diff --git a/Cargo.lock b/Cargo.lock
index a29558c..d1fbf72 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -375,6 +375,8 @@ name = "enclaveapp-cache"
 version = "0.1.0"
 dependencies = [
  "enclaveapp-core",
+ "fs4",
+ "sha2",
  "tempfile",
 ]
 
@@ -387,9 +389,11 @@ dependencies = [
  "libc",
  "serde",
  "serde_json",
+ "sha2",
  "thiserror",
  "toml 0.8.23",
  "tracing",
+ "windows",
 ]
 
 [[package]]
@@ -406,6 +410,7 @@ dependencies = [
  "serde",
  "serde_json",
  "sha2",
+ "zeroize",
 ]
 
 [[package]]
@@ -437,6 +442,7 @@ dependencies = [
  "serde",
  "serde_json",
  "sha2",
+ "zeroize",
 ]
 
 [[package]]
diff --git a/Cargo.toml b/Cargo.toml
index 4ed7f46..cb24914 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -63,7 +63,7 @@ aes-gcm = "0.10"
 elliptic-curve = { version = "0.13", features = ["sec1"] }
 
 # Windows
-windows = { version = "0.58", features = ["Win32_Security", "Win32_Security_Cryptography", "Win32_Foundation", "Security_Credentials_UI", "Foundation"] }
+windows = { version = "0.58", features = ["Win32_Security", "Win32_Security_Cryptography", "Win32_Foundation", "Win32_System_Threading", "Win32_System_SystemServices", "Security_Credentials_UI", "Foundation"] }
 
 # Linux TPM
 tss-esapi = "7"
diff --git a/DESIGN.md b/DESIGN.md
index 45788de..d553626 100644
--- a/DESIGN.md
+++ b/DESIGN.md
@@ -82,7 +82,7 @@ It also centralizes WSL bridge lookup, access-policy handling, and app-specific
 
 Beyond the backends, a handful of crates provide cross-consumer utilities:
 
-- **`enclaveapp-app-adapter`** — generic secret-delivery substrate used by Type 1-3 apps. Provides `BindingStore`, `SecretStore`, the program resolver, the `execve()`-based launcher (with `mlock` + zeroize of env-override bytes), provenance tracking, state-locking, and `TempConfig::write` (with the per-platform `create_platform_config()` memfd/tempfile selection).
+- **`enclaveapp-app-adapter`** — generic secret-delivery substrate used by Type 1-3 apps. Provides `BindingStore`, `SecretStore` (with typed `SecretRead { Present, Redacted, Absent }` read path that replaces the string-sentinel `"<redacted>"` round-trip), the program resolver, the `execve()`-based launcher (with `mlock` + zeroize of env-override bytes, optional `with_env_scrub(patterns)` to remove matching inherited env vars from both child and parent, and per-child `RLIMIT_CORE = 0`), provenance tracking, state-locking, and `TempConfig::write` (with the per-platform `create_platform_config()` memfd/tempfile selection).
 - **`enclaveapp-cache`** — the shared on-disk cache file format (`[magic][version][flags][length-prefixed blobs]`). Consumed by sso-jwt's token cache and awsenc's credential cache.
 - **`enclaveapp-tpm-bridge`** — the shared bridge server crate; delegated to by the per-app bridge binaries.
 - **`enclaveapp-build-support`** — factored-out helpers for Windows `build.rs` resource compilation.
@@ -94,8 +94,12 @@ Beyond the backends, a handful of crates provide cross-consumer utilities:
 - `setrlimit(RLIMIT_CORE, 0)` on all Unix — no core dumps that could capture secret buffers.
 - `prctl(PR_SET_DUMPABLE, 0)` on Linux — `/proc/<pid>/mem` becomes root-only, `ptrace` attach from same-UID peers is denied.
 - `prctl(PR_SET_NO_NEW_PRIVS, 1)` on Linux — subsequent `exec*()` can't gain setuid/file-capabilities privileges.
+- `SetProcessMitigationPolicy` on Windows (safe subset):
+  - `ProcessStrictHandleCheckPolicy` with `RaiseExceptionOnInvalidHandleReference` + `HandleExceptionsPermanentlyEnabled` — turns handle-confusion bugs into `STATUS_INVALID_HANDLE` rather than silent misuse.
+  - `ProcessExtensionPointDisablePolicy` with `DisableExtensionPoints` — blocks AppInit_DLLs, shim engines, and other legacy DLL-injection extension points.
+  - `ProcessImageLoadPolicy` with `NoRemoteImages` + `NoLowMandatoryLabelImages` — refuses DLL loads from UNC paths and low-integrity files.
 
-See `crates/enclaveapp-core/src/process.rs`. `mlock_buffer` / `munlock_buffer` are exposed for consumer crates that want to pin specific byte buffers in RAM.
+See `crates/enclaveapp-core/src/process.rs`. `mlock_buffer` / `munlock_buffer` are exposed for consumer crates that want to pin specific byte buffers in RAM. Type 2 apps also clamp `RLIMIT_CORE = 0` on the **spawned child** via a `pre_exec` hook in `enclaveapp-app-adapter::launcher`, so a crash of the wrapped target (e.g. `npm`) cannot core-dump its secret-laden environment.
 
 ## Access policy model
 
@@ -180,7 +184,7 @@ Signing keys are long-lived identity keys (e.g., SSH keys). At Levels 1-3, the h
 
 | Level | Backend | Who signs? | Private key exportable? | User presence | Key storage |
 |:-----:|---------|-----------|:----------------------:|---------------|-------------|
-| **1** | macOS Secure Enclave | **The SE hardware.** `sshenc` sends data to the SE via CryptoKit; the SE performs ECDSA P-256 internally and returns the signature. The private key never exists outside the chip. Works for both signed and unsigned binaries on Apple Silicon. | **No** — impossible. Even root cannot extract it. The `dataRepresentation` on disk is an opaque SE handle (not key material); it is AES-256-GCM wrapped under a 32-byte key stored in the login Keychain (service `com.enclaveapp.<app>`, account `<label>`). File format `[EHW1 magic][nonce][ciphertext][tag]`. | Touch ID / biometric enforced by SE hardware per-signature (when access policy is set). | Secure Enclave coprocessor + Keychain-wrapped handle on disk (0600). |
+| **1** | macOS Secure Enclave | **The SE hardware.** `sshenc` sends data to the SE via CryptoKit; the SE performs ECDSA P-256 internally and returns the signature. The private key never exists outside the chip. Works for both signed and unsigned binaries on Apple Silicon. | **No** — impossible. Even root cannot extract it. The `dataRepresentation` on disk is an opaque SE handle (not key material); it is AES-256-GCM wrapped under a 32-byte key stored in the login Keychain (service `com.libenclaveapp.<app>`, account `<label>`). File format `[EHW1 magic][nonce][ciphertext][tag]`. | Touch ID / biometric enforced by SE hardware per-signature (when access policy is set). | Secure Enclave coprocessor + Keychain-wrapped handle on disk (0600). |
 | **2** | Windows TPM 2.0 | **The TPM hardware.** CNG sends signing requests to the TPM via NCrypt. | **No** — key is a non-exportable TPM object. | Windows Hello (biometric/PIN) enforced per-signature via `NCRYPT_UI_POLICY`. | TPM 2.0 chip. |
 | **3** | Linux TPM 2.0 | **The TPM hardware.** Signing performed by the TPM via `tss-esapi`. | **No** — key is TPM-resident. | Not enforced (no standard Linux biometric API). | TPM 2.0 device (`/dev/tpmrm0`). glibc only. |
 | **4** | Software (Linux glibc, keyring) | **Software.** The P-256 private key is decrypted from the keyring into memory and used for signing via the `p256` crate. | **Yes (encrypted at rest)** — P-256 private key on disk, encrypted via system keyring (D-Bus Secret Service / GNOME Keyring / KWallet). | Not enforced. | `~/.config/{app}/keys/` encrypted via keyring. |
@@ -208,7 +212,7 @@ The `com.apple.developer.secure-enclave` entitlement is a **Security.framework**
 
 **Handle protection for unsigned apps.** The SE's `dataRepresentation` is an opaque handle blob that allows the same device's SE to reconstruct the key reference. While the private key itself cannot be extracted from this blob, the blob is stored as a file on disk — and another process running as the same user could copy it and use it to request SE operations.
 
-**Implemented.** `generate_and_save_key` creates a fresh 32-byte AES-256 wrapping key per label, stores it in the login keychain as a `kSecClassGenericPassword` item (service `com.enclaveapp.<app>`, account `<label>`), AES-256-GCM encrypts the `dataRepresentation` under that key, and writes the sealed blob to `.handle` with the magic prefix `EHW1`. Format: `[magic(4)][nonce(12)][ciphertext][tag(16)]`. See `crates/enclaveapp-apple/src/keychain_wrap.rs`.
+**Implemented.** `generate_and_save_key` creates a fresh 32-byte AES-256 wrapping key per label, stores it in the login keychain as a `kSecClassGenericPassword` item (service `com.libenclaveapp.<app>`, account `<label>`), AES-256-GCM encrypts the `dataRepresentation` under that key, and writes the sealed blob to `.handle` with the magic prefix `EHW1`. Format: `[magic(4)][nonce(12)][ciphertext][tag(16)]`. See `crates/enclaveapp-apple/src/keychain_wrap.rs`.
 
 Legacy plaintext `.handle` files are accepted by `load_handle` for transparent migration; they re-wrap on the next rotation. `delete_key` removes the keychain entry alongside the on-disk artifacts.
 
@@ -339,16 +343,31 @@ Operators who install the bridge outside these locations must symlink into one o
 - `BRIDGE_SHUTDOWN_TIMEOUT = 5 s` after stdin close before the child is killed.
 - `BridgeSession::Drop` kills and reaps the child — no zombie processes.
 
-Authenticode / `WinVerifyTrust` verification on the resolved bridge binary is a tracked hardening gap for environments where the Windows host itself is semi-trusted.
+Before spawning the bridge binary, `require_bridge_is_authenticode_signed` (`crates/enclaveapp-bridge/src/client.rs`) parses the PE header's `IMAGE_DIRECTORY_ENTRY_SECURITY` slot and refuses binaries that carry no Authenticode signature block — so the "attacker replaces the admin-path install with their own `cargo build` exe" case fails closed. Full `WinVerifyTrust` chain verification is out of scope from the WSL side and is an acknowledged residual risk. Dev builds can opt out via `ENCLAVEAPP_BRIDGE_ALLOW_UNSIGNED=1`.
 
-## Credential cache file tamper
+Concurrent bridge calls from two threads in the same client process are serialized by a process-wide `BRIDGE_SESSION_LOCK: Mutex<()>` held across spawn → request → shutdown. Without it, two threads would fire two back-to-back Windows Hello prompts, contend for the same TPM key slot, and double-bill TPM op quota. Mutex poisoning is recovered with `into_inner()` so one crashed session does not wedge the client for the process lifetime.
 
-Credential caches are stored as `[header][AES-GCM ciphertext]` pairs on disk. The header (magic, version, flags, timestamps, risk level, optional session-expiration fields) is **not** authenticated by AAD — the `EncryptionStorage::encrypt` / `decrypt` trait does not currently accept associated data. A same-UID attacker with file-write access to the cache file can edit header fields without invalidating the ciphertext.
+## Credential cache file tamper + rollback
 
-Consumer-layer mitigations already neutralize the practical risk-level-downgrade threat:
+Credential caches on disk have an unencrypted header (magic, version, flags, timestamps, risk level, optional session-expiration fields) and an AES-GCM ciphertext. The ciphertext body is already tag-authenticated. Header fields and older-ciphertext replay are addressed by an app-layer envelope that wraps the plaintext before encryption:
 
-- **`max(header, config)` on read** — sso-jwt's `effective_cached_risk_level` (`sso-jwt-lib/src/cache.rs:57-59`) and awsenc's equivalent always clamp the effective risk level back up to the configured minimum. Editing the header down does nothing.
-- **Server-side expiration is authoritative** — STS credentials (`awsenc`) carry `Expiration`; JWTs (`sso-jwt`) carry `exp`. Header-rolled timestamps don't extend server acceptance.
-- **Payload-embedded timestamps** — both consumers recheck `session_start` / `token_iat` / `expiration` *after* decrypt, ignoring whatever the unencrypted header claims.
+- **Envelope format** (`crates/enclaveapp-cache/src/envelope.rs`):
+  `[4B "APL1"][32B SHA-256(header bytes)][8B BE u64 counter][payload]`
+  passed to `EncryptionStorage::encrypt`.
+- **Header binding.** `SHA-256` covers the exact unencrypted header bytes; tampering with any header field is detected on decrypt as an envelope hash mismatch. The trait signature did not change, so all backends (SE, CNG, Linux TPM, keyring, WSL bridge) inherit the protection uniformly.
+- **Rollback counter.** The 8-byte counter is bumped on every successful write and persisted in a sibling `<cache>.counter` sidecar guarded by an exclusive `fs4` flock. On decrypt, the embedded counter must be `>= sidecar`; older ciphertexts are rejected as `Rollback { observed, expected_at_least }`.
+- **Legacy-cache migration.** `unwrap_plaintext` accepts pre-envelope payloads (no `APL1` magic) as legacy with `counter = 0`. Existing installs continue to decrypt; the first write after upgrade lands in the new format.
 
-AAD binding the header to the ciphertext (a proper cryptographic fix) is deferred. It would require a trait signature change across all four backends (SE, CNG, keyring, test-software) plus every consumer, plus a one-time on-disk format migration. See `THREAT_MODEL.md` § "Credential cache header tamper" for the full rationale.
+Consumer-layer defenses layer on top:
+
+- **`max(header, config)` on read** — sso-jwt and awsenc always clamp the effective risk level to at least the configured minimum (defense-in-depth for pre-migration legacy caches).
+- **Server-side expiration is authoritative** — STS credentials carry `Expiration`; JWTs carry `exp`. Even a rolled-back ciphertext expires at the real server-side deadline.
+- **Payload-embedded timestamps** — both consumers recheck `session_start` / `token_iat` / `expiration` *after* decrypt.
+
+Residual risk: an attacker who can rewrite **both** the `.enc` cache and the `.counter` sidecar in sync can still replay within the server-side validity window. Same-UID write-access to the cache dir is a generic trust-boundary assumption.
+
+## Metadata `.meta` tamper
+
+`KeyMeta` JSON (type, access policy, app-specific fields) ships next to every key as `<label>.meta`. Hardware backends (Apple SE, Windows CNG, Linux TPM) fix the access policy at key-creation time inside the chip, so `.meta` tamper on those backends is a UI-deception risk only — signing still prompts for Touch ID / Windows Hello regardless of what the JSON claims.
+
+On the **software / keyring backend** the hardware does not re-enforce, so `.meta` tamper was a full policy-downgrade vector. `metadata::save_meta_with_hmac` / `load_meta_with_hmac` now write and verify a `<label>.meta.hmac` HMAC-SHA256 sidecar keyed by a per-app random 32-byte HMAC key stored in the system keyring under `com.libenclaveapp.<app>` / `__meta_hmac_key__`. `enclaveapp-app-storage::ensure_key` verifies the sidecar on Linux; a mismatch yields a hard `meta_hmac_verify` error and refuses to load the key. Pre-upgrade keys without a sidecar fall through to the plain `load_meta` path for migration and pick up the sidecar on next regeneration.
diff --git a/THREAT_MODEL.md b/THREAT_MODEL.md
index ee0029f..8213ba7 100644
--- a/THREAT_MODEL.md
+++ b/THREAT_MODEL.md
@@ -69,28 +69,29 @@ Hardware access policies (Touch ID, Windows Hello) are the only defense against
 
 The WSL→Windows bridge is a JSON-RPC channel over a child process's stdin/stdout. Beyond binary replacement (above), the following protocol-level threats are worth naming.
 
-- **Access-policy downgrade via legacy `biometric` field.** `BridgeRequest::params` (`crates/enclaveapp-bridge/src/protocol.rs`) accepts both the new `access_policy` enum and a legacy `biometric: bool` for backward compatibility. `effective_access_policy` reconciles them client-side. If a downgrade-attacker-controlled bridge server ignores `access_policy` and only reads `biometric`, a client that sends `BiometricOnly` could be silently served as `None`. Mitigation: ensure every deployed server honors `access_policy` when present.
-- **Method-name confusion (`delete` vs `destroy`).** `bridge_destroy` sends the wire method name `"delete"` for backward compatibility. An older bridge server that only implements `"destroy"` will return an unknown-method error, leaving stale key state. Mitigation: documented in-code; bridge servers should accept both aliases.
+- **Legacy `biometric: bool` field removed.** The `BridgeParams` wire type (`crates/enclaveapp-bridge/src/protocol.rs`) no longer carries a `biometric` field. `access_policy` is the only accepted encoding on the wire. A stray `biometric` key in a received payload is ignored by the deserializer and cannot influence the effective policy. This closes the silent-downgrade path where a bridge server that honored only `biometric` could serve a client's `BiometricOnly` request as `None`.
+- **Authenticode signature presence required.** Before spawning the bridge binary, `require_bridge_is_authenticode_signed` (`crates/enclaveapp-bridge/src/client.rs`) parses the PE header's `IMAGE_DIRECTORY_ENTRY_SECURITY` slot and refuses binaries with no signature block. This catches the "attacker replaced the admin-path install with an ad-hoc `cargo build` exe that ships no signature at all" case. Full chain verification still requires `WinVerifyTrust` on the Windows host side and is out of scope for the WSL-resident client; an admin-on-Windows replacement with a validly-signed-but-malicious binary is acknowledged as a residual risk. Opt out for dev builds via `ENCLAVEAPP_BRIDGE_ALLOW_UNSIGNED=1`.
+- **Method-name alias guarantee (`delete` ↔ `destroy`).** The bridge server (`crates/enclaveapp-tpm-bridge/src/lib.rs`) accepts both `"delete"` and `"destroy"` as synonyms for the same key-removal operation. The `bridge_destroy` client helper sends `"delete"` on the wire; a newer client talking to an older server-in-the-wild that only implemented `"destroy"` is the residual edge case. The `destroy_and_delete_are_aliases` test (`crates/enclaveapp-tpm-bridge/src/lib.rs`) locks the alias in as a compatibility guarantee — a future refactor that drops one name would fail the test rather than silently breaking mixed-version deployments.
 - **Accepted guarantees** now explicit in the model: 64 KB response cap (`MAX_BRIDGE_RESPONSE_BYTES`), connection-scoped child kill-on-drop (`BridgeSession::Drop`), and a configurable `ENCLAVEAPP_BRIDGE_TIMEOUT_SECS` read-line timeout.
 
 ### FFI trust boundaries
 
 Unsafe FFI surfaces are trusted by design but fragile.
 
-- **Swift ↔ Rust bridge** (`crates/enclaveapp-apple/src/ffi.rs` + `crates/enclaveapp-apple/swift/bridge.swift`). Out-buffer convention relies on the caller sizing buffers correctly; `SE_ERR_BUFFER_TOO_SMALL` return codes can mask unrelated errors if the Rust side assumes buffer sizing is the only failure mode. Any change to Swift bridge signatures requires a coordinated Rust FFI update.
-- **Windows CNG raw-pointer casts** (`crates/enclaveapp-windows/src/ui_policy.rs`). `NCRYPT_UI_POLICY` is passed to `NCryptSetProperty` via `&ui_policy as *const _ as *const u8` with a computed `size_of::<NCRYPT_UI_POLICY>()`. This is correct today but fragile to future struct layout changes.
+- **Swift ↔ Rust bridge** (`crates/enclaveapp-apple/src/ffi.rs` + `crates/enclaveapp-apple/swift/bridge.swift`). Out-buffer convention: the Swift side returns `SE_ERR_BUFFER_TOO_SMALL` **only** when a caller-supplied out-buffer is genuinely undersized and writes the required size to `*_len.pointee`. The Rust-side retry loop in `keychain.rs::generate_key_with_retry` enforces the contract strictly: it caps retries at `MAX_RESIZE_RETRIES = 4`, refuses to retry when the Swift-reported length does not grow past the buffer it sent, and rejects any post-call `pub_key_len > 65` as a contract violation. A Swift-side regression that starts returning `SE_ERR_BUFFER_TOO_SMALL` for a non-sizing condition now surfaces as a hard `GenerateFailed { detail: "Swift bridge contract violation" }` error instead of spinning in a retry loop or masking the real failure.
+- **Windows CNG raw-pointer casts** (`crates/enclaveapp-windows/src/ui_policy.rs`). `NCRYPT_UI_POLICY` is passed to `NCryptSetProperty` / `NCryptGetProperty` via `&policy as *const _ as *const u8` with a computed `size_of::<NCRYPT_UI_POLICY>()`. A module-level `const _: () = assert!(size_of::<NCRYPT_UI_POLICY>() == EXPECTED_NCRYPT_UI_POLICY_SIZE, ...)` fails the build if a future `windows-rs` release silently changes the struct layout (e.g. re-orders `LPCWSTR` fields or pads differently), preventing a `cbInput`-mismatch regression from landing silently.
 - **NCRYPT UI policy is re-verified before every sign/decrypt.** `ui_policy::verify_ui_policy_matches` reads the CNG key's actual `NCRYPT_UI_POLICY` via `NCryptGetProperty` and rejects the operation if the `UI_PROTECT_KEY_FLAG` does not match the metadata's `AccessPolicy`. Closes the attacker-planted-TPM-key bypass: an attacker who writes a TPM key with the expected CNG name but no UI protect flag no longer gets signatures without Windows Hello. Integration testing on real Windows TPM hardware is still a tracked follow-up.
 
