diff --git a/.github/workflows/cli-tests.yml b/.github/workflows/cli-tests.yml
new file mode 100644
index 0000000..42c4a35
--- /dev/null
+++ b/.github/workflows/cli-tests.yml
@@ -0,0 +1,30 @@
+name: CLI tests
+
+on:
+  pull_request:
+  push:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+      - name: Run test suite
+        run: ./scripts/test.sh -q
+      - name: Run static checks
+        run: |
+          .venv-test/bin/python -m pip check
+          python3 -m py_compile \
+            client.py shared.py rpc.py menu.py wallet.py mesh.py beacon.py \
+            arcium_client.py scripts/preflight.py scripts/exit_node.py \
+            scripts/demo_durable_nonce_relay.py tests/test_tcp_bridge.py
+          bash -n setup.sh scripts/headless-node.sh scripts/test.sh
+          for file in rescue_shim.mjs scripts/*.mjs; do
+            node --check "$file"
+          done
diff --git a/.gitignore b/.gitignore
index e12306c..5f4a697 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 venv/
 .venv/
+.venv-test/
 config/storage/
 __pycache__/
 node_modules/
@@ -10,6 +11,7 @@ run_client.sh
 wallet.json
 wallet_*.json
 nonce_*.json
-config/*/storage/
-config/*/interfaces/
-*.identity
\ No newline at end of file
+config/**/storage/
+config/**/interfaces/
+config/**/anonmesh_exit_identity
+*.identity
diff --git a/README.md b/README.md
index 56ba6a2..35eb333 100644
--- a/README.md
+++ b/README.md
@@ -2,9 +2,9 @@
 
 **Mesh First, Chain When It Matters.**
 
-anonmesh is a Python MVP for tunneling Solana JSON-RPC requests over [Reticulum's](https://reticulum.network/) end-to-end encrypted mesh network. Off-grid devices interact with the Solana blockchain through connected gateway nodes ("Beacons") over virtually any transport medium — LoRa, BLE, WiFi, Packet Radio, TCP hubs, and more.
+anonmesh is a Python MVP for tunneling Solana JSON-RPC requests over [Reticulum's](https://reticulum.network/) end-to-end encrypted mesh network. Off-grid devices interact with the Solana blockchain through connected gateway nodes ("Beacons") over supported Reticulum transports such as LoRa, WiFi, Packet Radio, and TCP hubs. Desktop BLE relay remains experimental.
 
-After relaying a transaction, the Beacon co-signs and submits an `execute_payment` instruction to the **ble_revshare** Anchor program, logging encrypted payment statistics via [Arcium MPC](https://arcium.com/) — so revenue-share accounting happens on-chain without leaking raw amounts.
+When configured, a Beacon can co-sign and submit an `execute_payment` instruction to the **ble_revshare** Anchor program after relaying a transaction with the required Arcium metadata. This logs encrypted payment statistics via [Arcium MPC](https://arcium.com/) without leaking raw amounts.
 
 ## Architecture
 
@@ -30,7 +30,7 @@ After relaying a transaction, the Beacon co-signs and submits an `execute_paymen
 ## Quickstart
 
 ```bash
-git clone https://github.com/Magicred-1/anonmesh_cli.git
+git clone https://github.com/anonmesh/anonmesh_cli.git
 cd anonmesh_cli
 npm install
 chmod +x setup.sh
@@ -45,34 +45,43 @@ chmod +x setup.sh
 ./setup.sh --beacon          # beacon only
 ./setup.sh --client          # client only (adds solders, qrcode)
 ./setup.sh --both            # both
-./setup.sh --systemd         # also install beacon as a systemd service
-./setup.sh --ble             # add Bluetooth Low Energy transport
-./setup.sh --meshtastic      # add Meshtastic / LoRa transport
-./setup.sh --wallet-setup    # generate signing keypair + durable nonce account
-./setup.sh --mainnet         # target Solana mainnet-beta instead of devnet
+./setup.sh --beacon --systemd       # also install a beacon systemd service
+./setup.sh --beacon --ble           # install experimental BLE research deps
+./setup.sh --beacon --meshtastic    # install Meshtastic research deps
+./setup.sh --beacon --rnode         # configure detected RNode LoRa hardware
+./setup.sh --client --wallet-setup  # interactively create wallet + nonce state
+./setup.sh --beacon --mainnet       # target Solana mainnet-beta instead of devnet
+```
+
+For unattended RNode setup, specify the serial device and legal radio region
+explicitly:
+
+```bash
+ANONMESH_RNODE_PORT=/dev/ttyUSB0 ANONMESH_RNODE_REGION=us \
+  ./setup.sh --beacon --rnode
 ```
 
