ErrnoException).code;
+			if (code === "ENOENT") return;
+			if (!code || !RETRYABLE_REMOVE_CODES.has(code) || attempt === 5) {
+				throw error;
+			}
+			await new Promise((resolve) => setTimeout(resolve, 25 * 2 ** attempt));
+		}
+	}
+}
+
 describe("unified settings", () => {
 	let tempDir: string;
 	let originalDir: string | undefined;
@@ -20,7 +41,7 @@ describe("unified settings", () => {
 		} else {
 			process.env.CODEX_MULTI_AUTH_DIR = originalDir;
 		}
-		await fs.rm(tempDir, { recursive: true, force: true });
+		await removeWithRetry(tempDir, { recursive: true, force: true });
 	});
 
 	it("merges plugin and dashboard sections into one file", async () => {
@@ -225,6 +246,61 @@ describe("unified settings", () => {
 		});
 	});
 
+	it("acquires file lock before reading during plugin config updates", async () => {
+		vi.resetModules();
+		const lockState = { held: false };
+		const acquireFileLockMock = vi.fn(async () => {
+			lockState.held = true;
+			return {
+				path: "mock-settings.lock",
+				release: async () => {
+					lockState.held = false;
+				},
+			};
+		});
+		const acquireFileLockSyncMock = vi.fn(() => ({
+			path: "mock-settings.lock",
+			release: () => undefined,
+		}));
+		vi.doMock("../lib/file-lock.js", () => ({
+			acquireFileLock: acquireFileLockMock,
+			acquireFileLockSync: acquireFileLockSyncMock,
+		}));
+
+		try {
+			const { saveUnifiedPluginConfig, getUnifiedSettingsPath } = await import(
+				"../lib/unified-settings.js"
+			);
+			await fs.writeFile(
+				getUnifiedSettingsPath(),
+				JSON.stringify({
+					version: 1,
+					dashboardDisplaySettings: { menuShowLastUsed: false },
+				}),
+				"utf8",
+			);
+
+			const originalReadFile = fs.readFile.bind(fs);
+			let observedReadUnderLock = false;
+			const readSpy = vi.spyOn(fs, "readFile").mockImplementation(async (...args) => {
+				if (lockState.held) {
+					observedReadUnderLock = true;
+				}
+				return originalReadFile(...args);
+			});
+			try {
+				await saveUnifiedPluginConfig({ codexMode: true, retries: 2 });
+				expect(observedReadUnderLock).toBe(true);
+				expect(acquireFileLockMock).toHaveBeenCalledTimes(1);
+			} finally {
+				readSpy.mockRestore();
+			}
+		} finally {
+			vi.doUnmock("../lib/file-lock.js");
+			vi.resetModules();
+		}
+	});
+
 	it("refuses overwriting settings sections when a read fails", async () => {
 		const {
 			saveUnifiedPluginConfig,