 ### Keychain and key-backend-specific risks
 
-- **macOS `.handle` storage is AES-256-GCM wrapped under a Keychain-held key.** `generate_and_save_key` creates a fresh 32-byte wrapping key per label, stores it in the login keychain as a `kSecClassGenericPassword` item (service `com.enclaveapp.<app>`, account `<label>`), and writes the AES-GCM-sealed SE `dataRepresentation` to `.handle` (magic `EHW1`, format `[magic][nonce][ciphertext][tag]`). A same-UID attacker who copies the `.handle` file still needs the keychain-held wrapping key to replay SE operations — and the keychain's code-signature-bound ACL blocks access from a different binary, prompting the user on first use of a rebuilt binary. Legacy plaintext `.handle` files are accepted transparently for migration; they upgrade to wrapped format on the next rotation. See `crates/enclaveapp-apple/src/keychain_wrap.rs`.
+- **macOS `.handle` storage is AES-256-GCM wrapped under a Keychain-held key.** `generate_and_save_key` creates a fresh 32-byte wrapping key per label, stores it in the login keychain as a `kSecClassGenericPassword` item (service `com.libenclaveapp.<app>`, account `<label>`), and writes the AES-GCM-sealed SE `dataRepresentation` to `.handle` (magic `EHW1`, format `[magic][nonce][ciphertext][tag]`). A same-UID attacker who copies the `.handle` file still needs the keychain-held wrapping key to replay SE operations — and the keychain's code-signature-bound ACL blocks access from a different binary, prompting the user on first use of a rebuilt binary. Legacy plaintext `.handle` files are accepted transparently for migration; they upgrade to wrapped format on the next rotation. See `crates/enclaveapp-apple/src/keychain_wrap.rs`.
 - **Cross-binary Keychain access on macOS** for ad-hoc signed builds (Homebrew, `cargo build`) is controlled by binary hash; every rebuild invalidates the ACL and reprompts the user. This is the Keychain enforcing its ACL — it's now load-bearing because the wrapping key is what gates same-UID handle theft (above). Trusted signing identities eliminate the per-upgrade prompt.
 - **Keyring D-Bus peer trust.** The keyring backend talks to the session D-Bus Secret Service. A hostile session bus (another process running as the user that took over the bus) could intercept unlock / decrypt requests. Same-user already-compromised session; out of scope for the library.
 
 ### Filesystem races and metadata tamper
 
-- **No `O_NOFOLLOW` on metadata and handle reads.** Reads in `crates/enclaveapp-core/src/metadata.rs` and `crates/enclaveapp-apple/src/keychain.rs` use `std::fs::read`, which follows symlinks. A pre-planted symlink in the keys directory (same-UID attacker) can redirect a read or cause the library to parse an arbitrary file as key material. `atomic_write` uses `create_new` for the temp file (blocking symlink preemption of the temp), but the final `rename` target is not probed with `O_NOFOLLOW`.
-- **Unauthenticated `.meta` files.** `KeyMeta.access_policy` is stored as plain JSON (`crates/enclaveapp-core/src/metadata.rs`). A same-UID attacker who edits `<label>.meta` to flip `BiometricOnly` → `None` changes what library-level policy checks see, even though the hardware key's policy was fixed at creation. Effect is: misleading UI / app-level checks on SE/TPM, full bypass on software / keyring backends. This is the backend of the sshenc and awsenc notes on the same subject.
+- **Symlink-safe reads of metadata and handle files.** `metadata::read_no_follow` (`crates/enclaveapp-core/src/metadata.rs`) uses `O_NOFOLLOW` on Unix and a `symlink_metadata` pre-check on Windows. It is called from every key-material load path — Apple keychain handle reads (`crates/enclaveapp-apple/src/keychain.rs`), keyring-backend `.key` reads (`crates/enclaveapp-keyring/src/key_storage.rs`), Linux TPM `.pub`/`.priv` reads (`crates/enclaveapp-linux-tpm/src/tpm.rs`), and the shared `load_meta` path. A pre-planted symlink in the keys directory is refused with `ELOOP` rather than silently redirected.
+- **`.meta` HMAC sidecar on the keyring backend.** `metadata::save_meta_with_hmac` / `load_meta_with_hmac` write and verify a `<label>.meta.hmac` sidecar keyed by a per-app random HMAC key held in the system keyring (`enclaveapp_keyring::meta_hmac_key`). `enclaveapp-app-storage::ensure_key` verifies the sidecar on Linux and rejects HMAC-mismatched loads with `meta_hmac_verify` — a same-UID attacker who edits `<label>.meta` to flip `BiometricOnly` → `None` without also having keyring access is caught. Hardware backends (Apple SE / Windows CNG / Linux TPM) do not write the sidecar because the chip-enforced access policy is fixed at key-creation time and `.meta` tamper on those backends is a UI-deception risk only, not a policy bypass. The sidecar is absent for pre-upgrade keys — `load_meta_with_hmac` falls through to `load_meta` verbatim in that case, so existing installs migrate transparently on the next key regeneration.
 - **Binding-store / temp-config file creation.** Both `JsonFileBindingStore::write_all_unlocked` (`crates/enclaveapp-app-adapter/src/binding_store.rs`) and `TempConfig::write` (`crates/enclaveapp-app-adapter/src/temp_config.rs`) now create their files with `OpenOptions::mode(0o600)` at creation time (Unix), eliminating the prior default-umask window between `create` and `chmod`. On Windows, ACLs continue to inherit from the parent directory, which the install flow narrows.
 
 ### Concurrent access
@@ -106,9 +107,21 @@ Unsafe FFI surfaces are trusted by design but fragile.
   `fs4` flock and execute sequentially — no SE/TPM slot orphaning.
   `secret_store.rs` uses per-id shared/exclusive flocks for
   adapter-layer secret mutations.
-- **Bridge serialization.** Two WSL-side clients hitting the Windows
-  bridge concurrently depend on the server serializing requests.
-  Clients do not hold a mutex across bridge sessions.
+- **Bridge serialization — client-side lock.**
+  `crates/enclaveapp-bridge/src/client.rs` now holds a process-wide
+  `BRIDGE_SESSION_LOCK: Mutex<()>` across the full spawn→request→
+  shutdown lifetime of every bridge session. Two threads in the same
+  client process no longer race to spawn independent bridge children
+  against the same TPM, which would (a) fire Windows Hello twice
+  back-to-back, (b) contend for the server-side key slot, and (c)
+  double-bill TPM op quota. The server still serializes per-session;
+  the client-side lock just stops us from paying the spawn + prompt
+  cost twice. Poisoning from a prior panicked session is recovered
+  with `into_inner()` so one crashed session does not wedge the
+  client for the process's lifetime. The
+  `concurrent_call_bridge_serializes_via_session_lock` test locks in
+  the serialization semantics with two threads whose session
+  intervals are required to be non-overlapping.
 
 ### Process hardening scope
 
@@ -117,39 +130,47 @@ Unsafe FFI surfaces are trusted by design but fragile.
 - **All Unix:** `setrlimit(RLIMIT_CORE, 0)` — no core dumps.
 - **Linux:** `prctl(PR_SET_DUMPABLE, 0)` — `/proc/<pid>/mem` becomes root-only; `ptrace` attach from non-root peers is denied by the kernel even within the same UID.
 - **Linux:** `prctl(PR_SET_NO_NEW_PRIVS, 1)` — subsequent `exec*()` cannot gain setuid / file-capabilities privileges; shrinks the surface for wrapped-child-process escalation.
+- **Windows:** `SetProcessMitigationPolicy` applies a safe subset at startup:
+  - `ProcessStrictHandleCheckPolicy` with `RaiseExceptionOnInvalidHandleReference` + `HandleExceptionsPermanentlyEnabled` — turns latent handle-confusion bugs into `STATUS_INVALID_HANDLE` exceptions instead of silently operating on the wrong object.
+  - `ProcessExtensionPointDisablePolicy` with `DisableExtensionPoints` — blocks AppInit_DLLs, AppCertDlls, shim engines, IMEs, and winevent hooks from loading into the process, killing the most common unsigned-DLL-injection vector.
+  - `ProcessImageLoadPolicy` with `NoRemoteImages` + `NoLowMandatoryLabelImages` — refuses DLL loads from UNC paths and from files at the low-mandatory integrity label. Blocks the "drop a DLL onto a writable share and hijack LoadLibrary" pattern.
 
-Still not applied: `RLIMIT_AS`, seccomp-bpf system-call filtering, macOS `ptrace(PT_DENY_ATTACH)` (deprecated and fragile), and Windows `SetProcessMitigationPolicy`. Root can still dump memory unconditionally on any platform. Applications that want stricter memory protection must add their own mitigations on top.
+  Deliberately not applied: `BinarySignaturePolicy.MicrosoftSignedOnly` (breaks cargo-built unsigned apps), `DynamicCodePolicy` / ACG (breaks some JIT / crypto providers), `SystemCallDisablePolicy.DisallowWin32kSystemCalls` (breaks any process with a GUI surface). Each call is best-effort — failure on older Windows builds is logged via `tracing::warn!` and does not abort startup.
+
+Still not applied: `RLIMIT_AS`, seccomp-bpf system-call filtering, macOS `ptrace(PT_DENY_ATTACH)` (deprecated and fragile). Root can still dump memory unconditionally on any platform. Applications that want stricter memory protection must add their own mitigations on top.
 
 ### Zeroize coverage
 
-`zeroize` is applied to secret-bearing structures in the launcher (`crates/enclaveapp-app-adapter/src/launcher.rs`) and credential cache (`crates/enclaveapp-app-adapter/src/credential_cache.rs`). It is **not** applied to:
+`zeroize` is applied to secret-bearing structures in the launcher (`crates/enclaveapp-app-adapter/src/launcher.rs`), the credential cache (`crates/enclaveapp-app-adapter/src/credential_cache.rs`), and the keyring / software backends:
 
-- in-memory P-256 private-key bytes loaded from the keyring / software backend
-- intermediate signature / ECIES buffers
-- `mlock`ed handle bytes on macOS
+- **Keyring backend** (`crates/enclaveapp-keyring/src/key_storage.rs`): plaintext private-key byte buffers are returned as `Zeroizing<Vec<u8>>` from `load_private_key_bytes` and `decrypt_private_key`; the random KEK generated in `save_encrypted` is wrapped in `Zeroizing` after filling the intermediate array; `generate_and_save` holds its raw `secret_key.to_bytes()` as `Zeroizing`.
+- **Software (test) backend** (`crates/enclaveapp-test-software/src/key_storage.rs`): same pattern on the load/save paths.
+- **ECIES intermediate AES key** (`crates/enclaveapp-keyring/src/encrypt.rs`, `crates/enclaveapp-test-software/src/encrypt.rs`): `derive_key` now returns `Zeroizing<[u8; 32]>` so the AES-GCM symmetric key is wiped after each encrypt / decrypt operation.
 
-Consumer crates that care about tighter memory hygiene should wrap their own sensitive buffers. The SECURITY.md summary has been updated to reflect this.
+Still not wrapped: `mlock`ed handle bytes on macOS (tracked separately; the SE-side key never leaves the chip so the in-process `dataRepresentation` is opaque to us). Consumer crates that care about tighter memory hygiene on ciphertext buffers should wrap their own.
 
 ### App-adapter surface
 
-- **`<redacted>` sentinel.** `crates/enclaveapp-app-adapter/src/secret_store.rs` returns the literal string `"<redacted>"` from read-only stores to stand in for "we know a secret exists but won't hand it over." Consumers that propagate any non-empty return value as a secret will end up using the literal `"<redacted>"` as a password. Callers must compare against the `REDACTED_PLACEHOLDER` constant or adopt a typed return.
-- **Launcher env inheritance.** `Launcher::launch` forwards the parent process's full environment plus `env_overrides` to the child, then zeroizes only the env vars it added. Secrets already present in the parent env are propagated unchanged and are not wiped. Documented as an accepted constraint — env-bearing secrets inherited from callers are the caller's responsibility.
+- **Typed `SecretRead` return on the read path.** `SecretStore::get_read` returns a typed [`SecretRead`](../libenclaveapp/crates/enclaveapp-app-adapter/src/secret_store.rs) enum with `Present(String) | Redacted | Absent` variants. The read-only inspection store returns `Redacted` directly — it no longer round-trips through the `REDACTED_PLACEHOLDER` sentinel string, so a stored secret whose bytes happen to equal `"<redacted>"` is returned as `Present("<redacted>")` and cannot be misclassified as the sentinel. The legacy `SecretStore::get` is retained for back-compat and still produces `Some(REDACTED_PLACEHOLDER)` from the read-only store; new call sites use `get_read` and match on the enum. Callers that still consume `get` can use `is_redacted_placeholder` for the legacy compare, but the typed API is preferred.
+- **Launcher env inheritance — opt-in scrub.** The launcher still forwards the parent process's full environment plus `env_overrides` to the child by default; `env_overrides` are zeroized after the child exits. Callers that know their wrapped child would be better off without specific inherited env families can now opt in via `LaunchRequest::with_env_scrub(patterns)` (`crates/enclaveapp-app-adapter/src/launcher.rs`). Each pattern is either an exact variable name (`"NPM_TOKEN"`) or a `*`-suffixed prefix (`"NPM_TOKEN_*"`, `"AWS_*"`); matching variables are removed from both the child's `Command` and our own `std::env` via `remove_var`, and our owned `String` copies are zeroized before drop. This is additive to the existing `env_overrides` path — existing callers that don't set `env_scrub_patterns` behave identically. Secrets that *must* survive in the parent env (e.g. `SSH_AUTH_SOCK` for the launcher's own SSH ops) should simply be left out of the scrub pattern list. Type 2 consumers like `npmenc` can scrub inherited `NPM_TOKEN_*` to neutralise a developer-exported token getting picked up by the wrapped `npm` child.
 
-### Credential cache header tamper
+### Credential cache header tamper + rollback
 
-The cache header (version, magic, timestamps, risk level) in `crates/enclaveapp-app-adapter/src/credential_cache.rs` is unauthenticated. A same-UID attacker with file-write access can edit the header's risk level downward, which nominally extends the client-side `CredentialState` policy windows. The AES-GCM-protected body remains intact, so the attacker cannot decrypt the cached credential.
+The cache file's unencrypted header (magic, version, flags, app-specific timestamps) lives next to the encrypted payload in `awsenc-core/src/cache.rs` and `sso-jwt-lib/src/cache.rs`. Without binding, a same-UID attacker with file-write access could edit the header's risk level or expiration to extend client-side caching, and could replay an older valid ciphertext to roll back to a prior credential.
 
-**Mitigations actually in place today:**
+**Mitigations in place today:**
 
-- **Consumer-side `max(header, config)`.** sso-jwt's `effective_cached_risk_level` (`sso-jwt-lib/src/cache.rs:57-59`) and awsenc's equivalent always take the greater of the header-written risk level and the configured minimum. Header downgrade alone cannot reduce the effective risk level below the config.
-- **Server-side expiration is authoritative.** AWS STS credentials and SSO JWTs carry their own `Expiration` / `exp`; a rolled-back-header cache still expires at the real server-side time, not the header's.
-- **Payload-embedded timestamps.** sso-jwt embeds `token_iat` and `session_start` inside the encrypted payload; awsenc embeds credential `expiration` inside the encrypted `AwsCredentials` JSON. Both consumers recheck these after decrypt, ignoring the unencrypted header's version.
+- **Envelope-bound header + monotonic counter** (`crates/enclaveapp-cache/src/envelope.rs`). Plaintext handed to `EncryptionStorage::encrypt` is wrapped in `[4B "APL1"][32B SHA-256(header bytes)][8B BE u64 counter][payload]`. The SHA-256 covers the exact unencrypted header bytes — any post-encryption header edit is detected on decrypt. The 8-byte counter is read from a sibling `<cache>.counter` sidecar protected by an exclusive `fs4` flock, bumped on every successful write, and verified `>= sidecar` on every successful read. Older-ciphertext replay is rejected as `Rollback { observed, expected_at_least }`. The envelope is transparent to the `EncryptionStorage` backend — the trait signature did not change, so all backends (Secure Enclave, CNG, Linux TPM, keyring, WSL bridge) get the protection uniformly.
+- **Legacy-cache migration.** `unwrap_plaintext` accepts payloads without the `APL1` magic as pre-envelope caches (returned with `counter = 0`). Existing user installs continue to work; the first write after upgrading the binary puts them into the new format.
+- **Consumer-side `max(header, config)`.** sso-jwt's `effective_cached_risk_level` (`sso-jwt-lib/src/cache.rs`) and awsenc's equivalent always take the greater of the header-written risk level and the configured minimum. Defense-in-depth even in the pre-migration legacy window.
+- **Server-side expiration is authoritative.** AWS STS credentials and SSO JWTs carry their own `Expiration` / `exp`; a rolled-back-header cache still expires at the real server-side time.
+- **Payload-embedded timestamps.** sso-jwt embeds `token_iat` and `session_start` inside the encrypted payload; awsenc embeds credential `expiration` inside the encrypted `AwsCredentials` JSON. Both consumers recheck these after decrypt.
 
-**Not implemented (noted but deferred):** AES-GCM AAD binding of the header to the ciphertext. The cleanest construction would be to thread the full serialized header bytes into the `EncryptionStorage::encrypt` / `decrypt` path as additional authenticated data — any header edit would then fail decryption. Implementing it requires a trait signature change across all four backends (SE, CNG, keyring, software) and every consumer, plus an on-disk format break for the pre-AAD ciphertexts. Given the mitigations above already neutralize the practical risk level downgrade, this is tracked as future work rather than an active gap.
+**Residual risk:** an attacker with write access to both the `.enc` cache and the `.counter` sidecar can still roll back, but only within the ciphertext's own validity window (server enforces `exp`). Deletion of the sidecar does not help the attacker — `next_counter(sidecar, prior_observed)` takes the max, so a decrypt of the current good cache re-seeds `prior_observed` and a subsequent write still bumps forward.
 
 ### Build-time trust
 
-`crates/enclaveapp-apple/build.rs` invokes `xcrun`, `swiftc`, and `ar` from the developer's `$PATH` with no pinning or signature verification. Build-environment PATH compromise substitutes the Swift object that ends up statically linked into the binary. This is a developer-machine concern, not a user-runtime concern, but worth an explicit note so release tooling can pin to fixed toolchain paths in CI.
+`crates/enclaveapp-apple/build.rs` now invokes the system `xcrun` at its absolute path `/usr/bin/xcrun` (system-managed, not user-writable without sudo) and discovers `swiftc` and `ar` via `xcrun --find <tool>` — the resolved paths sit inside the active Xcode developer directory (`xcode-select -p`) rather than walking `$PATH`. A shadowed `xcrun` / `swiftc` / `ar` earlier on the developer's `$PATH` can no longer substitute a poisoned Swift object into the static bridge that ends up linked into the binary. Release-tooling PATH hygiene is no longer load-bearing for this crate. Other build-environment concerns (Cargo registry, rustc toolchain, linker) remain a general developer-machine trust assumption.
 
 ## What we explicitly don't protect against
 
@@ -182,6 +203,6 @@ Additional behavior:
 
 **Entitled Secure Enclave path not enabled.** Storing SE keys directly as Keychain items via `SecKeyCreateRandomKey` + `kSecAttrTokenIDSecureEnclave` + `kSecAttrIsPermanent: true` would remove the `.handle` file entirely. It requires `keychain-access-groups`, which is an AMFI-restricted entitlement that needs a provisioning profile — even a valid Apple Development cert without a matching profile causes AMFI to kill the binary with error `-413`. This path is only viable for App Store / Enterprise / Xcode-provisioned distribution and is not available for Homebrew or `cargo install` builds. The current Path-2 implementation (AES-GCM-wrapped `.handle` + Keychain-held wrapping key) is the hardening target for unsigned distribution.
 
-**WSL bridge:** Communicates over stdin/stdout of a child process. The client (`crates/enclaveapp-bridge/src/client.rs`) discovers the bridge only from a fixed-path list under `/mnt/c/Program Files/<app>/` and `/mnt/c/ProgramData/<app>/`. Replacing the binary at those paths requires Windows admin rights. The previous `which`-based PATH fallback was removed — a user-writable `$PATH` entry on the WSL side could otherwise substitute a malicious bridge binary. Request/response size is capped at 64 KB, the child is reaped via `BridgeSession::Drop`, and reads are bounded. There is still no Authenticode / `WinVerifyTrust` check on the resolved bridge binary; adding one is a tracked hardening gap for environments where the Windows host itself is semi-trusted.
+**WSL bridge:** Communicates over stdin/stdout of a child process. The client (`crates/enclaveapp-bridge/src/client.rs`) discovers the bridge only from a fixed-path list under `/mnt/c/Program Files/<app>/` and `/mnt/c/ProgramData/<app>/`. Replacing the binary at those paths requires Windows admin rights. The `which`-based PATH fallback was removed — a user-writable `$PATH` entry on the WSL side could otherwise substitute a malicious bridge binary. Request/response size is capped at 64 KB, the child is reaped via `BridgeSession::Drop`, and reads are bounded. Before spawn, `require_bridge_is_authenticode_signed` parses the PE header's security data directory and refuses to spawn a binary with no Authenticode signature block (opt-out: `ENCLAVEAPP_BRIDGE_ALLOW_UNSIGNED=1`). Full chain verification is out of scope from the WSL side — a validly-signed-but-malicious binary planted by a Windows admin is an acknowledged residual risk.
 