 ## Configuration
 
-Copy `.env.example` to `.env` and edit:
+Create `.env` only if you need optional Arcium or wallet overrides:
 
 ```bash
-cp .env.example .env
+install -m 600 /dev/null .env
 ```
 
 Key variables:
 
 | Variable | Default | Description |
 |---|---|---|
-| `SOLANA_NETWORK` | `devnet` | `devnet` or `mainnet` |
-| `ARCIUM_ENABLED` | `1` | Set to `0` to disable Arcium MPC |
-| `ARCIUM_PAYER_KEYPAIR` | `~/.config/solana/id.json` | Keypair that pays Arcium computation fees |
+| `SOLANA_NETWORK` | `devnet` | Launcher network: `devnet` or `mainnet` |
+| `SOLANA_RPC_URL` | public network endpoint | Optional beacon RPC override |
+| `ARCIUM_ENABLED` | `0` | Set to `1` to enable Arcium MPC |
+| `ARCIUM_PAYER_KEYPAIR` | *(unset)* | Keypair that pays Arcium computation fees |
 | `ARCIUM_RPC_URL` | devnet public endpoint | RPC for Arcium transactions |
-| `ARCIUM_MXE_PUBKEY_HEX` | *(pre-filled for devnet)* | MXE x25519 public key |
+| `ARCIUM_MXE_PUBKEY_HEX` | *(unset)* | MXE x25519 public key |
 | `ARCIUM_CLUSTER_OFFSET` | `456` | `456` = devnet, `2026` = mainnet-alpha |
 | `ARCIUM_BROADCASTER_TOKEN_ACCOUNT` | *(derived)* | Beacon's SPL token account for rev-share |
 | `ARCIUM_TREASURY_TOKEN_ACCOUNT` | *(derived from broadcaster)* | Treasury token account |
-| `ANNOUNCE_INTERVAL` | `300` | Seconds between Reticulum re-announces |
 
 ## Usage
 
@@ -97,11 +106,42 @@ The beacon prints its **DESTINATION HASH** on startup — share this with client
 ./run_client.sh <BEACON_HASH> --balance <SOLANA_ADDRESS>
 ```
 
+### 3. Run a Headless Exit Node
+
+Use the headless launcher for a laptop or Linux server that only forwards RPC:
+
+```bash
+./scripts/headless-node.sh preflight
+./scripts/headless-node.sh start
+./scripts/headless-node.sh status
+./scripts/headless-node.sh logs
+./scripts/headless-node.sh stop
+```
+
+Override `ANONMESH_CONFIG_DIR`, `ANONMESH_NETWORK`, or `ANONMESH_RPC_URL` when the defaults do not match your deployment.
+Use the RPC URL environment variables for credential-bearing endpoints. The
+launchers keep those URLs out of process arguments, and runtime logs redact
+credentials, path tokens, and query parameters.
+
+## Testing
+
+```bash
+# Fresh local test environment + unit tests
+npm test -- -q
+
+# Localhost Reticulum relay → headless exit node → Solana devnet
+.venv-test/bin/python tests/test_tcp_bridge.py
+```
+
 ## Arcium MPC — execute_payment flow
 
+The current Arcium integration records encrypted payment statistics only.
+Confidential SOL balance queries are not implemented. The retained client
+`--cbalance` compatibility flag fails closed without relaying an address.
+
 After the beacon relays a `sendTransaction` containing Arcium metadata, it:
 
-1. Calls `rescue_shim.mjs get_arcium_accounts` to derive all on-chain PDA addresses.
+1. Calls `rescue_shim.mjs arcium_accounts` to derive all on-chain PDA addresses.
 2. Encrypts the payment amount with x25519 + RescueCipher (shim-side).
 3. Auto-creates any missing SPL token ATAs (payer, recipient, treasury, broadcaster).
 4. Builds a durable-nonce transaction with `execute_payment` on the **ble_revshare** program (`7xeQNUggKc2e5q6AQxsFBLBkXGg2p54kSx11zVainMks`).
@@ -130,7 +170,7 @@ node scripts/init_comp_def_once.mjs
 |---|---|
 | `check_arcium_accounts.mjs` | Verify all Arcium PDAs / ATAs exist on devnet |
 | `fetch_idl.mjs` | Fetch the deployed program IDL |
-| `get_whitelists.js` | List whitelisted mints |
+| `get_whitelists.mjs` | List whitelisted mints |
 | `init_comp_def_once.mjs` | Initialise the `payment_stats` computation definition |
 
 Run any with:
@@ -141,20 +181,28 @@ node scripts/<script>.mjs [args]
 
 ## Reticulum configuration
 
-`setup.sh` writes `~/.reticulum/config` automatically. A working example (with the reliable public hubs) is included as [`reticulum_config`](reticulum_config) in this repo — copy it over if you need to reset:
+`setup.sh` writes `~/.reticulum/config` automatically. Re-run setup to reset that config. The included [`reticulum_config`](reticulum_config) file is an RNode reference sample; edit its serial port before using it:
 