 **Keyring backend:** Exists for Linux without TPM. Strictly weaker than hardware backends. Any same-user process can access the keyring. No biometric enforcement. The keyring must be running; if not, the app errors rather than falling back to plaintext.
diff --git a/crates/enclaveapp-app-adapter/src/launcher.rs b/crates/enclaveapp-app-adapter/src/launcher.rs
index 1899cfe..2fdb921 100644
--- a/crates/enclaveapp-app-adapter/src/launcher.rs
+++ b/crates/enclaveapp-app-adapter/src/launcher.rs
@@ -10,6 +10,106 @@ pub struct LaunchRequest {
     pub args: Vec<String>,
     pub env_overrides: BTreeMap<String, String>,
     pub env_removals: Vec<String>,
+    /// Inherited env vars to scrub from the child process's environment
+    /// before spawn.
+    ///
+    /// Each entry is either an exact variable name (e.g. `"NPM_TOKEN"`)
+    /// or a prefix pattern ending in `*` (e.g. `"NPM_TOKEN_*"`,
+    /// `"AWS_*"`). The launcher removes the matching variable from the
+    /// child command via `env_remove`, zeroizes our own process's copy
+    /// via `std::env::remove_var` (best-effort — the libc environ block
+    /// may still hold stale bytes until libc compacts), and never
+    /// forwards the value.
+    ///
+    /// This is opt-in. The threat model addressed: inherited parent-env
+    /// secrets (e.g. a developer with `NPM_TOKEN` already exported at
+    /// login) would otherwise be propagated to the wrapped child
+    /// unchanged, bypassing the `env_overrides` zeroize-on-drop. Type 2
+    /// consumers (`npmenc`, etc.) that know which variable families
+    /// could carry secrets should list them here.
+    pub env_scrub_patterns: Vec<String>,
+}
+
+impl LaunchRequest {
+    /// Add env-scrub patterns to this request. Chains with other
+    /// builder-style usage; patterns are appended to any already set.
+    #[must_use]
+    pub fn with_env_scrub<I, S>(mut self, patterns: I) -> Self
+    where
+        I: IntoIterator<Item = S>,
+        S: Into<String>,
+    {
+        self.env_scrub_patterns
+            .extend(patterns.into_iter().map(Into::into));
+        self
+    }
+}
+
+/// Return `true` if `key` matches any pattern in `patterns`.
+///
+/// A pattern ending in `*` is a prefix match; everything else is an
+/// exact name match. Empty patterns never match. Case-sensitive on
+/// Unix; case-insensitive on Windows because Windows env names are
+/// case-insensitive.
+fn matches_scrub_pattern(key: &str, patterns: &[String]) -> bool {
+    for pat in patterns {
+        if pat.is_empty() {
+            continue;
+        }
+        let matched = if let Some(prefix) = pat.strip_suffix('*') {
+            env_key_starts_with(key, prefix)
+        } else {
+            env_key_eq(key, pat)
+        };
+        if matched {
+            return true;
+        }
+    }
+    false
+}
+
+#[cfg(windows)]
+fn env_key_eq(a: &str, b: &str) -> bool {
+    a.eq_ignore_ascii_case(b)
+}
+
+#[cfg(not(windows))]
+fn env_key_eq(a: &str, b: &str) -> bool {
+    a == b
+}
+
+#[cfg(windows)]
+fn env_key_starts_with(key: &str, prefix: &str) -> bool {
+    key.len() >= prefix.len() && key[..prefix.len()].eq_ignore_ascii_case(prefix)
+}
+
+#[cfg(not(windows))]
+fn env_key_starts_with(key: &str, prefix: &str) -> bool {
+    key.starts_with(prefix)
+}
+
+/// Apply `env_scrub_patterns` to the child `command` and to our own
+/// process environment: remove matching variables from both, zeroizing
+/// the owned `String` copies we pull out of `std::env::vars()`.
+fn apply_env_scrub(command: &mut Command, patterns: &[String]) {
+    if patterns.is_empty() {
+        return;
+    }
+    let matching_keys: Vec<String> = std::env::vars()
+        .map(|(k, mut v)| {
+            // Zeroize the value string's bytes in place before it
+            // drops. These are our process's own copies.
+            zeroize_str(&mut v);
+            k
+        })
+        .filter(|k| matches_scrub_pattern(k, patterns))
+        .collect();
+    for key in matching_keys {
+        command.env_remove(&key);
+        // Best-effort scrub of our own process env so any later
+        // subprocess spawned without `env_clear` does not re-inherit.
+        std::env::remove_var(&key);
+    }
 }
 
 /// Execute a launch request, spawning the target process.
@@ -18,6 +118,15 @@ pub struct LaunchRequest {
 /// them from being paged to swap. After the child exits, the values are
 /// zeroized in-place and then unlocked.
 ///
+/// On Unix, the spawned child has `RLIMIT_CORE` clamped to 0 via a `pre_exec`
+/// hook so that a crash of the target process cannot dump its environment
+/// (which holds the secrets interpolated for Type 2 delivery). The parent
+/// process's own core-dump policy is independent.
+///
+/// Inherited env vars matching any `env_scrub_patterns` entry are removed
+/// from both the child's command and the parent's own process environment
+/// before spawn.
+///
 /// Takes ownership of the `LaunchRequest` so that `env_overrides` values
 /// (which may contain secrets) can be overwritten with zeros after the
 /// child process exits. Callers that need the request afterwards should
@@ -36,10 +145,16 @@ pub fn run(mut request: LaunchRequest) -> Result<ExitStatus> {
         command.env_remove(key);
     }
 
+    // Scrub inherited secret env vars before applying overrides so an
+    // accidentally-overlapping override still wins over the scrub.
+    apply_env_scrub(&mut command, &request.env_scrub_patterns);
+
     for (key, value) in &request.env_overrides {
         command.env(key, value);
     }
 
+    disable_core_dumps_in_child(&mut command);
+
     let status = command.status()?;
 
     // Zeroize secret env var values, then unlock.
@@ -51,6 +166,32 @@ pub fn run(mut request: LaunchRequest) -> Result<ExitStatus> {
     Ok(status)
 }
 
+#[cfg(unix)]
+fn disable_core_dumps_in_child(command: &mut Command) {
+    use std::os::unix::process::CommandExt;
+
+    #[allow(unsafe_code)]
+    unsafe {
+        command.pre_exec(|| {
+            let limit = libc::rlimit {
+                rlim_cur: 0,
+                rlim_max: 0,
+            };
+            // Errors from setrlimit here are non-fatal — the spawn still proceeds
+            // and the OS-level core_pattern may already block dumps. We don't
+            // propagate errors to avoid refusing to launch on unusual systems.
+            let _ = libc::setrlimit(libc::RLIMIT_CORE, &limit);
+            Ok(())
+        });
+    }
+}
+
+#[cfg(not(unix))]
+fn disable_core_dumps_in_child(_command: &mut Command) {
+    // Windows does not have RLIMIT_CORE. WER crash-dump collection is a
+    // system-wide policy; child-process-local opt-out is not available.
+}
+
 /// Overwrite the contents of a string with zeros without deallocating.
 fn zeroize_str(s: &mut str) {
     // Safety: filling the existing UTF-8 bytes with 0 is valid UTF-8 (all NUL).
@@ -73,4 +214,112 @@ mod tests {
         assert!(s.bytes().all(|b| b == 0));
         assert_eq!(s.len(), 12);
     }
+
+    #[cfg(unix)]
+    #[test]
+    fn child_inherits_zero_core_limit() {
+        use std::process::Command;
+        let mut cmd = Command::new("/bin/sh");
+        cmd.args(["-c", "ulimit -c"]);
+        disable_core_dumps_in_child(&mut cmd);
+        let output = cmd.output().expect("spawn sh");
+        let stdout = String::from_utf8_lossy(&output.stdout);
+        assert_eq!(stdout.trim(), "0", "child should inherit core limit of 0");
+    }
+
+    #[test]
+    fn matches_scrub_pattern_exact() {
+        let pats = vec!["NPM_TOKEN".into()];
+        assert!(matches_scrub_pattern("NPM_TOKEN", &pats));
+        assert!(!matches_scrub_pattern("NPM_TOKEN_2", &pats));
+        assert!(!matches_scrub_pattern("OTHER", &pats));
+    }
+
+    #[test]
+    fn matches_scrub_pattern_prefix() {
+        let pats = vec!["NPM_TOKEN_*".into(), "AWS_*".into()];
+        assert!(matches_scrub_pattern("NPM_TOKEN_", &pats));
+        assert!(matches_scrub_pattern("NPM_TOKEN_REGISTRY", &pats));
+        assert!(matches_scrub_pattern("AWS_ACCESS_KEY_ID", &pats));
+        assert!(!matches_scrub_pattern("NPM_OTHER", &pats));
+        assert!(!matches_scrub_pattern("GITHUB_TOKEN", &pats));
+    }
+
+    #[test]
+    fn matches_scrub_pattern_empty_never_matches() {
+        let pats = vec![String::new(), "*".into()];
+        // Empty pattern doesn't match. A bare `*` is a prefix-match
+        // with empty prefix, which matches EVERYTHING — that's by design
+        // (callers who want to scrub the whole env can use it).
+        assert!(!matches_scrub_pattern("FOO", &[String::new()]));
+        assert!(matches_scrub_pattern("FOO", &pats));
+    }
+
+    #[test]
+    fn with_env_scrub_appends_patterns() {
+        use crate::types::ResolutionStrategy;
+        let req = LaunchRequest {
+            program: ResolvedProgram {
+                path: "/bin/true".into(),
+                fixed_args: vec![],
+                strategy: ResolutionStrategy::ExplicitPath,
+                shell_hint: None,
+            },
+            args: vec![],
+            env_overrides: BTreeMap::new(),
+            env_removals: vec![],
+            env_scrub_patterns: vec!["EXISTING".into()],
+        };
+        let req = req.with_env_scrub(["NEW_*", "ANOTHER"]);
+        assert_eq!(req.env_scrub_patterns, vec!["EXISTING", "NEW_*", "ANOTHER"]);
+    }
+
+    #[cfg(unix)]
+    #[test]
+    fn scrub_removes_inherited_env_from_child_and_own_process() {
+        // Set a "secret-looking" env var + a non-matching keeper, scrub
+        // the secret via a prefix pattern, verify the child sees only
+        // the keeper and our own process no longer has the secret.
+        let marker = format!("ENCLAVEAPP_SCRUB_TEST_{}_", std::process::id());
+        let scrub_key = format!("{marker}TOKEN");
+        let keep_key = format!("{marker}KEEP");
+        std::env::set_var(&scrub_key, "matched-by-test");
+        std::env::set_var(&keep_key, "KEPT");
+
+        // Only the TOKEN suffix matches the pattern; KEEP should survive.
+        let prefix_pattern = format!("{marker}T*");
+
+        // Child prints both vars so we can confirm delivery / absence.
+        let script = format!(
+            "echo scrub=[${scrub_key}] keep=[${keep_key}]",
+            scrub_key = scrub_key,
+            keep_key = keep_key,
+        );
+        let mut cmd = Command::new("/bin/sh");
+        cmd.args(["-c", &script]);
+
+        apply_env_scrub(&mut cmd, &[prefix_pattern]);
+
+        let output = cmd.output().expect("spawn sh");
+        let stdout = String::from_utf8_lossy(&output.stdout);
+        assert!(
+            stdout.contains("scrub=[]"),
+            "scrubbed var leaked to child: {stdout}"
+        );
+        assert!(
+            stdout.contains("keep=[KEPT]"),
+            "kept var did not reach child: {stdout}"
+        );
+        assert!(
+            std::env::var(&scrub_key).is_err(),
+            "scrubbed var still present in our own env"
+        );
+        assert_eq!(
+            std::env::var(&keep_key).as_deref().ok(),
+            Some("KEPT"),
+            "kept var disappeared from our own env"
+        );
+
+        std::env::remove_var(&keep_key);
+    }
 }
diff --git a/crates/enclaveapp-app-adapter/src/lib.rs b/crates/enclaveapp-app-adapter/src/lib.rs
index 6cb3723..a17b122 100644
--- a/crates/enclaveapp-app-adapter/src/lib.rs
+++ b/crates/enclaveapp-app-adapter/src/lib.rs
@@ -59,7 +59,7 @@ pub use provenance::{
 pub use resolver::{resolve_program, ResolveMode, ResolveOptions};
 pub use secret_store::{
     is_redacted_placeholder, EncryptedFileSecretStore, MemorySecretStore,
-    ReadOnlyEncryptedFileSecretStore, SecretStore, REDACTED_PLACEHOLDER,
+    ReadOnlyEncryptedFileSecretStore, SecretRead, SecretStore, REDACTED_PLACEHOLDER,
 };
 pub use state_lock::{with_state_lock, with_state_lock_read_only};
 pub use temp_config::TempConfig;
diff --git a/crates/enclaveapp-app-adapter/src/prepare_launch.rs b/crates/enclaveapp-app-adapter/src/prepare_launch.rs
index 5c818a5..13b820b 100644
--- a/crates/enclaveapp-app-adapter/src/prepare_launch.rs
+++ b/crates/enclaveapp-app-adapter/src/prepare_launch.rs
@@ -148,6 +148,7 @@ fn prepare_without_temp(
             args: launch_args,
             env_overrides,
             env_removals: Vec::new(),
+            env_scrub_patterns: Vec::new(),
         },
         temp_config_path: None,
         temp_config: None,
@@ -188,6 +189,7 @@ fn prepare_with_temp(
             args,
             env_overrides,
             env_removals: Vec::new(),
+            env_scrub_patterns: Vec::new(),
         },
         temp_config_path: Some(temp_path),
         temp_config: Some(temp_config),
diff --git a/crates/enclaveapp-app-adapter/src/secret_store.rs b/crates/enclaveapp-app-adapter/src/secret_store.rs
index 071157c..efc7487 100644
--- a/crates/enclaveapp-app-adapter/src/secret_store.rs
+++ b/crates/enclaveapp-app-adapter/src/secret_store.rs
@@ -18,33 +18,99 @@ use crate::binding_store::app_data_dir;
 use crate::error::{AdapterError, Result};
 use crate::types::BindingId;
 
-/// Placeholder value returned by read-only secret stores instead of the
-/// actual secret.  Consumers that need to distinguish "secret exists but
-/// cannot be read" from a real value **must** use [`is_redacted_placeholder`]
-/// rather than a bare `==` comparison — the function performs a
-/// constant-time byte compare and centralizes the collision-risk
-/// surface on a single helper that can be upgraded to a typed return
-/// type without touching every call site.
+/// Placeholder value returned by the legacy [`SecretStore::get`] method
+/// from read-only secret stores instead of the actual secret.
+///
+/// **Prefer [`SecretStore::get_read`]**, which returns a typed
+/// [`SecretRead`] enum and cannot be confused with a real secret whose
+/// bytes happen to equal this literal. The constant is retained for the
+/// old `get` path and for back-compat with persisted state (npmenc
+/// stores per-binding token-source state strings that may literally be
+/// `"<redacted>"` after a `show --raw` export).
 pub const REDACTED_PLACEHOLDER: &str = "<redacted>";
 
-/// Check whether a secret-store string return is the redaction sentinel.
+/// Check whether a legacy string return is the redaction sentinel.
 ///
-/// The sentinel collides semantically with any real secret whose value
-/// happens to equal the literal string `"<redacted>"`. That's a
-/// vanishingly unlikely collision for npm tokens (which begin with
-/// `npm_`) or SSO JWTs (which are base64-encoded with `.` separators),
-/// but the library cannot prove it can never happen. Using this helper
-/// keeps the single comparison site canonical — a future migration to
-/// a typed `SecretMaterialization` enum can swap this function's body
-/// without breaking call-site ergonomics.
+/// Equivalent to `value == REDACTED_PLACEHOLDER`. New code should
+/// compare against [`SecretRead::Redacted`] instead — this helper is
+/// kept for call sites that still consume the legacy
+/// [`SecretStore::get`] result.
 #[must_use]
 pub fn is_redacted_placeholder(value: &str) -> bool {
     value == REDACTED_PLACEHOLDER
 }
 
+/// Typed outcome of reading a secret from a [`SecretStore`].
+///
+/// Callers that distinguish "secret exists but cannot be read" from
+/// "secret present" should match on this enum instead of inspecting a
+/// string. The [`Present`](SecretRead::Present) variant owns the
+/// plaintext; [`Redacted`](SecretRead::Redacted) carries no material;
+/// [`Absent`](SecretRead::Absent) means nothing was stored.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum SecretRead {
+    /// Secret material was successfully read.
+    Present(String),
+    /// A value is stored for this id but the store will not hand it over
+    /// — for example the read-only inspection store that knows an entry
+    /// exists but intentionally refuses to decrypt.
+    Redacted,
+    /// No entry is stored for this id.
+    Absent,
+}
+
+impl SecretRead {
+    /// True if the variant is `Present`.
+    #[must_use]
+    pub fn is_present(&self) -> bool {
+        matches!(self, SecretRead::Present(_))
+    }
+
+    /// True if the variant is `Redacted`.
+    #[must_use]
+    pub fn is_redacted(&self) -> bool {
+        matches!(self, SecretRead::Redacted)
+    }
+
+    /// True if the variant is `Absent`.
+    #[must_use]
+    pub fn is_absent(&self) -> bool {
+        matches!(self, SecretRead::Absent)
+    }
+
+    /// Consume and return the plaintext if `Present`, else `None`.
+    /// Redacted is mapped to `None` — callers that need to distinguish
+    /// redaction from absence must match on the enum directly.
+    #[must_use]
+    pub fn into_present(self) -> Option<String> {
+        match self {
+            SecretRead::Present(s) => Some(s),
+            SecretRead::Redacted | SecretRead::Absent => None,
+        }
+    }
+}
+
 pub trait SecretStore {
     fn set(&self, id: &BindingId, secret: &str) -> Result<()>;
+
+    /// Legacy string-return read. Kept for back-compat. Prefer
+    /// [`get_read`](SecretStore::get_read), which returns a typed
+    /// [`SecretRead`] and cannot be confused with a real secret whose
+    /// bytes equal [`REDACTED_PLACEHOLDER`].
     fn get(&self, id: &BindingId) -> Result<Option<String>>;
+
+    /// Typed-return read. Default implementation forwards to `get` and
+    /// maps `Some("<redacted>")` → [`SecretRead::Redacted`]. Store
+    /// implementations that can distinguish present-vs-redacted
+    /// natively should override to avoid the string-sentinel round-trip.
+    fn get_read(&self, id: &BindingId) -> Result<SecretRead> {
+        match self.get(id)? {
+            Some(value) if value == REDACTED_PLACEHOLDER => Ok(SecretRead::Redacted),
+            Some(value) => Ok(SecretRead::Present(value)),
+            None => Ok(SecretRead::Absent),
+        }
+    }
+
     fn delete(&self, id: &BindingId) -> Result<bool>;
 }
 
@@ -224,6 +290,18 @@ impl SecretStore for EncryptedFileSecretStore {
             Ok(true)
         })
     }
+
+    fn get_read(&self, id: &BindingId) -> Result<SecretRead> {
+        // The encrypted store always returns real plaintext via `get`,
+        // so Present is the only non-Absent outcome. A real secret that
+        // happens to equal `"<redacted>"` in bytes is returned as
+        // `Present("<redacted>")` here — *not* as `Redacted` — so the
+        // typed API is collision-free on read-write stores.
+        Ok(match self.get(id)? {
+            Some(value) => SecretRead::Present(value),
+            None => SecretRead::Absent,
+        })
+    }
 }
 
 impl SecretStore for ReadOnlyEncryptedFileSecretStore {
@@ -249,17 +327,60 @@ impl SecretStore for ReadOnlyEncryptedFileSecretStore {
             "read-only secret store cannot delete `{id:?}`"
         )))
     }
+
+    fn get_read(&self, id: &BindingId) -> Result<SecretRead> {
+        // Bypass the string sentinel — report Redacted directly so a
+        // stored secret whose bytes are literally `"<redacted>"` can
+        // still be distinguished from "exists but not handed over."
+        if !self.dir.exists() {
+            return Ok(SecretRead::Absent);
+        }
+        if !self.path_for(id).exists() {
+            return Ok(SecretRead::Absent);
+        }
+        Ok(SecretRead::Redacted)
+    }
+}
+
+/// Per-id outcome that the in-memory store will report.
+///
+/// `Material(String)` is the normal path — real plaintext stored and
+/// returned. `Redacted` is an explicit inspection simulation: `get`
+/// returns `Some(REDACTED_PLACEHOLDER)` for legacy callers, `get_read`
+/// returns `SecretRead::Redacted`. Tests that want to exercise the
+/// redacted-state code path should use
+/// [`MemorySecretStore::mark_redacted`] rather than writing the
+/// sentinel string via `set` — writing the sentinel via `set` now
+/// round-trips as `Present(<redacted>)` through the typed API, per
+/// the design that makes the sentinel collision-free.
+#[derive(Debug, Clone)]
+enum MemoryEntry {
+    Material(String),
+    Redacted,
 }
 
 #[derive(Debug, Default)]
 pub struct MemorySecretStore {
-    values: Mutex<HashMap<BindingId, String>>,
+    values: Mutex<HashMap<BindingId, MemoryEntry>>,
 }
 
 impl MemorySecretStore {
     pub fn new() -> Self {
         Self::default()
     }
+
+    /// Mark an entry as redacted — `get_read` will return
+    /// [`SecretRead::Redacted`] and the legacy `get` will return
+    /// `Some(REDACTED_PLACEHOLDER)`. Test-only: mirrors what a
+    /// real [`ReadOnlyEncryptedFileSecretStore`] does without
+    /// requiring the test to spin up a filesystem-backed store.
+    pub fn mark_redacted(&self, id: &BindingId) -> Result<()> {
+        self.values
+            .lock()
+            .map_err(|_| AdapterError::Storage("secret store mutex poisoned".to_string()))?
+            .insert(id.clone(), MemoryEntry::Redacted);
+        Ok(())
+    }
 }
 
 impl SecretStore for MemorySecretStore {
@@ -267,7 +388,7 @@ impl SecretStore for MemorySecretStore {
         self.values
             .lock()
             .map_err(|_| AdapterError::Storage("secret store mutex poisoned".to_string()))?
-            .insert(id.clone(), secret.to_string());
+            .insert(id.clone(), MemoryEntry::Material(secret.to_string()));
         Ok(())
     }
 
@@ -277,7 +398,10 @@ impl SecretStore for MemorySecretStore {
             .lock()
             .map_err(|_| AdapterError::Storage("secret store mutex poisoned".to_string()))?
             .get(id)
-            .cloned())
+            .map(|entry| match entry {
+                MemoryEntry::Material(value) => value.clone(),
+                MemoryEntry::Redacted => REDACTED_PLACEHOLDER.to_string(),
+            }))
     }
 
     fn delete(&self, id: &BindingId) -> Result<bool> {
@@ -288,6 +412,21 @@ impl SecretStore for MemorySecretStore {
             .remove(id)
             .is_some())
     }
+
+    fn get_read(&self, id: &BindingId) -> Result<SecretRead> {
+        // Stored `Material("<redacted>")` round-trips as Present, not
+        // Redacted — the typed API is collision-free by construction.
+        // Only explicit `mark_redacted` surfaces `SecretRead::Redacted`.
+        Ok(self
+            .values
+            .lock()
+            .map_err(|_| AdapterError::Storage("secret store mutex poisoned".to_string()))?
+            .get(id)
+            .map_or(SecretRead::Absent, |entry| match entry {
+                MemoryEntry::Material(value) => SecretRead::Present(value.clone()),
+                MemoryEntry::Redacted => SecretRead::Redacted,
+            }))
+    }
 }
 
 fn hash_id(id: &BindingId) -> String {
@@ -363,6 +502,76 @@ mod tests {
         assert_eq!(REDACTED_PLACEHOLDER, "<redacted>");
     }
 
+    #[test]
+    fn get_read_on_memory_store_wraps_present() {
+        let store = MemorySecretStore::new();
+        let id = BindingId::new("npm:tm");
+        store.set(&id, "real-token").unwrap();
+        match store.get_read(&id).unwrap() {
+            SecretRead::Present(value) => assert_eq!(value, "real-token"),
+            other => panic!("expected Present, got {other:?}"),
+        }
+    }
+
+    #[test]
+    fn get_read_on_memory_store_wraps_absent() {
+        let store = MemorySecretStore::new();
+        let id = BindingId::new("npm:missing");
+        assert_eq!(store.get_read(&id).unwrap(), SecretRead::Absent);
+    }
+
+    #[test]
+    fn get_read_on_memory_store_returns_present_even_for_sentinel_bytes() {
+        // A secret that literally equals "<redacted>" must not be
+        // misclassified as Redacted — that's the whole point of the
+        // typed API.
+        let store = MemorySecretStore::new();
+        let id = BindingId::new("npm:collision");
+        store.set(&id, REDACTED_PLACEHOLDER).unwrap();
+        match store.get_read(&id).unwrap() {
+            SecretRead::Present(value) => assert_eq!(value, REDACTED_PLACEHOLDER),
+            other => panic!("expected Present(<redacted>), got {other:?}"),
+        }
+    }
+
+    #[test]
+    fn get_read_on_read_only_store_returns_redacted_for_existing_entry() {
+        let dir = tempfile::tempdir().expect("temp dir");
+        let secrets_dir = dir.path().join("secrets");
+        fs::create_dir_all(&secrets_dir).expect("mkdir");
+
+        let store = ReadOnlyEncryptedFileSecretStore {
+            dir: secrets_dir.clone(),
+        };
+        let id = BindingId::new("npm:ro-collision");
+        fs::write(store.path_for(&id), b"ignored-ciphertext").unwrap();
+
+        assert_eq!(store.get_read(&id).unwrap(), SecretRead::Redacted);
+    }
+
+    #[test]
+    fn get_read_on_read_only_store_returns_absent_when_no_entry() {
+        let dir = tempfile::tempdir().expect("temp dir");
+        let store = ReadOnlyEncryptedFileSecretStore {
+            dir: dir.path().join("secrets"),
+        };
+        let id = BindingId::new("npm:missing");
+        assert_eq!(store.get_read(&id).unwrap(), SecretRead::Absent);
+    }
+
+    #[test]
+    fn secret_read_helpers() {
+        assert!(SecretRead::Present("t".into()).is_present());
+        assert!(SecretRead::Redacted.is_redacted());
+        assert!(SecretRead::Absent.is_absent());
+        assert_eq!(
+            SecretRead::Present("t".into()).into_present(),
+            Some("t".into())
+        );
+        assert_eq!(SecretRead::Redacted.into_present(), None);
+        assert_eq!(SecretRead::Absent.into_present(), None);
+    }
+
     #[test]
     fn read_only_store_returns_redacted_for_existing_secret() {
         let dir = tempfile::tempdir().expect("temp dir");
diff --git a/crates/enclaveapp-app-storage/src/encryption.rs b/crates/enclaveapp-app-storage/src/encryption.rs
index 67513cf..bd874f2 100644
--- a/crates/enclaveapp-app-storage/src/encryption.rs
+++ b/crates/enclaveapp-app-storage/src/encryption.rs
@@ -259,6 +259,24 @@ impl AppEncryptionStorage {
         expected_policy: AccessPolicy,
     ) -> Result<()> {
         if encryptor.public_key(&config.key_label).is_ok() {
+            // Key exists — verify the `.meta.hmac` sidecar first when a
+            // per-app meta-HMAC key is available in the system keyring
+            // (Linux / keyring backend only). A HMAC mismatch is a hard
+            // failure: someone rewrote `.meta` after save, so we don't
+            // trust any stored policy and refuse to proceed.
+            #[cfg(target_os = "linux")]
+            if let Some(hmac_key) = enclaveapp_keyring::meta_hmac_key(&config.app_name) {
+                if let Err(e) =
+                    metadata::load_meta_with_hmac(keys_dir, &config.key_label, hmac_key.as_slice())
+                {
+                    let msg = e.to_string();
+                    if msg.contains("meta_hmac_verify") {
+                        return Err(StorageError::KeyInitFailed(msg));
+                    }
+                    // Non-HMAC errors (missing file, deserialize, etc.)
+                    // fall through to the legacy handling below.
+                }
+            }
             // Key exists — check policy match.
             if let Ok(meta) = metadata::load_meta(keys_dir, &config.key_label) {
                 if meta.access_policy != expected_policy {
diff --git a/crates/enclaveapp-apple/build.rs b/crates/enclaveapp-apple/build.rs
index 03c7334..393e46a 100644
--- a/crates/enclaveapp-apple/build.rs
+++ b/crates/enclaveapp-apple/build.rs
@@ -17,6 +17,40 @@ use std::env;
 use std::path::PathBuf;
 use std::process::Command;
 
+/// Absolute path to the system `xcrun` tool.
+///
+/// `xcrun` is part of Xcode Command Line Tools and lives at
+/// `/usr/bin/xcrun` on all macOS installations. Invoking it by
+/// absolute path (rather than bare `xcrun`, which walks `$PATH`)
+/// removes a PATH-hijack vector from the build-machine trust
+/// boundary — a shadowed `xcrun` earlier on `$PATH` can no longer
+/// substitute a poisoned swiftc / ar into the static bridge object
+/// that ends up linked into the binary. See
+/// libenclaveapp/THREAT_MODEL.md "Build-time trust".
+const XCRUN: &str = "/usr/bin/xcrun";
+
+/// Resolve a toolchain tool by asking `xcrun --find`. The returned
+/// absolute path bypasses `$PATH` and points at the tool inside the
+/// active Xcode developer directory (`xcode-select -p`), which is a
+/// system-managed path.
+fn xcrun_find(tool: &str) -> PathBuf {
+    let output = Command::new(XCRUN)
+        .args(["--find", tool])
+        .output()
+        .unwrap_or_else(|e| panic!("failed to run {XCRUN} --find {tool}: {e}"));
+    if !output.status.success() {
+        panic!(
+            "xcrun --find {tool} failed: {}",
+            String::from_utf8_lossy(&output.stderr)
+        );
+    }
+    let path = String::from_utf8(output.stdout)
+        .unwrap_or_else(|e| panic!("invalid xcrun output for {tool}: {e}"))
+        .trim()
+        .to_string();
+    PathBuf::from(path)
+}
+
 fn main() {
     // Only build Swift bridge on macOS
     if env::var("CARGO_CFG_TARGET_OS").unwrap_or_default() != "macos" {
@@ -34,19 +68,24 @@ fn main() {
         _ => "arm64-apple-macos14.0",
     };
 
-    // Find the macOS SDK path
-    let sdk_output = Command::new("xcrun")
+    // Resolve all toolchain executables via the absolute `/usr/bin/xcrun`
+    // rather than walking `$PATH`. The resolved `swiftc` and `ar` land
+    // inside the active Xcode developer directory.
+    let sdk_output = Command::new(XCRUN)
         .args(["--show-sdk-path", "--sdk", "macosx"])
         .output()
-        .unwrap_or_else(|e| panic!("failed to run xcrun: {e}"));
+        .unwrap_or_else(|e| panic!("failed to run {XCRUN} --show-sdk-path: {e}"));
     let sdk_path = String::from_utf8(sdk_output.stdout)
         .unwrap_or_else(|e| panic!("invalid xcrun output: {e}"))
         .trim()
         .to_string();
 
+    let swiftc = xcrun_find("swiftc");
+    let ar = xcrun_find("ar");
+
     // Compile Swift to object file
     let obj_path = out_dir.join("enclaveapp_se_bridge.o");
-    let status = Command::new("swiftc")
+    let status = Command::new(&swiftc)
         .args([
             "-emit-object",
             "-target",
@@ -60,19 +99,19 @@ fn main() {
         .arg(&obj_path)
         .arg(swift_src)
         .status()
-        .unwrap_or_else(|e| panic!("failed to run swiftc: {e}"));
+        .unwrap_or_else(|e| panic!("failed to run {}: {e}", swiftc.display()));
 
     if !status.success() {
         panic!("swiftc compilation failed");
     }
 
     // Create static library from object file
-    let status = Command::new("ar")
+    let status = Command::new(&ar)
         .args(["rcs"])
         .arg(&lib_path)
         .arg(&obj_path)
         .status()
-        .unwrap_or_else(|e| panic!("failed to run ar: {e}"));
+        .unwrap_or_else(|e| panic!("failed to run {}: {e}", ar.display()));
 
     if !status.success() {
         panic!("ar failed to create static library");
@@ -81,21 +120,16 @@ fn main() {
     // Find the Swift runtime library path for linking
     let swift_lib_dir = format!("{sdk_path}/usr/lib/swift");
 
-    // Also need the toolchain's swift lib dir for the runtime
-    let toolchain_output = Command::new("xcrun")
-        .args(["--find", "swiftc"])
-        .output()
-        .unwrap_or_else(|e| panic!("failed to find swiftc: {e}"));
-    let swiftc_path = String::from_utf8(toolchain_output.stdout)
-        .unwrap_or_else(|e| panic!("invalid xcrun output for swiftc path: {e}"))
-        .trim()
-        .to_string();
-    let swiftc_pb = PathBuf::from(&swiftc_path);
-    let toolchain_lib = swiftc_pb
+    // Toolchain's swift lib dir — derived from the resolved swiftc path,
+    // which is itself a sibling of the toolchain's `lib/swift/macosx`.
+    let toolchain_lib = swiftc
         .parent()
         .and_then(|p| p.parent())
         .unwrap_or_else(|| {
-            panic!("unexpected swiftc path structure (expected .../bin/swiftc): {swiftc_path}")
+            panic!(
+                "unexpected swiftc path structure (expected .../bin/swiftc): {}",
+                swiftc.display()
+            )
         })
         .join("lib")
         .join("swift")
diff --git a/crates/enclaveapp-apple/src/keychain.rs b/crates/enclaveapp-apple/src/keychain.rs
index 5a222f3..7cc17da 100644
--- a/crates/enclaveapp-apple/src/keychain.rs
+++ b/crates/enclaveapp-apple/src/keychain.rs
@@ -89,11 +89,25 @@ fn generate_key_with_retry<F>(mut generate_ffi: F) -> Result<(Vec<u8>, Vec<u8>)>
 where
     F: FnMut(*mut u8, *mut i32, *mut u8, *mut i32) -> i32,
 {
+    /// Hard cap on resize retries. `SE_ERR_BUFFER_TOO_SMALL` is only
+    /// ever legitimately raised by a genuine buffer-sizing shortfall,
+    /// which converges in one retry with the Swift-reported length.
+    /// Capping at 4 keeps a Swift-side contract bug (e.g. the FFI
+    /// starts returning `SE_ERR_BUFFER_TOO_SMALL` for some other
+    /// condition) from spinning forever; we surface it as a hard
+    /// error the developer can see.
+    const MAX_RESIZE_RETRIES: usize = 4;
+    /// Uncompressed P-256 public key is always 65 bytes. We allocate
+    /// exactly that size and never grow it. If the FFI reports
+    /// `pub_key_len > 65`, something violated the contract — surface
+    /// it explicitly rather than blindly resizing.
+    const UNCOMPRESSED_P256_PUBKEY_LEN: usize = 65;
+
     let mut data_rep_capacity = 1024_usize;
 
-    loop {
-        let mut pub_key = vec![0_u8; 65];
-        let mut pub_key_len: i32 = 65;
+    for _ in 0..MAX_RESIZE_RETRIES {
+        let mut pub_key = vec![0_u8; UNCOMPRESSED_P256_PUBKEY_LEN];
+        let mut pub_key_len: i32 = UNCOMPRESSED_P256_PUBKEY_LEN as i32;
         let mut data_rep = vec![0_u8; data_rep_capacity];
         let mut data_rep_len: i32 = data_rep_capacity as i32;
 
@@ -104,11 +118,25 @@ where
             &mut data_rep_len,
         );
 
-        if rc == SE_ERR_BUFFER_TOO_SMALL
-            && usize::try_from(data_rep_len).ok() > Some(data_rep_capacity)
-        {
-            data_rep_capacity = data_rep_len as usize;
-            continue;
+        if rc == SE_ERR_BUFFER_TOO_SMALL {
+            // Swift's contract for this code: `*_len.pointee` now
+            // holds the required size. Honor it only if it's
+            // strictly greater than what we sent — otherwise the
+            // return code is being used for something other than
+            // "need more buffer space," which is a contract
+            // violation we refuse to paper over with a retry.
+            let returned = usize::try_from(data_rep_len).unwrap_or(0);
+            if returned > data_rep_capacity {
+                data_rep_capacity = returned;
+                continue;
+            }
+            return Err(Error::GenerateFailed {
+                detail: format!(
+                    "FFI reported SE_ERR_BUFFER_TOO_SMALL but did not grow data_rep_len \
+                     (sent {data_rep_capacity} bytes, got back {returned}) — \
+                     Swift bridge contract violation"
+                ),
+            });
         }
 
         if rc != 0 {
@@ -117,10 +145,29 @@ where
             });
         }
 
-        pub_key.truncate(pub_key_len as usize);
-        data_rep.truncate(data_rep_len as usize);
+        // Contract sanity: pub_key buffer is fixed at 65 bytes.
+        let pub_key_len_usize = usize::try_from(pub_key_len).unwrap_or(0);
+        if pub_key_len_usize > UNCOMPRESSED_P256_PUBKEY_LEN {
+            return Err(Error::GenerateFailed {
+                detail: format!(
+                    "FFI reported pub_key_len = {pub_key_len_usize} but the buffer is \
+                     fixed at {UNCOMPRESSED_P256_PUBKEY_LEN} bytes — Swift bridge contract violation"
+                ),
+            });
+        }
+
+        pub_key.truncate(pub_key_len_usize);
+        let data_rep_len_usize = usize::try_from(data_rep_len).unwrap_or(0);
+        data_rep.truncate(data_rep_len_usize);
         return Ok((pub_key, data_rep));
     }
+
+    Err(Error::GenerateFailed {
+        detail: format!(
+            "Swift bridge repeatedly returned SE_ERR_BUFFER_TOO_SMALL after {MAX_RESIZE_RETRIES} \
+             retries — contract violation"
+        ),
+    })
 }
 
 /// Generate a Secure Enclave key and persist its local metadata atomically.
diff --git a/crates/enclaveapp-apple/src/keychain_wrap.rs b/crates/enclaveapp-apple/src/keychain_wrap.rs
index 23d1246..38e2157 100644
--- a/crates/enclaveapp-apple/src/keychain_wrap.rs
+++ b/crates/enclaveapp-apple/src/keychain_wrap.rs
@@ -157,7 +157,7 @@ pub fn decrypt_blob(wrapping_key: &[u8; WRAP_KEY_LEN], blob: &[u8]) -> Result<Ve
 /// given app. The account is the key `<label>` so every key gets its own
 /// wrapping-key entry.
 pub fn service_name_for(app_name: &str) -> String {
-    format!("com.enclaveapp.{app_name}")
+    format!("com.libenclaveapp.{app_name}")
 }
 
 /// Store a wrapping key in the login keychain. Replaces any existing
@@ -268,7 +268,12 @@ pub fn keychain_delete(app_name: &str, label: &str) -> Result<()> {
             account_bytes.len() as i32,
         )
     };
-    if rc == 0 {
+    // 12 = SE_ERR_KEYCHAIN_NOT_FOUND, which the Swift side now also
+    // returns when no default keychain is reachable. `keychain_delete`
+    // is idempotent — treat both "entry already absent" and "no
+    // keychain to look in" as success so uninstall / cleanup don't
+    // error out in isolated `$HOME` contexts.
+    if rc == 0 || rc == 12 {
         Ok(())
     } else {
         Err(Error::KeyOperation {
@@ -462,8 +467,8 @@ mod tests {
 
     #[test]
     fn service_name_matches_expected_format() {
-        assert_eq!(service_name_for("sshenc"), "com.enclaveapp.sshenc");
-        assert_eq!(service_name_for("awsenc"), "com.enclaveapp.awsenc");
+        assert_eq!(service_name_for("sshenc"), "com.libenclaveapp.sshenc");
+        assert_eq!(service_name_for("awsenc"), "com.libenclaveapp.awsenc");
     }
 
     // ───── Real-keychain integration tests (macOS only) ─────
diff --git a/crates/enclaveapp-apple/swift/bridge.swift b/crates/enclaveapp-apple/swift/bridge.swift
index 32c8f5b..3b29def 100644
--- a/crates/enclaveapp-apple/swift/bridge.swift
+++ b/crates/enclaveapp-apple/swift/bridge.swift
@@ -25,6 +25,13 @@ let SE_OK: Int32 = 0
 let SE_ERR_GENERATE: Int32 = 1
 let SE_ERR_LOAD: Int32 = 2
 let SE_ERR_SIGN: Int32 = 3
+/// Returned **only** when a caller-supplied out-buffer is too small to
+/// hold the result. The caller is expected to resize per the
+/// `*_len.pointee` out-value and retry. It is a **contract error** to
+/// use this code for any other failure mode — the Rust side loops on
+/// it (expanding the buffer) and a misuse would turn a real error into
+/// a retry storm. See `keychain.rs::generate_signing_with_retry` for
+/// the retry discipline on the consumer side.
 let SE_ERR_BUFFER_TOO_SMALL: Int32 = 4
 let SE_ERR_NOT_AVAILABLE: Int32 = 5
 let SE_ERR_ENCRYPT: Int32 = 6
@@ -413,6 +420,51 @@ public func enclaveapp_se_decrypt(
 // the device must be unlocked to read them, and they do NOT sync via
 // iCloud / migrate across devices.
 
+/// Open the invoking user's login keychain by explicit path.
+///
+/// Security.framework's default-keychain lookup goes through
+/// `CFPreferences`, which is keyed off the process's `$HOME`. A
+/// caller that overrides `$HOME` (integration tests via `assert_cmd`,
+/// `awsenc serve` invoked by the AWS CLI under a launchd sandbox,
+/// cron, etc.) gets `errSecNoDefaultKeychain` back, at which point
+/// `SecItemAdd` falls into a system-modal
+/// "A keychain cannot be found to store '<account>'" alert.
+///
+/// We bypass that entirely: `getpwuid(getuid())` returns the real
+/// user's home directory from the password database regardless of
+/// `$HOME`, and `SecKeychainOpen` on
+/// `~/Library/Keychains/login.keychain-db` produces a handle that
+/// subsequent `SecItemAdd` / `SecItemCopyMatching` / `SecItemDelete`
+/// calls use via `kSecUseKeychain` / `kSecMatchSearchList`. The
+/// first-run "Always Allow" ACL prompt (a SecTrust decision driven
+/// by the item op itself, not by default-keychain lookup) still
+/// fires normally — unsigned-build UX is preserved.
+///
+/// `SecKeychainOpen` is deprecated alongside `SecKeychain` but is
+/// still the only API that reaches the legacy file-based keychain;
+/// the modern Data Protection keychain is unavailable on unsigned
+/// builds (see the top-of-module comment).
+private func openLoginKeychain() -> SecKeychain? {
+    guard let pw = getpwuid(getuid()) else {
+        return nil
+    }
+    let home = String(cString: pw.pointee.pw_dir)
+    // Modern macOS stores the login keychain as `.keychain-db`; older
+    // installs may still have `.keychain`. Try both so migrated
+    // systems aren't broken.
+    let candidates = [
+        "\(home)/Library/Keychains/login.keychain-db",
+        "\(home)/Library/Keychains/login.keychain",
+    ]
+    for path in candidates {
+        var kc: SecKeychain?
+        if SecKeychainOpen(path, &kc) == errSecSuccess, kc != nil {
+            return kc
+        }
+    }
+    return nil
+}
+
 private func makeServiceData(_ service: UnsafePointer<UInt8>, _ len: Int32) -> Data {
     return Data(bytes: service, count: Int(len))
 }
@@ -436,6 +488,9 @@ public func enclaveapp_keychain_store(
     _ account: UnsafePointer<UInt8>, _ account_len: Int32,
     _ secret: UnsafePointer<UInt8>, _ secret_len: Int32
 ) -> Int32 {
+    guard let kc = openLoginKeychain() else {
+        return SE_ERR_KEYCHAIN_NOT_FOUND
+    }
     guard let serviceStr = makeServiceString(service, service_len) else {
         return SE_ERR_KEYCHAIN_STORE
     }
@@ -444,11 +499,14 @@ public func enclaveapp_keychain_store(
     }
     let secretData = Data(bytes: secret, count: Int(secret_len))
 
-    // Delete any existing entry first.
+    // Delete any existing entry first. Constrain the search to the
+    // explicitly-opened login keychain so `HOME` overrides don't
+    // leak into default-keychain lookup.
     let deleteQuery: [String: Any] = [
         kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: serviceStr,
         kSecAttrAccount as String: accountStr,
+        kSecMatchSearchList as String: [kc],
     ]
     _ = SecItemDelete(deleteQuery as CFDictionary)
 
@@ -458,6 +516,7 @@ public func enclaveapp_keychain_store(
         kSecAttrAccount as String: accountStr,
         kSecValueData as String: secretData,
         kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
+        kSecUseKeychain as String: kc,
     ]
     let status = SecItemAdd(addQuery as CFDictionary, nil)
     return status == errSecSuccess ? SE_OK : SE_ERR_KEYCHAIN_STORE
@@ -471,6 +530,9 @@ public func enclaveapp_keychain_load(
     _ account: UnsafePointer<UInt8>, _ account_len: Int32,
     _ secret_out: UnsafeMutablePointer<UInt8>, _ secret_len: UnsafeMutablePointer<Int32>
 ) -> Int32 {
+    guard let kc = openLoginKeychain() else {
+        return SE_ERR_KEYCHAIN_NOT_FOUND
+    }
     guard let serviceStr = makeServiceString(service, service_len) else {
         return SE_ERR_KEYCHAIN_LOAD
     }
@@ -484,6 +546,7 @@ public func enclaveapp_keychain_load(
         kSecAttrAccount as String: accountStr,
         kSecReturnData as String: true,
         kSecMatchLimit as String: kSecMatchLimitOne,
+        kSecMatchSearchList as String: [kc],
     ]
     var item: CFTypeRef?
     let status = SecItemCopyMatching(query as CFDictionary, &item)
@@ -515,6 +578,12 @@ public func enclaveapp_keychain_delete(
     _ service: UnsafePointer<UInt8>, _ service_len: Int32,
     _ account: UnsafePointer<UInt8>, _ account_len: Int32
 ) -> Int32 {
+    guard let kc = openLoginKeychain() else {
+        // Delete is idempotent — report not-found so the Rust
+        // caller treats the entry as already-gone rather than
+        // erroring out.
+        return SE_ERR_KEYCHAIN_NOT_FOUND
+    }
     guard let serviceStr = makeServiceString(service, service_len) else {
         return SE_ERR_KEYCHAIN_DELETE
     }
@@ -525,6 +594,7 @@ public func enclaveapp_keychain_delete(
         kSecClass as String: kSecClassGenericPassword,
         kSecAttrService as String: serviceStr,
         kSecAttrAccount as String: accountStr,
+        kSecMatchSearchList as String: [kc],
     ]
     let status = SecItemDelete(query as CFDictionary)
     if status == errSecSuccess || status == errSecItemNotFound {
diff --git a/crates/enclaveapp-bridge/src/client.rs b/crates/enclaveapp-bridge/src/client.rs
index cead3aa..02eca1e 100644
--- a/crates/enclaveapp-bridge/src/client.rs
+++ b/crates/enclaveapp-bridge/src/client.rs
@@ -10,6 +10,7 @@ use enclaveapp_core::{AccessPolicy, Result};
 use std::io::Write;
 use std::path::{Path, PathBuf};
 use std::process::{Command, Stdio};
+use std::sync::Mutex;
 use std::time::Duration;
 