 ```bash
 cp reticulum_config ~/.reticulum/config
+# Edit the RNode LoRa port for this machine.
+```
+
+`setup.sh` restricts `~/.reticulum` and generated launchers use `umask 077`.
+When starting `rnsd` directly, set the same umask before its first run so its
+persisted transport identity is owner-only:
+
+```bash
+umask 077
+rnsd
 ```
 
 Public TCP hubs configured by default:
 
-- `dublin.connect.reticulum.network:4965` (RNS Testnet Dublin)
-- `reticulum.betweentheborders.com:4242`
 - `rns.beleth.net:4242`
 - `dfw.us.g00n.cloud:6969`
 
-BLE and Meshtastic / LoRa interfaces are also configured (disabled by default; enable via setup flags).
+RNode LoRa is optional. `setup.sh --ble` installs `bleak` for research only; it does not configure a supported desktop BLE relay. `setup.sh --meshtastic` installs the Python dependency but requires a separately supplied Reticulum interface module. Phone BLE uses the separate Android/iOS native client.
 
 ## Dependencies
 
@@ -166,8 +214,8 @@ BLE and Meshtastic / LoRa interfaces are also configured (disabled by default; e
 | `lxmf` | Beacon discovery over the mesh |
 | `requests` | Solana RPC calls |
 | `solders` | Offline transaction signing (client) |
-| `bleak` | BLE transport (optional) |
-| `meshtastic` | LoRa transport (optional) |
+| `bleak` | Experimental desktop BLE research dependency |
+| `meshtastic` | Experimental Meshtastic research dependency |
 | `qrcode` | Wallet QR display (optional) |
 
 ### Node.js (managed by `npm install`)
@@ -183,7 +231,12 @@ BLE and Meshtastic / LoRa interfaces are also configured (disabled by default; e
 
 Transactions sent over the mesh can be delayed by minutes or hours. A [durable nonce account](https://docs.solana.com/developing/programming-model/transactions#durable-transaction-nonces) replaces the expiring blockhash so the signed transaction stays valid until it lands on-chain.
 
-`setup.sh --wallet-setup` generates a signing keypair and creates a nonce account on your behalf (~0.00145 SOL rent-exempt deposit, recoverable).
+`setup.sh --wallet-setup` is intentionally interactive. It generates a signing
+keypair and can create a nonce account on your behalf after confirmation
+(~0.00145 SOL rent-exempt deposit, recoverable). Review the prompts before using
+it with a funded wallet. Generated and reused wallet keypair JSON files, plus
+generated nonce keypair files, are restricted to owner-only `0600` permissions.
+Private key reads and writes reject final symlinks and non-regular files.
 
 The client partially signs the transaction (payer slot); the beacon co-signs (broadcaster slot) before submitting to Solana.
 
@@ -196,3 +249,7 @@ sudo systemctl start anonmesh-beacon
 sudo systemctl status anonmesh-beacon
 journalctl -u anonmesh-beacon -f
 ```
+
+`--systemd` requires `sudo`, writes `/etc/systemd/system/anon0mesh-beacon.service`,
+and enables the service for boot. Run it only when persistent beacon operation is
+intended.
diff --git a/arcium_client.py b/arcium_client.py
index 9f181bd..5864d3f 100644
--- a/arcium_client.py
+++ b/arcium_client.py
@@ -39,6 +39,7 @@
 from pathlib import Path
 from typing import Optional
 
+Pubkey = None
 try:
     from solders.keypair import Keypair
     from solders.pubkey  import Pubkey
@@ -48,7 +49,10 @@
 except ImportError:
     HAS_SOLANA = False
 
-from shared import log_info, log_ok, log_warn, log_err
+from shared import (
+    load_dotenv_private, read_private_file,
+    log_info, log_ok, log_warn, log_err, redact_urls,
+)
 