 /// Maximum response size from the bridge (64 KB).
@@ -48,9 +49,14 @@ fn bridge_request_timeout() -> Duration {
 /// Only fixed admin-path install locations are included in the auto-discovery
 /// fallback. PATH-based lookup via `which` was removed intentionally — a
 /// user-writable `$PATH` entry on the WSL side could substitute a malicious
-/// bridge binary, and this library performs no Authenticode verification
-/// on the resolved executable. Users who install to non-admin paths (scoop,
-/// a manual build) must set `ENCLAVEAPP_BRIDGE_PATH` explicitly.
+/// bridge binary. Users who install to non-admin paths (scoop, a manual
+/// build) must set `ENCLAVEAPP_BRIDGE_PATH` explicitly.
+///
+/// The resolved executable is additionally gated by
+/// [`require_bridge_is_authenticode_signed`] at spawn time — a replaced
+/// binary with no Authenticode signature is refused even if it landed at
+/// a trusted path. That check can be opted out of for dev / CI builds via
+/// `ENCLAVEAPP_BRIDGE_ALLOW_UNSIGNED=1`.
 #[allow(clippy::print_stderr)] // user-facing warning for misconfigured env var
 pub fn find_bridge(app_name: &str) -> Option<PathBuf> {
     // 1. Explicit env var override (app-specific, then generic).
@@ -87,6 +93,121 @@ pub fn find_bridge(app_name: &str) -> Option<PathBuf> {
         .map(|(path, _)| path)
 }
 
+/// Env var to opt out of the Authenticode-signature check on the bridge
+/// binary. Intended for dev / CI builds; production installs ship signed
+/// bridges and should leave this unset.
+const ALLOW_UNSIGNED_ENV: &str = "ENCLAVEAPP_BRIDGE_ALLOW_UNSIGNED";
+
+/// Refuse to spawn a bridge binary that lacks an Authenticode signature
+/// block.
+///
+/// Parses the PE header's Certificate Table data directory
+/// (`IMAGE_DIRECTORY_ENTRY_SECURITY`, index 4) and rejects the binary if
+/// that directory is absent or zero-sized. This does NOT verify the
+/// signature cryptographically or chase the certificate chain — that
+/// requires `WinVerifyTrust` on Windows, which isn't reachable from the
+/// WSL side without an extra helper process. What it does catch is the
+/// concrete attack in the threat model: an attacker who replaces the
+/// bridge binary with one they compiled themselves (e.g. ad-hoc `cargo
+/// build` output that ships no signature at all). Admin-held replacement
+/// with a validly-signed-but-malicious binary is out of scope and
+/// acknowledged as such in the threat model.
+///
+/// Opt-out: set `ENCLAVEAPP_BRIDGE_ALLOW_UNSIGNED=1`.
+pub fn require_bridge_is_authenticode_signed(bridge_path: &Path) -> Result<()> {
+    if std::env::var_os(ALLOW_UNSIGNED_ENV).is_some() {
+        return Ok(());
+    }
+    // Only PE binaries have Authenticode. Anything that's not `.exe`
+    // (test shell scripts, developer wrappers) bypasses this check —
+    // the real WSL bridge is always `*.exe`.
+    let is_exe = bridge_path
+        .extension()
+        .and_then(|e| e.to_str())
+        .is_some_and(|e| e.eq_ignore_ascii_case("exe"));
+    if !is_exe {
+        return Ok(());
+    }
+    match pe_has_authenticode_table(bridge_path) {
+        Ok(true) => Ok(()),
+        Ok(false) => Err(enclaveapp_core::Error::KeyOperation {
+            operation: "bridge_verify".into(),
+            detail: format!(
+                "bridge binary at {} has no Authenticode signature; refusing to spawn. \
+                 Reinstall from a signed release or set {ALLOW_UNSIGNED_ENV}=1 to bypass.",
+                bridge_path.display()
+            ),
+        }),
+        Err(detail) => Err(enclaveapp_core::Error::KeyOperation {
+            operation: "bridge_verify".into(),
+            detail,
+        }),
+    }
+}
+
+/// Inspect a PE file's optional-header data-directory table and return
+/// whether the `IMAGE_DIRECTORY_ENTRY_SECURITY` (index 4) slot points to
+/// a non-empty certificate table.
+///
+/// Layout references:
+/// - DOS header: 64 bytes, with `e_lfanew: u32` at offset 0x3C
+///   pointing to the NT header.
+/// - NT signature: "PE\0\0" (4 bytes).
+/// - COFF file header: 20 bytes; `machine` at offset 0.
+/// - Optional header: starts immediately after COFF. First 2 bytes are
+///   the magic (PE32 = 0x10b, PE32+ = 0x20b) which determines whether
+///   the data directory table starts at offset 96 (PE32) or 112 (PE32+).
+/// - Data directory `IMAGE_DIRECTORY_ENTRY_SECURITY` is slot 4:
+///   `virtual_address: u32, size: u32` — size > 0 means the binary
+///   has an Authenticode cert table appended.
+fn pe_has_authenticode_table(path: &Path) -> std::result::Result<bool, String> {
+    let data = std::fs::read(path).map_err(|e| format!("read {}: {e}", path.display()))?;
+    if data.len() < 0x40 {
+        return Err("file too small for DOS header".into());
+    }
+    if &data[0..2] != b"MZ" {
+        return Err("not a PE image (missing MZ magic)".into());
+    }
+    let e_lfanew = u32::from_le_bytes(
+        data[0x3C..0x40]
+            .try_into()
+            .map_err(|_| "bad e_lfanew slice".to_string())?,
+    ) as usize;
+    if data.len() < e_lfanew + 0x18 {
+        return Err("file too small for NT header".into());
+    }
+    if &data[e_lfanew..e_lfanew + 4] != b"PE\0\0" {
+        return Err("not a PE image (missing PE signature)".into());
+    }
+    let coff_start = e_lfanew + 4;
+    let opt_header_start = coff_start + 20;
+    if data.len() < opt_header_start + 2 {
+        return Err("file too small for optional header magic".into());
+    }
+    let magic = u16::from_le_bytes(
+        data[opt_header_start..opt_header_start + 2]
+            .try_into()
+            .map_err(|_| "bad optional-header magic slice".to_string())?,
+    );
+    // Offset within the optional header to DataDirectory[0].
+    let data_dir_offset = match magic {
+        0x10b => 96,  // PE32
+        0x20b => 112, // PE32+
+        _ => return Err(format!("unknown PE optional-header magic 0x{magic:x}")),
+    };
+    // Each DataDirectory is 8 bytes; SECURITY is index 4.
+    let security_dir = opt_header_start + data_dir_offset + 4 * 8;
+    if data.len() < security_dir + 8 {
+        return Err("file too small for data directory table".into());
+    }
+    let size = u32::from_le_bytes(
+        data[security_dir + 4..security_dir + 8]
+            .try_into()
+            .map_err(|_| "bad security dir size slice".to_string())?,
+    );
+    Ok(size > 0)
+}
+
 struct BridgeSession {
     child: std::process::Child,
     reader: LineReaderWithTimeout,
@@ -96,6 +217,7 @@ struct BridgeSession {
 
 impl BridgeSession {
     fn spawn(bridge_path: &Path) -> Result<Self> {
+        require_bridge_is_authenticode_signed(bridge_path)?;
         let mut child = Command::new(bridge_path)
             .stdin(Stdio::piped())
             .stdout(Stdio::piped())
@@ -221,8 +343,42 @@ fn finish_session<T>(session: BridgeSession, result: Result<T>) -> Result<T> {
     }
 }
 
+/// Process-wide serialization around bridge sessions.
+///
+/// The WSL→Windows bridge is a JSON-RPC child process. Two threads in
+/// the same client process that simultaneously spawn independent
+/// sessions would: (a) race Windows Hello prompts against each other
+/// so the user sees two back-to-back biometric dialogs, (b) contend
+/// for the same TPM key slot on the server side, and (c) produce
+/// indistinguishable interleaved stderr if anything goes wrong. The
+/// bridge server itself serializes per-session, but each session
+/// costs a child-process spawn and a biometric prompt — we'd rather
+/// just not do two at once.
+///
+/// This mutex is held for the full lifetime of a single session
+/// (spawn → request(s) → shutdown). It's deliberately unconditional:
+/// the overhead is a single uncontended lock acquisition per call,
+/// and bridge operations are already in the tens-of-ms / TPM-op
+/// range where lock overhead is noise.
+///
+/// A `PoisonError` from a prior panicked session is recovered with
+/// `into_inner()` — the next session starts fresh, and panics in
+/// one session's child/pipe handling should not wedge the whole
+/// client for the process's lifetime.
+static BRIDGE_SESSION_LOCK: Mutex<()> = Mutex::new(());
+
+/// Acquire the process-wide bridge-session lock, transparently
+/// recovering from poisoning.
+fn bridge_session_lock() -> std::sync::MutexGuard<'static, ()> {
+    match BRIDGE_SESSION_LOCK.lock() {
+        Ok(guard) => guard,
+        Err(poison) => poison.into_inner(),
+    }
+}
+
 /// Call the bridge with a request and return the response.
 pub fn call_bridge(bridge_path: &Path, request: &BridgeRequest) -> Result<BridgeResponse> {
+    let _guard = bridge_session_lock();
     let mut session = BridgeSession::spawn(bridge_path)?;
     let response = session.request(request);
     finish_session(session, response)
@@ -247,6 +403,7 @@ fn call_bridge_after_init(
     access_policy: AccessPolicy,
     request: &BridgeRequest,
 ) -> Result<BridgeResponse> {
+    let _guard = bridge_session_lock();
     let mut session = BridgeSession::spawn(bridge_path)?;
     let response = (|| -> Result<BridgeResponse> {
         session
@@ -363,6 +520,7 @@ fn call_bridge_after_signing_init(
     access_policy: AccessPolicy,
     request: &BridgeRequest,
 ) -> Result<BridgeResponse> {
+    let _guard = bridge_session_lock();
     let mut session = BridgeSession::spawn(bridge_path)?;
     let response = (|| -> Result<BridgeResponse> {
         session
@@ -545,6 +703,165 @@ mod tests {
         assert!(result.is_none());
     }
 
+    // ---- Authenticode / PE signature check -----------------------------
+
+    #[cfg(unix)]
+    fn make_pe_bytes(security_size: u32, magic: u16) -> Vec<u8> {
+        // DOS header (64 bytes) + NT sig (4) + COFF (20) + optional header
+        // + data directories.
+        //
+        // Optional header size varies by magic (PE32 vs PE32+).
+        let opt_header_size: usize = if magic == 0x10b {
+            96 + 16 * 8
+        } else {
+            112 + 16 * 8
+        };
+        let total = 0x40 + 4 + 20 + opt_header_size;
+        let mut buf = vec![0_u8; total];
+        // "MZ"
+        buf[0] = b'M';
+        buf[1] = b'Z';
+        // e_lfanew → NT headers start at offset 0x40.
+        buf[0x3C..0x40].copy_from_slice(&0x40_u32.to_le_bytes());
+        // "PE\0\0"
+        buf[0x40] = b'P';
+        buf[0x41] = b'E';
+        // COFF at 0x44 is all zeros (acceptable for the check).
+        // Optional header starts at 0x40 + 4 + 20 = 0x58.
+        let opt_header_start = 0x58;
+        buf[opt_header_start..opt_header_start + 2].copy_from_slice(&magic.to_le_bytes());
+        // Data directory offset within the optional header.
+        let data_dir_offset = if magic == 0x10b { 96 } else { 112 };
+        // Security directory is index 4: 8 bytes per entry, skip 4.
+        let security_dir = opt_header_start + data_dir_offset + 4 * 8;
+        // VirtualAddress (unused by the check).
+        buf[security_dir..security_dir + 4].copy_from_slice(&0_u32.to_le_bytes());
+        // Size — this is what we check.
+        buf[security_dir + 4..security_dir + 8].copy_from_slice(&security_size.to_le_bytes());
+        buf
+    }
+
+    #[cfg(unix)]
+    #[test]
+    fn pe_has_authenticode_table_detects_signed_pe32() {
+        let _lock = SCRIPT_TEST_MUTEX.lock().unwrap();
+        let bytes = make_pe_bytes(1024, 0x10b);
+        let path = std::env::temp_dir().join(format!(
+            "enclaveapp-pe-signed-{}-{}.exe",
+            std::process::id(),
+            SCRIPT_COUNTER.fetch_add(1, Ordering::SeqCst)
+        ));
+        fs::write(&path, &bytes).unwrap();
+        assert!(pe_has_authenticode_table(&path).unwrap());
+        drop(fs::remove_file(&path));
+    }
+
+    #[cfg(unix)]
+    #[test]
+    fn pe_has_authenticode_table_detects_signed_pe32plus() {
+        let _lock = SCRIPT_TEST_MUTEX.lock().unwrap();
+        let bytes = make_pe_bytes(4096, 0x20b);
+        let path = std::env::temp_dir().join(format!(
+            "enclaveapp-pe-signed64-{}-{}.exe",
+            std::process::id(),
+            SCRIPT_COUNTER.fetch_add(1, Ordering::SeqCst)
+        ));
+        fs::write(&path, &bytes).unwrap();
+        assert!(pe_has_authenticode_table(&path).unwrap());
+        drop(fs::remove_file(&path));
+    }
+
+    #[cfg(unix)]
+    #[test]
+    fn pe_has_authenticode_table_detects_unsigned() {
+        let _lock = SCRIPT_TEST_MUTEX.lock().unwrap();
+        let bytes = make_pe_bytes(0, 0x10b);
+        let path = std::env::temp_dir().join(format!(
+            "enclaveapp-pe-unsigned-{}-{}.exe",
+            std::process::id(),
+            SCRIPT_COUNTER.fetch_add(1, Ordering::SeqCst)
+        ));
+        fs::write(&path, &bytes).unwrap();
+        assert!(!pe_has_authenticode_table(&path).unwrap());
+        drop(fs::remove_file(&path));
+    }
+
+    #[cfg(unix)]
+    #[test]
+    fn pe_has_authenticode_table_rejects_non_pe() {
+        let _lock = SCRIPT_TEST_MUTEX.lock().unwrap();
+        let path = std::env::temp_dir().join(format!(
+            "enclaveapp-pe-notpe-{}-{}.exe",
+            std::process::id(),
+            SCRIPT_COUNTER.fetch_add(1, Ordering::SeqCst)
+        ));
+        // Write > 64 bytes of arbitrary non-PE content so we clear the
+        // "too small for DOS header" check and actually hit the
+        // "missing MZ magic" branch.
+        let content: Vec<u8> = b"#!/bin/sh\n# not a PE image\nexit 0\n"
+            .iter()
+            .copied()
+            .chain(std::iter::repeat(b'x').take(128))
+            .collect();
+        fs::write(&path, &content).unwrap();
+        let err = pe_has_authenticode_table(&path).unwrap_err();
+        assert!(err.contains("MZ"), "expected MZ-missing error, got: {err}");
+        drop(fs::remove_file(&path));
+    }
+
+    #[cfg(unix)]
+    #[test]
+    fn require_signed_skips_non_exe_paths() {
+        // Shell scripts (our test-bridge pattern) must pass the gate
+        // unconditionally so existing integration tests keep working.
+        let _lock = SCRIPT_TEST_MUTEX.lock().unwrap();
+        let script = temp_script("unsigned-script.sh", "#!/bin/sh\nexit 0\n");
+        require_bridge_is_authenticode_signed(&script).unwrap();
+        cleanup_script(&script);
+    }
+
+    #[cfg(unix)]
+    #[test]
+    fn require_signed_rejects_unsigned_exe() {
+        let _lock = SCRIPT_TEST_MUTEX.lock().unwrap();
+        // Ensure the opt-out env var isn't set from a previous test.
+        std::env::remove_var(ALLOW_UNSIGNED_ENV);
+        let bytes = make_pe_bytes(0, 0x10b);
+        let path = std::env::temp_dir().join(format!(
+            "enclaveapp-pe-rejected-{}-{}.exe",
+            std::process::id(),
+            SCRIPT_COUNTER.fetch_add(1, Ordering::SeqCst)
+        ));
+        fs::write(&path, &bytes).unwrap();
+        let err = require_bridge_is_authenticode_signed(&path).unwrap_err();
+        assert!(
+            err.to_string().contains("no Authenticode signature"),
+            "got: {err}"
+        );
+        drop(fs::remove_file(&path));
+    }
+
+    #[cfg(unix)]
+    #[test]
+    fn require_signed_honors_allow_unsigned_env() {
+        let _lock = SCRIPT_TEST_MUTEX.lock().unwrap();
+        let bytes = make_pe_bytes(0, 0x10b);
+        let path = std::env::temp_dir().join(format!(
+            "enclaveapp-pe-allowed-{}-{}.exe",
+            std::process::id(),
+            SCRIPT_COUNTER.fetch_add(1, Ordering::SeqCst)
+        ));
+        fs::write(&path, &bytes).unwrap();
+        std::env::set_var(ALLOW_UNSIGNED_ENV, "1");
+        let result = require_bridge_is_authenticode_signed(&path);
+        std::env::remove_var(ALLOW_UNSIGNED_ENV);
+        assert!(
+            result.is_ok(),
+            "opt-out env must skip the check: {result:?}"
+        );
+        drop(fs::remove_file(&path));
+    }
+
     #[cfg(unix)]
     #[test]
     fn find_bridge_env_var_override_wins_when_path_exists() {
@@ -781,6 +1098,118 @@ printf '{"result":"","error":null}\n'
         cleanup_script(&script);
     }
 
+    #[cfg(unix)]
+    #[test]
+    fn concurrent_call_bridge_serializes_via_session_lock() {
+        // Two threads calling `call_bridge` against a script that
+        // records the time it took the request to arrive and holds
+        // open stdin for ~150 ms. If the client-side lock actually
+        // serializes, the second call's "arrival" happens AFTER the
+        // first call's "exit". We assert that by checking the
+        // timestamps written to two disjoint sentinel files — their
+        // non-overlapping `started`/`finished` intervals prove
+        // serialization even though both threads raced to start.
+        let _outer = SCRIPT_TEST_MUTEX.lock().unwrap();
+
+        let marker_dir = std::env::temp_dir().join(format!(
+            "enclaveapp-bridge-concurrent-{}-{}",
+            std::process::id(),
+            SCRIPT_COUNTER.fetch_add(1, Ordering::SeqCst)
+        ));
+        fs::create_dir_all(&marker_dir).unwrap();
+        let marker_arg = marker_dir.display().to_string();
+
+        let script_body = r#"#!/bin/sh
+marker_dir="$1"
+pid=$$
+started="$marker_dir/started.$pid"
+finished="$marker_dir/finished.$pid"
+date +%s%N > "$started"
+read request_line
+sleep 0.15
+printf '{"result":"","error":null}\n'
+date +%s%N > "$finished"
+"#;
+        let script = temp_script("concurrent-session.sh", script_body);
+        // Wrap the script so each invocation receives the marker_dir as $1.
+        let wrapper_path = std::env::temp_dir().join(format!(
+            "enclaveapp-bridge-concurrent-wrapper-{}-{}.sh",
+            std::process::id(),
+            SCRIPT_COUNTER.fetch_add(1, Ordering::SeqCst)
+        ));
+        fs::write(
+            &wrapper_path,
+            format!("#!/bin/sh\nexec {} {}\n", script.display(), marker_arg),
+        )
+        .unwrap();
+        let mut perms = fs::metadata(&wrapper_path).unwrap().permissions();
+        perms.set_mode(0o755);
+        fs::set_permissions(&wrapper_path, perms).unwrap();
+
+        let wrapper_a = wrapper_path.clone();
+        let wrapper_b = wrapper_path.clone();
+        let handle_a = std::thread::spawn(move || {
+            let req = BridgeRequest {
+                method: "encrypt".to_string(),
+                params: BridgeParams::new(
+                    "aGVsbG8=".into(),
+                    AccessPolicy::None,
+                    "t".into(),
+                    "k".into(),
+                ),
+            };
+            call_bridge(&wrapper_a, &req).unwrap();
+        });
+        let handle_b = std::thread::spawn(move || {
+            // Tiny jitter so the two threads don't both lose to the
+            // fastest-scheduled one before the first spawn.
+            std::thread::sleep(Duration::from_millis(10));
+            let req = BridgeRequest {
+                method: "encrypt".to_string(),
+                params: BridgeParams::new(
+                    "Y2lwaGVy".into(),
+                    AccessPolicy::None,
+                    "t".into(),
+                    "k".into(),
+                ),
+            };
+            call_bridge(&wrapper_b, &req).unwrap();
+        });
+        handle_a.join().unwrap();
+        handle_b.join().unwrap();
+
+        // Read all started/finished timestamps and confirm the two
+        // sessions' intervals do not overlap.
+        let mut started: Vec<u128> = Vec::new();
+        let mut finished: Vec<u128> = Vec::new();
+        for entry in fs::read_dir(&marker_dir).unwrap() {
+            let entry = entry.unwrap();
+            let name = entry.file_name().to_string_lossy().into_owned();
+            let content = fs::read_to_string(entry.path()).unwrap();
+            let ts: u128 = content.trim().parse().unwrap();
+            if name.starts_with("started.") {
+                started.push(ts);
+            } else if name.starts_with("finished.") {
+                finished.push(ts);
+            }
+        }
+        assert_eq!(started.len(), 2, "expected two sessions to have started");
+        assert_eq!(finished.len(), 2, "expected two sessions to have finished");
+        started.sort_unstable();
+        finished.sort_unstable();
+        // First session fully finishes before the second session starts.
+        assert!(
+            finished[0] <= started[1],
+            "sessions overlapped: finished[0]={} started[1]={} — client-side lock did not serialize",
+            finished[0],
+            started[1]
+        );
+
+        drop(fs::remove_dir_all(&marker_dir));
+        cleanup_script(&script);
+        drop(fs::remove_file(&wrapper_path));
+    }
+
     #[cfg(unix)]
     #[test]
     fn bridge_session_drop_kills_child() {
@@ -810,16 +1239,20 @@ printf '{"result":"","error":null}\n'
 
     #[cfg(unix)]
     #[test]
-    fn bridge_init_sends_biometric_compat_field() {
+    fn bridge_init_encodes_access_policy_only() {
+        // The legacy `biometric: bool` compat field has been removed.
+        // Accept the init when `access_policy` is present and reject
+        // if a legacy `biometric` field is observed on the wire — we
+        // must not regress to encoding it.
         let _lock = SCRIPT_TEST_MUTEX.lock().unwrap();
         let script = temp_script(
-            "biometric-compat.sh",
+            "access-policy-only.sh",
             r#"#!/bin/sh
 read request_line
 case "$request_line" in
-  *'"biometric":true'*'"access_policy":"biometric_only"'*) printf '{"result":"","error":null}\n' ;;
-  *'"access_policy":"biometric_only"'*'"biometric":true'*) printf '{"result":"","error":null}\n' ;;
-  *) printf '{"result":null,"error":"missing biometric compat field"}\n' ;;
+  *'"biometric"'*) printf '{"result":null,"error":"legacy biometric field leaked onto wire"}\n' ;;
+  *'"access_policy":"biometric_only"'*) printf '{"result":"","error":null}\n' ;;
+  *) printf '{"result":null,"error":"missing access_policy"}\n' ;;
 esac
 "#,
         );
diff --git a/crates/enclaveapp-bridge/src/protocol.rs b/crates/enclaveapp-bridge/src/protocol.rs
index 2fa6bd5..220e9f2 100644
--- a/crates/enclaveapp-bridge/src/protocol.rs
+++ b/crates/enclaveapp-bridge/src/protocol.rs
@@ -17,6 +17,12 @@ pub struct BridgeRequest {
 }
 
 /// Bridge request parameters.
+///
+/// The legacy `biometric: bool` field from earlier releases has been
+/// removed. `access_policy` is now the only accepted encoding of the
+/// key's access policy on the wire. See THREAT_MODEL.md T5 — the
+/// legacy field opened a silent-downgrade path for a malicious bridge
+/// peer that honored `biometric` and ignored `access_policy`.
 #[derive(Debug, Serialize, Deserialize)]
 pub struct BridgeParams {
     /// Base64-encoded data (plaintext for encrypt, ciphertext for decrypt).
@@ -25,10 +31,6 @@ pub struct BridgeParams {
     /// Access policy to enforce on key use.
     #[serde(default)]
     pub access_policy: AccessPolicy,
-    /// Legacy field kept for backward compatibility with older bridge servers.
-    /// When deserializing, `access_policy` takes precedence over this field.
-    #[serde(default)]
-    biometric: bool,
     /// Application name (determines TPM key name).
     #[serde(default)]
     pub app_name: String,
@@ -38,18 +40,17 @@ pub struct BridgeParams {
 }
 
 impl BridgeParams {
-    /// Resolve the effective access policy considering both new and legacy fields.
+    /// Access policy requested by this message. Kept as a method for
+    /// source-compatibility with the legacy `effective_access_policy()`
+    /// call sites that used to reconcile `access_policy` vs a legacy
+    /// `biometric: bool` flag.
+    #[must_use]
     pub fn effective_access_policy(&self) -> AccessPolicy {
-        if self.access_policy != AccessPolicy::None {
-            self.access_policy
-        } else if self.biometric {
-            AccessPolicy::BiometricOnly
-        } else {
-            AccessPolicy::None
-        }
+        self.access_policy
     }
 
-    /// Create params with backward-compatible biometric field set automatically.
+    /// Build a new `BridgeParams`.
+    #[must_use]
     pub fn new(
         data: String,
         access_policy: AccessPolicy,
@@ -59,7 +60,6 @@ impl BridgeParams {
         Self {
             data,
             access_policy,
-            biometric: access_policy == AccessPolicy::BiometricOnly,
             app_name,
             key_label,
         }
@@ -161,7 +161,6 @@ mod tests {
         assert_eq!(parsed.method, "encrypt");
         assert_eq!(parsed.params.data, "aGVsbG8=");
         assert_eq!(parsed.params.access_policy, AccessPolicy::BiometricOnly);
-        assert!(parsed.params.biometric); // backward compat field
         assert_eq!(parsed.params.app_name, "test-app");
         assert_eq!(parsed.params.key_label, "cache-key");
     }
@@ -173,11 +172,22 @@ mod tests {
         assert_eq!(parsed.method, "init");
         assert_eq!(parsed.params.data, "");
         assert_eq!(parsed.params.access_policy, AccessPolicy::None);
-        assert!(!parsed.params.biometric);
         assert_eq!(parsed.params.app_name, "");
         assert_eq!(parsed.params.key_label, "");
     }
 
+    #[test]
+    fn bridge_request_ignores_legacy_biometric_field() {
+        // Older callers may still include `biometric: true` on the wire.
+        // We must not silently honor it — access_policy is authoritative.
+        // Unknown fields are ignored by serde's default, so the legacy
+        // flag simply has no effect.
+        let json = r#"{"method":"encrypt","params":{"biometric":true,"access_policy":"none","app_name":"a","key_label":"k"}}"#;
+        let parsed: BridgeRequest = serde_json::from_str(json).unwrap();
+        assert_eq!(parsed.params.access_policy, AccessPolicy::None);
+        assert_eq!(parsed.params.effective_access_policy(), AccessPolicy::None);
+    }
+
     #[test]
     fn bridge_response_success_construction() {
         let resp = BridgeResponse::success("c29tZSBkYXRh");
@@ -316,7 +326,6 @@ mod tests {
         let params: BridgeParams = serde_json::from_str(json).unwrap();
         assert_eq!(params.data, "");
         assert_eq!(params.access_policy, AccessPolicy::None);
-        assert!(!params.biometric);
         assert_eq!(params.app_name, "");
         assert_eq!(params.key_label, "");
     }
@@ -330,8 +339,8 @@ mod tests {
     }
 
     #[test]
-    fn bridge_params_legacy_biometric_true_maps_to_biometric_only() {
-        let json = r#"{"data":"","biometric":true,"app_name":"test","key_label":"k"}"#;
+    fn bridge_params_biometric_only_access_policy() {
+        let json = r#"{"access_policy":"biometric_only","app_name":"t","key_label":"k"}"#;
         let params: BridgeParams = serde_json::from_str(json).unwrap();
         assert_eq!(
             params.effective_access_policy(),
@@ -340,27 +349,20 @@ mod tests {
     }
 
     #[test]
-    fn bridge_params_access_policy_takes_precedence_over_biometric() {
-        // When access_policy is explicitly set to a non-None value, it wins.
-        let json = r#"{"access_policy":"any","biometric":true,"app_name":"t","key_label":"k"}"#;
+    fn bridge_params_any_access_policy() {
+        let json = r#"{"access_policy":"any","app_name":"t","key_label":"k"}"#;
         let params: BridgeParams = serde_json::from_str(json).unwrap();
         assert_eq!(params.effective_access_policy(), AccessPolicy::Any);
     }
 
     #[test]
-    fn bridge_params_legacy_biometric_true_with_none_policy() {
-        // When access_policy is the default None but biometric is true,
-        // biometric should still win.
-        let json = r#"{"access_policy":"none","biometric":true,"app_name":"t","key_label":"k"}"#;
-        let params: BridgeParams = serde_json::from_str(json).unwrap();
-        assert_eq!(
-            params.effective_access_policy(),
-            AccessPolicy::BiometricOnly
-        );
-    }
-
-    #[test]
-    fn bridge_params_new_sets_biometric_compat() {
+    fn bridge_params_wire_format_omits_biometric_field() {
+        // We must not serialize a `biometric` field on the wire — old
+        // servers that preferred it over `access_policy` would observe
+        // a false value and silently downgrade. Note: the
+        // `biometric_only` access-policy enum variant string contains
+        // the substring `biometric`, so the assertion must check for
+        // the quoted JSON key specifically.
         let params = BridgeParams::new(
             String::new(),
             AccessPolicy::BiometricOnly,
@@ -368,7 +370,7 @@ mod tests {
             "key".into(),
         );
         let json = serde_json::to_string(&params).unwrap();
-        assert!(json.contains("\"biometric\":true"));
+        assert!(!json.contains("\"biometric\""));
         assert!(json.contains("\"access_policy\":\"biometric_only\""));
     }
 
@@ -435,11 +437,9 @@ mod tests {
 
     #[test]
     fn effective_access_policy_with_all_variants() {
-        // Explicit Any takes precedence
         let params = BridgeParams::new(String::new(), AccessPolicy::Any, "a".into(), "k".into());
         assert_eq!(params.effective_access_policy(), AccessPolicy::Any);
 
-        // Explicit PasswordOnly takes precedence
         let params = BridgeParams::new(
             String::new(),
             AccessPolicy::PasswordOnly,
@@ -448,31 +448,10 @@ mod tests {
         );
         assert_eq!(params.effective_access_policy(), AccessPolicy::PasswordOnly);
 
-        // None with no biometric
         let params = BridgeParams::new(String::new(), AccessPolicy::None, "a".into(), "k".into());
         assert_eq!(params.effective_access_policy(), AccessPolicy::None);
     }
 
-    #[test]
-    fn bridge_params_new_biometric_only_for_biometric_only_policy() {
-        let p1 = BridgeParams::new(
-            String::new(),
-            AccessPolicy::BiometricOnly,
-            "a".into(),
-            "k".into(),
-        );
-        let j1 = serde_json::to_string(&p1).unwrap();
-        assert!(j1.contains("\"biometric\":true"));
-
-        let p2 = BridgeParams::new(String::new(), AccessPolicy::Any, "a".into(), "k".into());
-        let j2 = serde_json::to_string(&p2).unwrap();
-        assert!(j2.contains("\"biometric\":false"));
-
-        let p3 = BridgeParams::new(String::new(), AccessPolicy::None, "a".into(), "k".into());
-        let j3 = serde_json::to_string(&p3).unwrap();
-        assert!(j3.contains("\"biometric\":false"));
-    }
-
     #[test]
     fn bridge_params_roundtrip_preserves_all_fields() {
         let original = BridgeParams::new(
diff --git a/crates/enclaveapp-cache/Cargo.toml b/crates/enclaveapp-cache/Cargo.toml
index a855b20..1f62247 100644
--- a/crates/enclaveapp-cache/Cargo.toml
+++ b/crates/enclaveapp-cache/Cargo.toml
@@ -9,6 +9,8 @@ description = "Shared binary cache format for enclave apps"
 
 [dependencies]
 enclaveapp-core = { workspace = true }
+fs4 = { workspace = true }
+sha2 = { workspace = true }
 
 [dev-dependencies]
 tempfile = { workspace = true }
diff --git a/crates/enclaveapp-cache/src/envelope.rs b/crates/enclaveapp-cache/src/envelope.rs
new file mode 100644
index 0000000..dd4e3b5
--- /dev/null
+++ b/crates/enclaveapp-cache/src/envelope.rs
@@ -0,0 +1,396 @@
+// Copyright 2024 Jay Gowdy
+// SPDX-License-Identifier: MIT
+
+//! Authenticated envelope for credential-cache plaintext.
+//!
+//! Wraps the plaintext handed to an [`EncryptionStorage`] backend with:
+//!
+//! - a SHA-256 digest of the cache file's **unencrypted** header bytes,
+//!   so tampering with the header (timestamps, risk level, flags) is
+//!   detected at decrypt time — closes the "no AAD on the header" gap
+//!   that previously let an attacker rewind `risk_level` downward or
+//!   extend a cached credential's client-side validity window; and
+//!
+//! - a monotonic `u64` rollback counter, compared on read to a
+//!   sidecar `<cache>.counter` file, so replay of an older valid
+//!   ciphertext is detected for the remaining validity window.
+//!
+//! # Design
+//!
+//! We intentionally do **not** change the `EnclaveEncryptor` trait
+//! signature. Threading an `aad: &[u8]` parameter through four
+//! platform backends and the WSL bridge protocol is an order of
+//! magnitude larger change than we can ship responsibly right now,
+//! and the security delivered by this app-layer approach is
+//! equivalent: tampering is detected before any decrypted bytes
+//! cross the caller boundary.
+//!
+//! # Wire format of the plaintext fed to `encrypt()`
+//!
+//! ```text
+//! [4B magic "APL1"]
+//! [32B SHA-256(header_bytes)]
+//! [8B BE u64 monotonic counter]
+//! [N bytes original payload]
+//! ```
+//!
+//! `header_bytes` is the full unencrypted prefix of the cache file —
+//! magic + version + flags + app-specific header fields — whatever the
+//! caller wants to bind. Both sides must compute it identically.
+//!
+//! # Backward compatibility
+//!
+//! [`unwrap_plaintext`] accepts legacy plaintext that does **not**
+//! start with `APL1` and returns it verbatim with `counter = 0`.
+//! Existing caches written before this module shipped continue to
+//! decrypt and use; the next write puts them into the new envelope.
+//! The sidecar counter defaults to 0 when missing — rollback
+//! detection kicks in as soon as the first wrapped write lands.
+
+use sha2::{Digest, Sha256};
+use std::path::{Path, PathBuf};
+
+/// Magic bytes at the start of a wrapped plaintext: "APL1" (Auth PayLoad v1).
+pub const ENVELOPE_MAGIC: &[u8; 4] = b"APL1";
+
+/// SHA-256 digest length.
+pub const HEADER_HASH_LEN: usize = 32;
+
+/// u64 counter length.
+pub const COUNTER_LEN: usize = 8;
+
+/// Minimum wrapped-plaintext length = magic + hash + counter.
+pub const ENVELOPE_OVERHEAD: usize = ENVELOPE_MAGIC.len() + HEADER_HASH_LEN + COUNTER_LEN;
+
+/// Errors produced by envelope unwrap.
+#[derive(Debug)]
+pub enum EnvelopeError {
+    /// The decrypted plaintext's embedded header hash did not match the
+    /// hash of the observed unencrypted header. The cache header was
+    /// tampered with.
+    HeaderMismatch,
+    /// The decrypted plaintext's counter is less than the last-seen
+    /// counter recorded in the sidecar. This is a rollback to an
+    /// earlier valid ciphertext.
+    Rollback {
+        observed: u64,
+        expected_at_least: u64,
+    },
+    /// I/O error reading or writing the counter sidecar.
+    CounterIo(std::io::Error),
+}
+
+impl std::fmt::Display for EnvelopeError {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Self::HeaderMismatch => write!(
+                f,
+                "cache header does not match the hash bound into the encrypted payload: \
+                 the header was modified after encryption"
+            ),
+            Self::Rollback {
+                observed,
+                expected_at_least,
+            } => write!(
+                f,
+                "cache counter rolled back: observed {observed}, expected >= {expected_at_least}"
+            ),
+            Self::CounterIo(e) => write!(f, "counter sidecar I/O: {e}"),
+        }
+    }
+}
+
+impl std::error::Error for EnvelopeError {
+    fn source(&self) -> Option<&(dyn std::error::Error + 'static)> {
+        match self {
+            Self::CounterIo(e) => Some(e),
+            _ => None,
+        }
+    }
+}
+
+impl From<std::io::Error> for EnvelopeError {
+    fn from(e: std::io::Error) -> Self {
+        Self::CounterIo(e)
+    }
+}
+
+/// Wrap the caller's payload in an authenticated envelope.
+///
+/// The returned bytes are the plaintext that should be passed to
+/// `storage.encrypt(...)`.
+#[must_use]
+pub fn wrap_plaintext(header_bytes: &[u8], counter: u64, payload: &[u8]) -> Vec<u8> {
+    let header_hash = Sha256::digest(header_bytes);
+    let mut out = Vec::with_capacity(ENVELOPE_OVERHEAD + payload.len());
+    out.extend_from_slice(ENVELOPE_MAGIC);
+    out.extend_from_slice(&header_hash);
+    out.extend_from_slice(&counter.to_be_bytes());
+    out.extend_from_slice(payload);
+    out
+}
+
+/// Result of unwrapping a decrypted plaintext.
+#[derive(Debug)]
+pub enum Unwrapped {
+    /// Legacy plaintext that was not wrapped. The caller gets the
+    /// decrypted bytes verbatim with no header-binding or rollback
+    /// protection. These will be upgraded to the new format on the
+    /// next write.
+    Legacy { payload: Vec<u8> },
+    /// New-format envelope. Header binding verified; counter surfaced
+    /// so the caller can write it back to the sidecar if it's higher
+    /// than the last seen value.
+    Versioned { counter: u64, payload: Vec<u8> },
+}
+
+impl Unwrapped {
+    /// Borrow the payload regardless of envelope version.
+    #[must_use]
+    pub fn payload(&self) -> &[u8] {
+        match self {
+            Self::Legacy { payload } | Self::Versioned { payload, .. } => payload,
+        }
+    }
+
+    /// Consume and return the payload.
+    #[must_use]
+    pub fn into_payload(self) -> Vec<u8> {
+        match self {
+            Self::Legacy { payload } | Self::Versioned { payload, .. } => payload,
+        }
+    }
+}
+
+/// Unwrap a decrypted plaintext.
+///
+/// - If the plaintext starts with `ENVELOPE_MAGIC`, the header hash is
+///   verified against `header_bytes` and the counter is compared to
+///   `min_counter`. Returns [`Unwrapped::Versioned`] on success.
+/// - Otherwise, the bytes are treated as legacy pre-envelope plaintext
+///   and returned verbatim as [`Unwrapped::Legacy`].
+#[allow(deprecated)] // sha2 0.10 / generic-array 0.14 interaction; tracked upstream
+pub fn unwrap_plaintext(
+    header_bytes: &[u8],
+    min_counter: u64,
+    decrypted: &[u8],
+) -> Result<Unwrapped, EnvelopeError> {
+    if decrypted.len() < ENVELOPE_OVERHEAD || &decrypted[..ENVELOPE_MAGIC.len()] != ENVELOPE_MAGIC {
+        return Ok(Unwrapped::Legacy {
+            payload: decrypted.to_vec(),
+        });
+    }
+
+    let hash_start = ENVELOPE_MAGIC.len();
+    let hash_end = hash_start + HEADER_HASH_LEN;
+    let observed_hash = &decrypted[hash_start..hash_end];
+    let expected_hash = Sha256::digest(header_bytes);
+    if observed_hash != expected_hash.as_slice() {
+        return Err(EnvelopeError::HeaderMismatch);
+    }
+
+    let counter_start = hash_end;
+    let counter_end = counter_start + COUNTER_LEN;
+    let mut counter_bytes = [0_u8; COUNTER_LEN];
+    counter_bytes.copy_from_slice(&decrypted[counter_start..counter_end]);
+    let counter = u64::from_be_bytes(counter_bytes);
+    if counter < min_counter {
+        return Err(EnvelopeError::Rollback {
+            observed: counter,
+            expected_at_least: min_counter,
+        });
+    }
+
+    let payload = decrypted[counter_end..].to_vec();
+    Ok(Unwrapped::Versioned { counter, payload })
+}
+
+// ---------------------------------------------------------------------------
+// Counter sidecar
+// ---------------------------------------------------------------------------
+
+/// Compute the sidecar path for the counter of a given cache file.
+#[must_use]
+pub fn counter_path(cache_path: &Path) -> PathBuf {
+    let mut p = cache_path.to_path_buf();
+    let mut name = p.file_name().map(|n| n.to_os_string()).unwrap_or_default();
+    name.push(".counter");
+    p.set_file_name(name);
+    p
+}
+
+/// Read the counter sidecar, returning 0 when the file is missing.
+///
+/// A missing file is treated as "never seen before" rather than an
+/// error — this matches the legacy-cache migration posture: a
+/// first-time read after the envelope ships has no prior counter to
+/// compare against.
+pub fn read_counter(cache_path: &Path) -> Result<u64, EnvelopeError> {
+    let path = counter_path(cache_path);
+    match std::fs::read(&path) {
+        Ok(bytes) if bytes.len() >= COUNTER_LEN => {
+            let mut buf = [0_u8; COUNTER_LEN];
+            buf.copy_from_slice(&bytes[..COUNTER_LEN]);
+            Ok(u64::from_be_bytes(buf))
+        }
+        Ok(_) => Ok(0),
+        Err(e) if e.kind() == std::io::ErrorKind::NotFound => Ok(0),
+        Err(e) => Err(EnvelopeError::CounterIo(e)),
+    }
+}
+
+/// Write the counter sidecar atomically.
+///
+/// A cross-process `fs4` flock on the sidecar itself serializes
+/// concurrent writers so a read-modify-write of the counter is
+/// race-free between two invocations of the same enclave-app.
+pub fn write_counter(cache_path: &Path, counter: u64) -> Result<(), EnvelopeError> {
+    use fs4::fs_std::FileExt;
+    use std::io::Write;
+
+    let path = counter_path(cache_path);
+    if let Some(parent) = path.parent() {
+        std::fs::create_dir_all(parent)?;
+    }
+    let tmp_path = path.with_extension("counter.tmp");
+
+    let file = std::fs::OpenOptions::new()
+        .read(true)
+        .write(true)
+        .create(true)
+        .truncate(true)
+        .open(&tmp_path)?;
+    FileExt::lock_exclusive(&file)?;
+    let mut file = file;
+    file.write_all(&counter.to_be_bytes())?;
+    file.flush()?;
+    drop(file);
+    std::fs::rename(&tmp_path, &path)?;
+    Ok(())
+}
+
+/// Allocate the counter for the next write: `max(current_sidecar, prior_observed) + 1`.
+///
+/// `prior_observed` is the counter pulled out of the last successful
+/// decrypt (or 0 on fresh install); it defends against a scenario where
+/// an attacker deletes the sidecar file and resets it to 0 — the
+/// ciphertext itself still carries the last-seen counter inside its
+/// authenticated envelope, so the sequence can only go forward.
+#[must_use]
+pub fn next_counter(sidecar_counter: u64, prior_observed: u64) -> u64 {
+    sidecar_counter.max(prior_observed).saturating_add(1)
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used, clippy::panic)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn wrap_unwrap_roundtrip() {
+        let header = b"magic + version + flags + app-specific";
+        let payload = b"super secret credential JSON";
+        let wrapped = wrap_plaintext(header, 42, payload);
+        let unwrapped = unwrap_plaintext(header, 0, &wrapped).unwrap();
+        match unwrapped {
+            Unwrapped::Versioned {
+                counter,
+                payload: p,
+            } => {
+                assert_eq!(counter, 42);
+                assert_eq!(p, payload);
+            }
+            _ => panic!("expected Versioned"),
+        }
+    }
+
+    #[test]
+    fn unwrap_legacy_plaintext_passes_through() {
+        let header = b"header-bytes";
+        let payload = b"legacy-plaintext-no-envelope";
+        let unwrapped = unwrap_plaintext(header, 99, payload).unwrap();
+        match unwrapped {
+            Unwrapped::Legacy { payload: p } => assert_eq!(p, payload),
+            _ => panic!("expected Legacy"),
+        }
+    }
+
+    #[test]
+    fn unwrap_rejects_header_tamper() {
+        let original_header = b"ORIGINAL";
+        let tampered_header = b"TAMPERED";
+        let wrapped = wrap_plaintext(original_header, 1, b"payload");
+        let err = unwrap_plaintext(tampered_header, 0, &wrapped).unwrap_err();
+        matches!(err, EnvelopeError::HeaderMismatch);
+    }
+
+    #[test]
+    fn unwrap_rejects_rollback() {
+        let header = b"HDR";
+        let wrapped = wrap_plaintext(header, 5, b"payload");
+        let err = unwrap_plaintext(header, 10, &wrapped).unwrap_err();
+        match err {
+            EnvelopeError::Rollback {
+                observed,
+                expected_at_least,
+            } => {
+                assert_eq!(observed, 5);
+                assert_eq!(expected_at_least, 10);
+            }
+            _ => panic!("expected Rollback"),
+        }
+    }
+
+    #[test]
+    fn unwrap_accepts_counter_eq_min() {
+        let header = b"HDR";
+        let wrapped = wrap_plaintext(header, 7, b"payload");
+        let unwrapped = unwrap_plaintext(header, 7, &wrapped).unwrap();
+        match unwrapped {
+            Unwrapped::Versioned { counter, .. } => assert_eq!(counter, 7),
+            _ => panic!("expected Versioned"),
+        }
+    }
+
+    #[test]
+    fn counter_path_appends_suffix() {
+        let p = Path::new("/tmp/cache/foo.enc");
+        assert_eq!(counter_path(p), PathBuf::from("/tmp/cache/foo.enc.counter"));
+    }
+
+    #[test]
+    fn counter_read_missing_returns_zero() {
+        let dir = tempfile::tempdir().unwrap();
+        let cache_path = dir.path().join("nope.enc");
+        assert_eq!(read_counter(&cache_path).unwrap(), 0);
+    }
+
+    #[test]
+    fn counter_write_read_roundtrip() {
+        let dir = tempfile::tempdir().unwrap();
+        let cache_path = dir.path().join("roundtrip.enc");
+        write_counter(&cache_path, 12345).unwrap();
+        assert_eq!(read_counter(&cache_path).unwrap(), 12345);
+        write_counter(&cache_path, 99999).unwrap();
+        assert_eq!(read_counter(&cache_path).unwrap(), 99999);
+    }
+
+    #[test]
+    fn next_counter_takes_max_and_increments() {
+        assert_eq!(next_counter(5, 3), 6);
+        assert_eq!(next_counter(3, 5), 6);
+        assert_eq!(next_counter(0, 0), 1);
+    }
+
+    #[test]
+    fn next_counter_saturates_at_u64_max() {
+        assert_eq!(next_counter(u64::MAX, 0), u64::MAX);
+        assert_eq!(next_counter(0, u64::MAX), u64::MAX);
+    }
+
+    #[test]
+    fn envelope_overhead_is_correct() {
+        let wrapped = wrap_plaintext(b"h", 0, b"");
+        assert_eq!(wrapped.len(), ENVELOPE_OVERHEAD);
+    }
+}
diff --git a/crates/enclaveapp-cache/src/lib.rs b/crates/enclaveapp-cache/src/lib.rs
index 086f805..dfd6b1e 100644
--- a/crates/enclaveapp-cache/src/lib.rs
+++ b/crates/enclaveapp-cache/src/lib.rs
@@ -17,6 +17,8 @@ use std::path::Path;
 