 # ── Constants ──────────────────────────────────────────────────────────────────
 # declare_id! in programs/ble-revshare/src/lib.rs + Anchor.toml [programs.devnet]
@@ -63,6 +67,61 @@
 POLL_INTERVAL          = 2.0
 POLL_TIMEOUT           = 120.0
 SHIM_PATH              = Path(__file__).parent / "rescue_shim.mjs"
+_MAX_U32               = (1 << 32) - 1
+_MAX_U64               = (1 << 64) - 1
+_MAX_U128              = (1 << 128) - 1
+_MAX_FIELD_VALUE       = (1 << 256) - 1
+_MAX_RESCUE_VALUES     = 100
+
+
+def _is_fixed_hex(value: object, byte_length: int) -> bool:
+    if not isinstance(value, str) or len(value) != byte_length * 2:
+        return False
+    try:
+        return len(bytes.fromhex(value)) == byte_length
+    except ValueError:
+        return False
+
+
+def _is_byte_array(value: object, byte_length: int) -> bool:
+    return (
+        isinstance(value, list)
+        and len(value) == byte_length
+        and all(isinstance(item, int) and not isinstance(item, bool) and 0 <= item <= 255 for item in value)
+    )
+
+
+def _is_solana_pubkey(value: object) -> bool:
+    if Pubkey is None or not isinstance(value, str):
+        return False
+    try:
+        Pubkey.from_string(value)
+    except (TypeError, ValueError):
+        return False
+    return True
+
+
+def _is_bounded_decimal(value: object, maximum: int) -> bool:
+    if (
+        not isinstance(value, str)
+        or not value.isascii()
+        or not value.isdecimal()
+        or len(value) > len(str(maximum))
+    ):
+        return False
+    return int(value) <= maximum
+
+
+def _is_field_value(value: object) -> bool:
+    return isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= _MAX_FIELD_VALUE
+
+
+def _are_ciphertexts(value: object) -> bool:
+    return (
+        isinstance(value, list)
+        and 0 < len(value) <= _MAX_RESCUE_VALUES
+        and all(_is_byte_array(ciphertext, 32) for ciphertext in value)
+    )
 
 
 # ── Shim helpers ───────────────────────────────────────────────────────────────
@@ -91,33 +150,81 @@ def _run_shim(*args: str, stdin_data: str | None = None, timeout: int = 60) -> d
         data = json.loads(result.stdout)
     except json.JSONDecodeError:
         raw = result.stderr.strip() or result.stdout.strip()
-        raise RuntimeError(f"shim non-JSON output (exit {result.returncode}): {raw[:300]}")
+        raise RuntimeError(f"shim non-JSON output (exit {result.returncode}): {redact_urls(raw[:300])}")
+    if not isinstance(data, dict):
+        raise RuntimeError(f"shim returned non-object JSON (exit {result.returncode})")
+    if result.returncode != 0:
+        error = data.get("error") or result.stderr.strip() or f"shim error (exit {result.returncode})"
+        raise RuntimeError(redact_urls(str(error)))
     if not data.get("ok"):
-        raise RuntimeError(data.get("error") or f"shim error (exit {result.returncode})")
+        error = data.get("error") or f"shim error (exit {result.returncode})"
+        raise RuntimeError(redact_urls(str(error)))
     return data
 
 
 def rescue_keygen() -> tuple[str, str]:
     data = _run_shim("keygen")
-    return data["privkey_hex"], data["pubkey_hex"]
+    private_key = data.get("privkey_hex")
+    public_key = data.get("pubkey_hex")
+    if not _is_fixed_hex(private_key, 32) or not _is_fixed_hex(public_key, 32):
+        raise ValueError("shim keygen returned invalid keys")
+    return private_key, public_key
 