 use enclaveapp_core::metadata;
 
+pub mod envelope;
+
 /// Error type for cache operations.
 #[derive(Debug)]
 pub enum CacheError {
diff --git a/crates/enclaveapp-core/Cargo.toml b/crates/enclaveapp-core/Cargo.toml
index 47296b9..e3acb55 100644
--- a/crates/enclaveapp-core/Cargo.toml
+++ b/crates/enclaveapp-core/Cargo.toml
@@ -18,4 +18,9 @@ dirs = { workspace = true }
 thiserror = { workspace = true }
 libc = { workspace = true }
 fs2 = { workspace = true }
+sha2 = { workspace = true }
 tracing = "0.1"
+
+# Windows-only: SetProcessMitigationPolicy for `harden_process`.
+[target.'cfg(windows)'.dependencies]
+windows = { workspace = true }
diff --git a/crates/enclaveapp-core/src/metadata.rs b/crates/enclaveapp-core/src/metadata.rs
index 1c8ddb6..f4b318e 100644
--- a/crates/enclaveapp-core/src/metadata.rs
+++ b/crates/enclaveapp-core/src/metadata.rs
@@ -241,6 +241,30 @@ pub fn save_meta(dir: &Path, label: &str, meta: &KeyMeta) -> Result<()> {
     atomic_write(&meta_path, json.as_bytes())
 }
 
+/// Save key metadata plus an HMAC sidecar (`<label>.meta.hmac`) that
+/// authenticates the meta JSON under `hmac_key`.
+///
+/// Intended for backends whose meta tamper is a full policy bypass —
+/// i.e. the software/keyring backend, where the hardware does not
+/// re-enforce `AccessPolicy` at sign/decrypt time. Callers that hold
+/// a per-app HMAC key (stored in the system keyring alongside the
+/// KEK) invoke this instead of [`save_meta`]. The hardware backends
+/// continue to call the plain [`save_meta`] because their key
+/// enforcement is fixed at key-creation time on the chip and cannot
+/// be relaxed by editing `.meta`.
+pub fn save_meta_with_hmac(dir: &Path, label: &str, meta: &KeyMeta, hmac_key: &[u8]) -> Result<()> {
+    crate::types::validate_label(label)?;
+    let meta_path = dir.join(format!("{label}.meta"));
+    let json =
+        serde_json::to_string_pretty(meta).map_err(|e| Error::Serialization(e.to_string()))?;
+    atomic_write(&meta_path, json.as_bytes())?;
+
+    let tag = compute_meta_hmac(hmac_key, json.as_bytes());
+    let hmac_path = dir.join(format!("{label}.meta.hmac"));
+    atomic_write(&hmac_path, tag.as_bytes())?;
+    Ok(())
+}
+
 /// Load key metadata from a JSON file. Returns a default if the file doesn't exist.
 pub fn load_meta(dir: &Path, label: &str) -> Result<KeyMeta> {
     crate::types::validate_label(label)?;
@@ -258,6 +282,95 @@ pub fn load_meta(dir: &Path, label: &str) -> Result<KeyMeta> {
     serde_json::from_str(&content).map_err(|e| Error::Serialization(e.to_string()))
 }
 
+/// Load key metadata with an HMAC check.
+///
+/// If a sidecar `<label>.meta.hmac` exists, the HMAC is verified
+/// against `hmac_key`; on mismatch, returns [`Error::KeyOperation`]
+/// with `operation = "meta_hmac_verify"`. If the sidecar is absent,
+/// the meta is loaded verbatim — this preserves migration for
+/// legacy caches from before the sidecar shipped. Callers that care
+/// about strict verification should check for sidecar presence
+/// explicitly before accepting loaded meta.
+pub fn load_meta_with_hmac(dir: &Path, label: &str, hmac_key: &[u8]) -> Result<KeyMeta> {
+    crate::types::validate_label(label)?;
+    let meta_path = dir.join(format!("{label}.meta"));
+    if !meta_path.exists() {
+        return load_meta(dir, label);
+    }
+    let content = read_to_string_no_follow(&meta_path)?;
+
+    let hmac_path = dir.join(format!("{label}.meta.hmac"));
+    if hmac_path.exists() {
+        let expected_hex = read_to_string_no_follow(&hmac_path)?;
+        let actual_hex = compute_meta_hmac(hmac_key, content.as_bytes());
+        if !constant_time_eq(expected_hex.trim().as_bytes(), actual_hex.as_bytes()) {
+            return Err(Error::KeyOperation {
+                operation: "meta_hmac_verify".into(),
+                detail: format!(
+                    "`.meta.hmac` does not match the stored `.meta` JSON for label {label}: \
+                     metadata was tampered with after save"
+                ),
+            });
+        }
+    }
+
+    serde_json::from_str(&content).map_err(|e| Error::Serialization(e.to_string()))
+}
+
+/// Compute HMAC-SHA256 over `data` keyed by `key`, hex-encoded.
+///
+/// Implemented directly over SHA-256 per RFC 2104 so we don't pull in
+/// a new dep for a single use. The output is lowercase hex, 64 chars.
+fn compute_meta_hmac(key: &[u8], data: &[u8]) -> String {
+    use sha2::{Digest, Sha256};
+
+    const BLOCK_SIZE: usize = 64; // SHA-256 block size
+
+    // Prepare K' — either pad to block size, or hash first if key > block.
+    let mut k = [0_u8; BLOCK_SIZE];
+    if key.len() > BLOCK_SIZE {
+        let hashed = Sha256::digest(key);
+        k[..hashed.len()].copy_from_slice(&hashed);
+    } else {
+        k[..key.len()].copy_from_slice(key);
+    }
+
+    let mut ipad = [0x36_u8; BLOCK_SIZE];
+    let mut opad = [0x5c_u8; BLOCK_SIZE];
+    for i in 0..BLOCK_SIZE {
+        ipad[i] ^= k[i];
+        opad[i] ^= k[i];
+    }
+
+    let mut inner = Sha256::new();
+    inner.update(ipad);
+    inner.update(data);
+    let inner_digest = inner.finalize();
+
+    let mut outer = Sha256::new();
+    outer.update(opad);
+    outer.update(inner_digest);
+    let outer_digest = outer.finalize();
+
+    let mut out = String::with_capacity(64);
+    for byte in outer_digest {
+        out.push_str(&format!("{byte:02x}"));
+    }
+    out
+}
+
+/// Constant-time equality. Returns `true` iff `a == b`.
+fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
+    if a.len() != b.len() {
+        return false;
+    }
+    let mut diff: u8 = 0;
+    for (x, y) in a.iter().zip(b.iter()) {
+        diff |= x ^ y;
+    }
+    diff == 0
+}
+
 /// Save a cached public key file.
 pub fn save_pub_key(dir: &Path, label: &str, pub_key: &[u8]) -> Result<()> {
     crate::types::validate_label(label)?;
@@ -323,7 +436,7 @@ pub fn list_labels_for_extensions(dir: &Path, extensions: &[&str]) -> Result<Vec
 /// Delete all files associated with a key label.
 pub fn delete_key_files(dir: &Path, label: &str) -> Result<()> {
     crate::types::validate_label(label)?;
-    let extensions = ["meta", "pub", "handle", "ssh.pub"];
+    let extensions = ["meta", "meta.hmac", "pub", "handle", "ssh.pub"];
     let mut found_any = false;
     for ext in &extensions {
         let path = dir.join(format!("{label}.{ext}"));
@@ -437,6 +550,88 @@ mod tests {
         dir
     }
 
+    #[test]
+    fn meta_hmac_roundtrip_accepts_unchanged_meta() {
+        let dir = test_dir();
+        let hmac_key = b"test-hmac-key-material-32-bytes!";
+        let meta = KeyMeta::new(
+            "roundtrip",
+            KeyType::Encryption,
+            AccessPolicy::BiometricOnly,
+        );
+        save_meta_with_hmac(&dir, "roundtrip", &meta, hmac_key).unwrap();
+        let loaded = load_meta_with_hmac(&dir, "roundtrip", hmac_key).unwrap();
+        assert_eq!(loaded.access_policy, AccessPolicy::BiometricOnly);
+        assert_eq!(loaded.label, "roundtrip");
+        std::fs::remove_dir_all(&dir).unwrap();
+    }
+
+    #[test]
+    fn meta_hmac_rejects_tampered_meta() {
+        let dir = test_dir();
+        let hmac_key = b"test-hmac-key-material-32-bytes!";
+        let meta = KeyMeta::new("tamper", KeyType::Encryption, AccessPolicy::BiometricOnly);
+        save_meta_with_hmac(&dir, "tamper", &meta, hmac_key).unwrap();
+
+        // Rewrite .meta to flip AccessPolicy → None, leaving the HMAC sidecar untouched.
+        let meta_path = dir.join("tamper.meta");
+        let raw = std::fs::read_to_string(&meta_path).unwrap();
+        let tampered = raw.replace("biometric_only", "none");
+        std::fs::write(&meta_path, tampered).unwrap();
+
+        let err = load_meta_with_hmac(&dir, "tamper", hmac_key).unwrap_err();
+        assert!(
+            err.to_string().contains("meta_hmac_verify"),
+            "expected HMAC-verify failure, got: {err}"
+        );
+        std::fs::remove_dir_all(&dir).unwrap();
+    }
+
+    #[test]
+    fn meta_hmac_rejects_wrong_key() {
+        let dir = test_dir();
+        let hmac_key = b"test-hmac-key-material-32-bytes!";
+        let meta = KeyMeta::new("wrongkey", KeyType::Encryption, AccessPolicy::None);
+        save_meta_with_hmac(&dir, "wrongkey", &meta, hmac_key).unwrap();
+
+        let bad_key = b"different-hmac-key-material-32by";
+        let err = load_meta_with_hmac(&dir, "wrongkey", bad_key).unwrap_err();
+        assert!(err.to_string().contains("meta_hmac_verify"));
+        std::fs::remove_dir_all(&dir).unwrap();
+    }
+
+    #[test]
+    fn meta_hmac_load_without_sidecar_is_transparent() {
+        // Legacy caches saved before the sidecar shipped must load OK.
+        let dir = test_dir();
+        let hmac_key = b"test-hmac-key-material-32-bytes!";
+        let meta = KeyMeta::new("legacy", KeyType::Signing, AccessPolicy::None);
+        save_meta(&dir, "legacy", &meta).unwrap(); // no sidecar
+        let loaded = load_meta_with_hmac(&dir, "legacy", hmac_key).unwrap();
+        assert_eq!(loaded.label, "legacy");
+        std::fs::remove_dir_all(&dir).unwrap();
+    }
+
+    #[test]
+    fn compute_meta_hmac_is_stable() {
+        // HMAC-SHA256 of an empty message under an empty key, from RFC 4231
+        // test vector 1 isn't directly applicable (uses 20-byte key), so we
+        // just assert our function is deterministic.
+        let key = b"k";
+        let data = b"message";
+        let a = compute_meta_hmac(key, data);
+        let b = compute_meta_hmac(key, data);
+        assert_eq!(a, b);
+        assert_eq!(a.len(), 64); // 32 bytes hex-encoded
+    }
+
+    #[test]
+    fn constant_time_eq_rejects_length_mismatch() {
+        assert!(!constant_time_eq(b"abc", b"abcd"));
+        assert!(constant_time_eq(b"abc", b"abc"));
+        assert!(!constant_time_eq(b"abc", b"abd"));
+    }
+
     #[test]
     fn key_meta_new_sets_timestamp() {
         let meta = KeyMeta::new("test", KeyType::Signing, AccessPolicy::None);
diff --git a/crates/enclaveapp-core/src/process.rs b/crates/enclaveapp-core/src/process.rs
index 6c08e0d..583b64b 100644
--- a/crates/enclaveapp-core/src/process.rs
+++ b/crates/enclaveapp-core/src/process.rs
@@ -13,6 +13,10 @@
 ///   to non-root peers.
 /// - On Linux, sets `PR_SET_NO_NEW_PRIVS=1` so any `exec*()` after this
 ///   point cannot gain privileges via setuid / file capabilities.
+/// - On Windows, enables a safe subset of process mitigation policies:
+///   strict handle checks, extension-point DLL disable, and image-load
+///   restrictions (no remote or low-mandatory-label images). See
+///   [`apply_windows_mitigations`] for the per-policy rationale.
 ///
 /// Should be called early in main() before any secrets are loaded.
 /// Errors are logged but not fatal — hardening is best-effort.
@@ -23,6 +27,10 @@ pub fn harden_process() {
         set_dumpable_zero();
         set_no_new_privs();
     }
+    #[cfg(target_os = "windows")]
+    {
+        apply_windows_mitigations();
+    }
 }
 
 /// Disable core dumps to prevent secrets from appearing in crash dumps.
@@ -87,6 +95,102 @@ fn set_no_new_privs() {
     }
 }
 
+/// Apply the safe subset of Windows process mitigation policies at
+/// startup.
+///
+/// Each call is best-effort — the policies are non-fatal on failure
+/// (unsupported Windows build, already-set, etc.) and simply trace a
+/// warning. The policies applied:
+///
+/// - `PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY
+///   .RaiseExceptionOnInvalidHandleReference`: any syscall that
+///   receives an invalid handle raises `STATUS_INVALID_HANDLE`
+///   immediately. Catches handle-confusion bugs that would otherwise
+///   silently operate on the wrong object. Safe for standard apps.
+/// - `PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY
+///   .DisableExtensionPoints`: blocks legacy DLL-injection extension
+///   points (AppInit_DLLs, AppCertDlls, shim engine, IMEs, winevent
+///   hooks) from loading into this process. Kills the most common
+///   unsigned-DLL-injection vector.
+/// - `PROCESS_MITIGATION_IMAGE_LOAD_POLICY
+///   .NoRemoteImages` + `.NoLowMandatoryLabelImages`: refuses to
+///   load DLLs from UNC paths and from files with the low-mandatory
+///   integrity label. Blocks the "drop a DLL onto a writable share
+///   and hijack our load search" pattern.
+///
+/// Deliberately **not** applied:
+/// - `PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY.MicrosoftSignedOnly` —
+///   breaks cargo-built unsigned apps.
+/// - `PROCESS_MITIGATION_DYNAMIC_CODE_POLICY` (ACG) — breaks JIT
+///   frameworks and some crypto providers.
+/// - `PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY.DisallowWin32kSystemCalls` —
+///   UI-less-only, risky for apps that surface any GUI.
+#[cfg(target_os = "windows")]
+#[allow(unsafe_code)]
+fn apply_windows_mitigations() {
+    // Structs live in SystemServices; function + PROCESS_MITIGATION_POLICY
+    // discriminants live in Threading. windows-rs split them across modules.
+    use windows::Win32::System::SystemServices::{
+        PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY, PROCESS_MITIGATION_IMAGE_LOAD_POLICY,
+        PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY,
+    };
+    use windows::Win32::System::Threading::{
+        ProcessExtensionPointDisablePolicy, ProcessImageLoadPolicy, ProcessStrictHandleCheckPolicy,
+        SetProcessMitigationPolicy,
+    };
+
+    // All PROCESS_MITIGATION_* policy structs are a union of a `Flags: u32`
+    // and a bitfield struct. windows-rs 0.58 exposes the structs but not
+    // the generated bitfield setters, so write the Flags word directly.
+    // Bit layout matches the Win32 headers.
+
+    // Strict handle check:
+    //   bit 0 = RaiseExceptionOnInvalidHandleReference
+    //   bit 1 = HandleExceptionsPermanentlyEnabled
+    let mut strict = PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY::default();
+    unsafe {
+        strict.Anonymous.Flags = 0b11;
+        if let Err(e) = SetProcessMitigationPolicy(
+            ProcessStrictHandleCheckPolicy,
+            std::ptr::addr_of!(strict).cast(),
+            size_of::<PROCESS_MITIGATION_STRICT_HANDLE_CHECK_POLICY>(),
+        ) {
+            tracing::warn!("SetProcessMitigationPolicy(StrictHandleCheck) failed: {e}");
+        }
+    }
+
+    // Extension-point disable:
+    //   bit 0 = DisableExtensionPoints
+    let mut extpt = PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY::default();
+    unsafe {
+        extpt.Anonymous.Flags = 0b1;
+        if let Err(e) = SetProcessMitigationPolicy(
+            ProcessExtensionPointDisablePolicy,
+            std::ptr::addr_of!(extpt).cast(),
+            size_of::<PROCESS_MITIGATION_EXTENSION_POINT_DISABLE_POLICY>(),
+        ) {
+            tracing::warn!("SetProcessMitigationPolicy(ExtensionPointDisable) failed: {e}");
+        }
+    }
+
+    // Image-load — block remote and low-mandatory-label images. Do
+    // NOT set `PreferSystem32Images` here; cargo-built apps ship
+    // their own DLLs alongside the exe and need local-dir loading.
+    //   bit 0 = NoRemoteImages
+    //   bit 1 = NoLowMandatoryLabelImages
+    let mut imgload = PROCESS_MITIGATION_IMAGE_LOAD_POLICY::default();
+    unsafe {
+        imgload.Anonymous.Flags = 0b11;
+        if let Err(e) = SetProcessMitigationPolicy(
+            ProcessImageLoadPolicy,
+            std::ptr::addr_of!(imgload).cast(),
+            size_of::<PROCESS_MITIGATION_IMAGE_LOAD_POLICY>(),
+        ) {
+            tracing::warn!("SetProcessMitigationPolicy(ImageLoad) failed: {e}");
+        }
+    }
+}
+
 /// Lock a memory region to prevent it from being paged to swap.
 ///
 /// Call this on buffers containing secrets. The memory will remain in RAM
diff --git a/crates/enclaveapp-keyring/Cargo.toml b/crates/enclaveapp-keyring/Cargo.toml
index 5565e57..b9070dc 100644
--- a/crates/enclaveapp-keyring/Cargo.toml
+++ b/crates/enclaveapp-keyring/Cargo.toml
@@ -26,6 +26,7 @@ rand = { workspace = true }
 dirs = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
+zeroize = { workspace = true }
 # keyring requires glibc (needs libdbus for D-Bus Secret Service).
 [target.'cfg(all(target_os = "linux", target_env = "gnu"))'.dependencies]
 keyring = { workspace = true, optional = true }
diff --git a/crates/enclaveapp-keyring/src/encrypt.rs b/crates/enclaveapp-keyring/src/encrypt.rs
index b01eb61..b1aa616 100644
--- a/crates/enclaveapp-keyring/src/encrypt.rs
+++ b/crates/enclaveapp-keyring/src/encrypt.rs
@@ -83,14 +83,20 @@ impl EnclaveKeyManager for SoftwareEncryptor {
 /// X9.63 KDF: SHA-256(shared_secret_x || counter_be32 || shared_info)
 /// where counter = 0x00000001 for the first (and only) block.
 /// shared_info = ephemeral public key bytes (65 bytes).
-fn derive_key(shared_secret: &p256::ecdh::SharedSecret, eph_pub_bytes: &[u8]) -> [u8; 32] {
+///
+/// The derived AES key is returned as `Zeroizing<[u8; 32]>` so the
+/// caller never holds the symmetric key past the AES-GCM op.
+fn derive_key(
+    shared_secret: &p256::ecdh::SharedSecret,
+    eph_pub_bytes: &[u8],
+) -> zeroize::Zeroizing<[u8; 32]> {
     use sha2::{Digest, Sha256};
     let mut hasher = Sha256::new();
     hasher.update(shared_secret.raw_secret_bytes());
     hasher.update([0x00, 0x00, 0x00, 0x01]); // counter = 1 (big-endian)
     hasher.update(eph_pub_bytes);
     let result = hasher.finalize();
-    let mut key = [0_u8; 32];
+    let mut key = zeroize::Zeroizing::new([0_u8; 32]);
     key.copy_from_slice(&result);
     key
 }
@@ -127,8 +133,10 @@ impl EnclaveEncryptor for SoftwareEncryptor {
         let derived_key = derive_key(&shared_secret, &eph_pub_bytes);
 
         // AES-256-GCM encrypt
-        let cipher = Aes256Gcm::new_from_slice(&derived_key).map_err(|e| Error::EncryptFailed {
-            detail: format!("AES init: {e}"),
+        let cipher = Aes256Gcm::new_from_slice(derived_key.as_slice()).map_err(|e| {
+            Error::EncryptFailed {
+                detail: format!("AES init: {e}"),
+            }
         })?;
 
         let mut nonce_bytes = [0_u8; GCM_NONCE_SIZE];
@@ -194,8 +202,10 @@ impl EnclaveEncryptor for SoftwareEncryptor {
         let derived_key = derive_key(&shared_secret, eph_pub_bytes);
 
         // AES-256-GCM decrypt
-        let cipher = Aes256Gcm::new_from_slice(&derived_key).map_err(|e| Error::DecryptFailed {
-            detail: format!("AES init: {e}"),
+        let cipher = Aes256Gcm::new_from_slice(derived_key.as_slice()).map_err(|e| {
+            Error::DecryptFailed {
+                detail: format!("AES init: {e}"),
+            }
         })?;
         let nonce = Nonce::from_slice(nonce_bytes);
 
diff --git a/crates/enclaveapp-keyring/src/key_storage.rs b/crates/enclaveapp-keyring/src/key_storage.rs
index c81e62e..c3de378 100644
--- a/crates/enclaveapp-keyring/src/key_storage.rs
+++ b/crates/enclaveapp-keyring/src/key_storage.rs
@@ -19,6 +19,11 @@ use enclaveapp_core::types::validate_label;
 use enclaveapp_core::{AccessPolicy, Error, KeyType, Result};
 use p256::SecretKey;
 use std::path::PathBuf;
+#[cfg_attr(
+    not(all(feature = "keyring-storage", target_env = "gnu")),
+    allow(unused_imports)
+)]
+use zeroize::{Zeroize, Zeroizing};
 
 /// Version byte for encrypted key files.
 const ENCRYPTED_KEY_VERSION: u8 = 0x01;
@@ -106,6 +111,50 @@ fn keyring_available(app_name: &str) -> bool {
     }
 }
 
+/// Keyring account name under which the per-app meta-HMAC key is stored.
+///
+/// The meta-HMAC key is a random 32-byte value, generated on first use
+/// and reused across all keys for the app. It authenticates
+/// `<label>.meta` JSON contents so a same-UID attacker cannot rewrite
+/// `AccessPolicy` (or any other policy-bearing meta field) without
+/// also having keyring access.
+#[cfg(all(feature = "keyring-storage", target_env = "gnu"))]
+const META_HMAC_ACCOUNT: &str = "__meta_hmac_key__";
+
+/// Load or create the per-app meta-HMAC key in the system keyring.
+///
+/// Returns `Ok(Some(key))` when keyring access succeeds, `Ok(None)`
+/// when the keyring is unavailable — callers fall back to writing
+/// plain (unauthenticated) meta in that case so the library stays
+/// functional on systems without a running Secret Service.
+///
+/// Exposed publicly so `enclaveapp-app-storage` can pass the key
+/// into `metadata::load_meta_with_hmac` at `ensure_key` time without
+/// taking its own keyring dependency.
+#[cfg(all(feature = "keyring-storage", target_env = "gnu"))]
+pub fn meta_hmac_key(app_name: &str) -> Option<Zeroizing<Vec<u8>>> {
+    use rand::RngCore;
+    let entry = keyring::Entry::new(app_name, META_HMAC_ACCOUNT).ok()?;
+    match entry.get_secret() {
+        Ok(bytes) if bytes.len() == 32 => Some(Zeroizing::new(bytes)),
+        Ok(_) | Err(_) => {
+            let mut buf = [0_u8; 32];
+            rand::thread_rng().fill_bytes(&mut buf);
+            entry.set_secret(&buf).ok()?;
+            let out = Zeroizing::new(buf.to_vec());
+            // Wipe the local array; Zeroizing only wraps the Vec copy.
+            buf.zeroize();
+            Some(out)
+        }
+    }
+}
+
+#[cfg(not(all(feature = "keyring-storage", target_env = "gnu")))]
+#[allow(dead_code)]
+pub fn meta_hmac_key(_app_name: &str) -> Option<Zeroizing<Vec<u8>>> {
+    None
+}
+
 /// Save the private key bytes to a `.key` file, encrypting with a keyring-stored
 /// KEK when `use_keyring` is true. When `use_keyring` is false (testing only),
 /// falls back to unencrypted file storage.
@@ -166,22 +215,27 @@ fn save_encrypted(
     use aes_gcm::{aead::Aead, Aes256Gcm, KeyInit, Nonce};
     use rand::RngCore;
 
-    // Generate random KEK
-    let mut kek = [0_u8; KEK_SIZE];
-    rand::thread_rng().fill_bytes(&mut kek);
+    // Generate random KEK. Wrap in Zeroizing so we wipe it after use.
+    let mut kek_arr = [0_u8; KEK_SIZE];
+    rand::thread_rng().fill_bytes(&mut kek_arr);
+    let kek = Zeroizing::new(kek_arr);
+    // Local mutable was required for fill_bytes; wipe the intermediate.
+    kek_arr.zeroize();
 
     // Store KEK in keyring
     let entry = keyring::Entry::new(app_name, label).map_err(|e| Error::KeyOperation {
         operation: "keyring_entry".into(),
         detail: e.to_string(),
     })?;
-    entry.set_secret(&kek).map_err(|e| Error::KeyOperation {
-        operation: "keyring_store".into(),
-        detail: e.to_string(),
-    })?;
+    entry
+        .set_secret(kek.as_slice())
+        .map_err(|e| Error::KeyOperation {
+            operation: "keyring_store".into(),
+            detail: e.to_string(),
+        })?;
 
     // Encrypt with AES-256-GCM
-    let cipher = Aes256Gcm::new_from_slice(&kek).map_err(|e| Error::KeyOperation {
+    let cipher = Aes256Gcm::new_from_slice(kek.as_slice()).map_err(|e| Error::KeyOperation {
         operation: "aes_init".into(),
         detail: e.to_string(),
     })?;
@@ -211,16 +265,21 @@ fn save_encrypted(
 }
 
 /// Load the private key bytes from a `.key` file, decrypting if necessary.
+///
+/// The returned `Zeroizing<Vec<u8>>` wipes the plaintext key material when
+/// the caller drops it. This is load-bearing for the threat-model commitment
+/// that keyring/software-backend plaintext key bytes do not linger in heap
+/// allocations after use.
 fn load_private_key_bytes(
     app_name: &str,
     key_path: &std::path::Path,
     label: &str,
-) -> Result<Vec<u8>> {
+) -> Result<Zeroizing<Vec<u8>>> {
     let bytes = metadata::read_no_follow(key_path)?;
 
     // Backward compatibility: raw 32-byte key (unencrypted)
     if bytes.len() == RAW_KEY_SIZE {
-        return Ok(bytes);
+        return Ok(Zeroizing::new(bytes));
     }
 
     // Encrypted format: version(1) + nonce(12) + encrypted_key(32) + tag(16) = 61
@@ -253,8 +312,16 @@ fn load_private_key_bytes(
 }
 
 /// Decrypt an encrypted key file using the KEK from the keyring.
+///
+/// The KEK retrieved from the keyring is zeroized on drop (wrapped in
+/// `Zeroizing<Vec<u8>>`). The decrypted plaintext key bytes are also
+/// returned as `Zeroizing<Vec<u8>>` so they never linger past the caller.
 #[cfg(all(feature = "keyring-storage", target_env = "gnu"))]
-fn decrypt_private_key(app_name: &str, file_data: &[u8], label: &str) -> Result<Vec<u8>> {
+fn decrypt_private_key(
+    app_name: &str,
+    file_data: &[u8],
+    label: &str,
+) -> Result<Zeroizing<Vec<u8>>> {
     use aes_gcm::{aead::Aead, Aes256Gcm, KeyInit, Nonce};
 
     let nonce_bytes = &file_data[1..1 + GCM_NONCE_SIZE];
@@ -265,10 +332,10 @@ fn decrypt_private_key(app_name: &str, file_data: &[u8], label: &str) -> Result<
         operation: "keyring_entry".into(),
         detail: e.to_string(),
     })?;
-    let kek = entry.get_secret().map_err(|e| Error::KeyOperation {
+    let kek = Zeroizing::new(entry.get_secret().map_err(|e| Error::KeyOperation {
         operation: "keyring_retrieve".into(),
         detail: format!("cannot retrieve key encryption key from keyring: {e}"),
-    })?;
+    })?);
 
     if kek.len() != KEK_SIZE {
         return Err(Error::KeyOperation {
@@ -288,6 +355,7 @@ fn decrypt_private_key(app_name: &str, file_data: &[u8], label: &str) -> Result<
 
     cipher
         .decrypt(nonce, encrypted)
+        .map(Zeroizing::new)
         .map_err(|e| Error::KeyOperation {
             operation: "decrypt_key".into(),
             detail: format!("failed to decrypt private key: {e}"),
@@ -331,16 +399,30 @@ pub fn generate_and_save(
     // SEC1 uncompressed public key (65 bytes: 0x04 || X || Y)
     let pub_bytes: Vec<u8> = public_key.to_encoded_point(false).as_bytes().to_vec();
 
-    // Save private key (encrypted if keyring is available, plaintext otherwise)
-    let secret_bytes = secret_key.to_bytes();
+    // Save private key (encrypted if keyring is available, plaintext
+    // otherwise). Wrap the plaintext byte buffer in Zeroizing so the
+    // raw key is wiped as soon as we've written the encrypted form.
+    let secret_bytes = Zeroizing::new(secret_key.to_bytes().to_vec());
     save_private_key(config, &key_path, &secret_bytes, label)?;
 
     // Save cached public key
     metadata::save_pub_key(&dir, label, &pub_bytes)?;
 
-    // Save metadata
+    // Save metadata with an HMAC sidecar so a same-UID attacker cannot
+    // rewrite `AccessPolicy` in `.meta` without also having access to
+    // the per-app meta-HMAC key in the system keyring. If the keyring
+    // is unavailable (no Secret Service) we fall back to the plain
+    // save_meta path — the keyring is strictly weaker than hardware
+    // anyway and we document the residual risk.
     let meta = KeyMeta::new(label, key_type, policy);
-    metadata::save_meta(&dir, label, &meta)?;
+    match meta_hmac_key(&config.app_name) {
+        Some(hmac_key) => {
+            metadata::save_meta_with_hmac(&dir, label, &meta, hmac_key.as_slice())?;
+        }
+        None => {
+            metadata::save_meta(&dir, label, &meta)?;
+        }
+    }
 
     Ok(pub_bytes)
 }
diff --git a/crates/enclaveapp-keyring/src/lib.rs b/crates/enclaveapp-keyring/src/lib.rs
index af794aa..7fd16a7 100644
--- a/crates/enclaveapp-keyring/src/lib.rs
+++ b/crates/enclaveapp-keyring/src/lib.rs
@@ -29,4 +29,4 @@ pub use sign::SoftwareSigner;
 #[cfg(feature = "encryption")]
 pub use encrypt::SoftwareEncryptor;
 
-pub use key_storage::{has_keyring_feature, is_available};
+pub use key_storage::{has_keyring_feature, is_available, meta_hmac_key};
diff --git a/crates/enclaveapp-test-software/Cargo.toml b/crates/enclaveapp-test-software/Cargo.toml
index e2a5ab7..2cc20dd 100644
--- a/crates/enclaveapp-test-software/Cargo.toml
+++ b/crates/enclaveapp-test-software/Cargo.toml
@@ -25,3 +25,4 @@ rand = { workspace = true }
 dirs = { workspace = true }
 serde = { workspace = true }
 serde_json = { workspace = true }
+zeroize = { workspace = true }
diff --git a/crates/enclaveapp-test-software/src/encrypt.rs b/crates/enclaveapp-test-software/src/encrypt.rs
index 3470bcb..ecfc08a 100644
--- a/crates/enclaveapp-test-software/src/encrypt.rs
+++ b/crates/enclaveapp-test-software/src/encrypt.rs
@@ -73,14 +73,17 @@ impl EnclaveKeyManager for SoftwareEncryptor {
 /// X9.63 KDF: SHA-256(shared_secret_x || counter_be32 || shared_info)
 /// where counter = 0x00000001 for the first (and only) block.
 /// shared_info = ephemeral public key bytes (65 bytes).
-fn derive_key(shared_secret: &p256::ecdh::SharedSecret, eph_pub_bytes: &[u8]) -> [u8; 32] {
+fn derive_key(
+    shared_secret: &p256::ecdh::SharedSecret,
+    eph_pub_bytes: &[u8],
+) -> zeroize::Zeroizing<[u8; 32]> {
     use sha2::{Digest, Sha256};
     let mut hasher = Sha256::new();
     hasher.update(shared_secret.raw_secret_bytes());
     hasher.update([0x00, 0x00, 0x00, 0x01]); // counter = 1 (big-endian)
     hasher.update(eph_pub_bytes);
     let result = hasher.finalize();
-    let mut key = [0_u8; 32];
+    let mut key = zeroize::Zeroizing::new([0_u8; 32]);
     key.copy_from_slice(&result);
     key
 }
@@ -117,8 +120,10 @@ impl EnclaveEncryptor for SoftwareEncryptor {
         let derived_key = derive_key(&shared_secret, &eph_pub_bytes);
 
         // AES-256-GCM encrypt
-        let cipher = Aes256Gcm::new_from_slice(&derived_key).map_err(|e| Error::EncryptFailed {
-            detail: format!("AES init: {e}"),
+        let cipher = Aes256Gcm::new_from_slice(derived_key.as_slice()).map_err(|e| {
+            Error::EncryptFailed {
+                detail: format!("AES init: {e}"),
+            }
         })?;
 
         let mut nonce_bytes = [0_u8; GCM_NONCE_SIZE];
@@ -184,8 +189,10 @@ impl EnclaveEncryptor for SoftwareEncryptor {
         let derived_key = derive_key(&shared_secret, eph_pub_bytes);
 
         // AES-256-GCM decrypt
-        let cipher = Aes256Gcm::new_from_slice(&derived_key).map_err(|e| Error::DecryptFailed {
-            detail: format!("AES init: {e}"),
+        let cipher = Aes256Gcm::new_from_slice(derived_key.as_slice()).map_err(|e| {
+            Error::DecryptFailed {
+                detail: format!("AES init: {e}"),
+            }
         })?;
         let nonce = Nonce::from_slice(nonce_bytes);
 
diff --git a/crates/enclaveapp-test-software/src/key_storage.rs b/crates/enclaveapp-test-software/src/key_storage.rs
index 206a985..fda4ee5 100644
--- a/crates/enclaveapp-test-software/src/key_storage.rs
+++ b/crates/enclaveapp-test-software/src/key_storage.rs
@@ -18,6 +18,7 @@ use enclaveapp_core::types::validate_label;
 use enclaveapp_core::{AccessPolicy, Error, KeyType, Result};
 use p256::SecretKey;
 use std::path::PathBuf;
+use zeroize::Zeroizing;
 
 /// Always available (no hardware required).
 pub fn is_available() -> bool {
@@ -78,8 +79,10 @@ pub fn generate_and_save(
     let public_key = secret_key.public_key();
     let pub_bytes: Vec<u8> = public_key.to_encoded_point(false).as_bytes().to_vec();
 
-    // Plaintext storage (test only)
-    let secret_bytes = secret_key.to_bytes();
+    // Plaintext storage (test only). The byte buffer is zeroized on
+    // drop so we don't leave key material in test-harness heaps across
+    // parallel runs.
+    let secret_bytes = Zeroizing::new(secret_key.to_bytes().to_vec());
     metadata::atomic_write(&key_path, &secret_bytes)?;
     metadata::restrict_file_permissions(&key_path)?;
 
@@ -100,7 +103,9 @@ pub fn load_secret_key(config: &SoftwareConfig, label: &str) -> Result<SecretKey
             label: label.to_string(),
         });
     }
-    let bytes = metadata::read_no_follow(&key_path)?;
+    // Wipe the raw key-file bytes after we've built the SecretKey so
+    // they don't linger in test-harness heap.
+    let bytes = Zeroizing::new(metadata::read_no_follow(&key_path)?);
     SecretKey::from_slice(&bytes).map_err(|e| Error::KeyOperation {
         operation: "load_secret_key".into(),
         detail: e.to_string(),
diff --git a/crates/enclaveapp-tpm-bridge/src/lib.rs b/crates/enclaveapp-tpm-bridge/src/lib.rs
index d9904ae..add7809 100644
--- a/crates/enclaveapp-tpm-bridge/src/lib.rs
+++ b/crates/enclaveapp-tpm-bridge/src/lib.rs
@@ -490,6 +490,41 @@ mod tests {
         assert!(storage.is_none());
     }
 
+    #[test]
+    fn destroy_and_delete_are_aliases() {
+        // Locks in the compat guarantee: the bridge server MUST honor
+        // both `destroy` and `delete` on the wire. `bridge_destroy`
+        // on the client side sends `"delete"` for backward
+        // compatibility with older servers, and newer clients may
+        // send either. Both names must produce identical semantics
+        // so neither version drifts into an "unknown method" error.
+        let destroy = make_request("destroy", "", AccessPolicy::None);
+        let delete = make_request("delete", "", AccessPolicy::None);
+
+        let mut storage_a = None;
+        let mut storage_b = None;
+        let resp_destroy = handle(&destroy, &mut storage_a);
+        let resp_delete = handle(&delete, &mut storage_b);
+
+        // Neither response should be the unknown-method sentinel —
+        // that error text is the regression guard.
+        for resp in [&resp_destroy, &resp_delete] {
+            if let Some(err) = &resp.error {
+                assert!(
+                    !err.contains("unknown method"),
+                    "bridge rejected a supported alias as unknown: {err}"
+                );
+            }
+        }
+        // Result shape must match: either both error (no TPM on this
+        // host) or both succeed.
+        assert_eq!(
+            resp_destroy.error.is_some(),
+            resp_delete.error.is_some(),
+            "destroy/delete disagreed: destroy={resp_destroy:?} delete={resp_delete:?}"
+        );
+    }
+
     #[test]
     fn handle_unknown_method() {
         let req = make_request("bogus", "", AccessPolicy::None);
diff --git a/crates/enclaveapp-windows/src/ui_policy.rs b/crates/enclaveapp-windows/src/ui_policy.rs
index a85ee41..b182ddd 100644
--- a/crates/enclaveapp-windows/src/ui_policy.rs
+++ b/crates/enclaveapp-windows/src/ui_policy.rs
@@ -12,6 +12,42 @@ use windows::core::PCWSTR;
 use windows::Win32::Security::Cryptography::*;
 use windows::Win32::Security::OBJECT_SECURITY_INFORMATION;
 
+/// Expected in-memory size of `NCRYPT_UI_POLICY` as the Windows API
+/// defines it — `DWORD dwVersion`, `DWORD dwFlags`, and three
+/// `LPCWSTR` pointers. This mirrors the C declaration in
+/// `ncrypt.h`:
+/// ```c
+/// typedef struct NCRYPT_UI_POLICY {
+///     DWORD   dwVersion;
+///     DWORD   dwFlags;
+///     LPCWSTR pszCreationTitle;
+///     LPCWSTR pszFriendlyName;
+///     LPCWSTR pszDescription;
+/// } NCRYPT_UI_POLICY;
+/// ```
+/// On 64-bit Windows: 4 + 4 + 8 + 8 + 8 = 32 bytes. The trailing
+/// pointer alignment adds nothing on x64 (pointers are already
+/// naturally aligned), so the struct lays out at exactly 32 bytes.
+/// On 32-bit Windows: 4 + 4 + 4 + 4 + 4 = 20 bytes. We support both.
+///
+/// A silent `windows-rs` struct-layout change would change
+/// `size_of::<NCRYPT_UI_POLICY>()`, which would desync from what
+/// `NCryptSetProperty` / `NCryptGetProperty` expect via the `cbInput`
+/// argument. The compile-time assertion below catches that at build
+/// time rather than at runtime.
+const EXPECTED_NCRYPT_UI_POLICY_SIZE: usize = if cfg!(target_pointer_width = "64") {
+    32
+} else {
+    20
+};
+
+const _: () = assert!(
+    std::mem::size_of::<NCRYPT_UI_POLICY>() == EXPECTED_NCRYPT_UI_POLICY_SIZE,
+    "NCRYPT_UI_POLICY layout changed — NCryptSetProperty / NCryptGetProperty \
+     cbInput values in this module will desync. Update the expected size \
+     constant after auditing the new layout."
+);
+
 /// Set a Windows Hello UI policy on a key handle.
 ///
 /// When the policy is anything other than `None`, the key is marked with