 
 def rescue_encrypt(mxe_pubkey_hex: str, values: list[int], nonce_hex: str | None = None) -> dict:
-    args = ["encrypt", mxe_pubkey_hex, json.dumps(values)]
-    if nonce_hex:
+    if (
+        not _is_fixed_hex(mxe_pubkey_hex, 32)
+        or not isinstance(values, list)
+        or not 0 < len(values) <= _MAX_RESCUE_VALUES
+        or any(not _is_field_value(value) for value in values)
+        or (nonce_hex is not None and not _is_fixed_hex(nonce_hex, 16))
+    ):
+        raise ValueError("invalid encrypt request")
+    args = ["encrypt", mxe_pubkey_hex]
+    if nonce_hex is not None:
         args.append(nonce_hex)
-    return _run_shim(*args)
+    data = _run_shim(*args, stdin_data=json.dumps(values))
+    ciphertexts = data.get("ciphertexts")
+    if (
+        not isinstance(ciphertexts, list)
+        or len(ciphertexts) != len(values)
+        or any(not _is_byte_array(ciphertext, 32) for ciphertext in ciphertexts)
+        or not _is_fixed_hex(data.get("pubkey_hex"), 32)
+        or not _is_fixed_hex(data.get("nonce_hex"), 16)
+        or not _is_bounded_decimal(data.get("nonce_bn"), _MAX_U128)
+        or not _is_fixed_hex(data.get("shared_secret_hex"), 32)
+    ):
+        raise ValueError("shim encrypt returned invalid payload")
+    return data
 
 
 def rescue_decrypt(shared_secret_hex: str, ciphertexts: list[list[int]], nonce_hex: str) -> list[int]:
     # shared_secret_hex is sensitive — pass via stdin, not as a CLI arg
+    if (
+        not _is_fixed_hex(shared_secret_hex, 32)
+        or not _are_ciphertexts(ciphertexts)
+        or not _is_fixed_hex(nonce_hex, 16)
+    ):
+        raise ValueError("invalid decrypt request")
     data = _run_shim("decrypt", json.dumps(ciphertexts), nonce_hex, stdin_data=shared_secret_hex)
-    return [int(v) for v in data["values"]]
+    values = data.get("values")
+    if (
+        not isinstance(values, list)
+        or len(values) != len(ciphertexts)
+        or any(not _is_bounded_decimal(value, _MAX_FIELD_VALUE) for value in values)
+    ):
+        raise ValueError("shim decrypt returned invalid values")
+    return [int(value) for value in values]
 
 
 def rescue_shared_secret(privkey_hex: str, mxe_pubkey_hex: str) -> str:
     # privkey_hex is sensitive — pass via stdin, not as a CLI arg
-    return _run_shim("shared_secret", mxe_pubkey_hex, stdin_data=privkey_hex)["shared_secret_hex"]
+    if not _is_fixed_hex(privkey_hex, 32) or not _is_fixed_hex(mxe_pubkey_hex, 32):
+        raise ValueError("invalid shared_secret request")
+    shared_secret = _run_shim("shared_secret", mxe_pubkey_hex, stdin_data=privkey_hex).get("shared_secret_hex")
+    if not _is_fixed_hex(shared_secret, 32):
+        raise ValueError("shim shared_secret returned an invalid key")
+    return shared_secret
 
 
 # ── ArciumBeaconClient ─────────────────────────────────────────────────────────
@@ -146,6 +253,14 @@ def __init__(
     ):
         if not HAS_SOLANA:
             raise ImportError("pip install solders solana")
+        if not isinstance(rpc_url, str) or not rpc_url:
+            raise ValueError("Arcium RPC URL must be a non-empty string")
+        if not _is_fixed_hex(mxe_pubkey_hex, 32):
+            raise ValueError("Arcium MXE public key must be 32 hexadecimal bytes")
+        if isinstance(cluster_offset, bool) or not isinstance(cluster_offset, int) or not 0 <= cluster_offset <= _MAX_U32:
+            raise ValueError(f"Arcium cluster offset must be between 0 and {_MAX_U32}")
+        if not _is_solana_pubkey(program_id):
+            raise ValueError("Arcium MXE program ID must be a Solana public key")
         self.rpc_url        = rpc_url
         self.payer          = payer_keypair
         self.mxe_pubkey_hex = mxe_pubkey_hex
@@ -187,6 +302,25 @@ async def log_payment_stats(
             broadcaster_token_account = os.getenv("ARCIUM_BROADCASTER_TOKEN_ACCOUNT") or None
         treasury_token_account = os.getenv("ARCIUM_TREASURY_TOKEN_ACCOUNT") or None
 
+        account_fields = (
+            payer_token_account,
+            recipient,
+            recipient_token_account,
+            mint,
+            broadcaster,
+        )
+        optional_account_fields = (broadcaster_token_account, treasury_token_account)
+        if (
+            isinstance(amount, bool)
+            or not isinstance(amount, int)
+            or not 0 <= amount <= _MAX_U64
+            or any(not _is_solana_pubkey(value) for value in account_fields)
+            or any(value is not None and not _is_solana_pubkey(value) for value in optional_account_fields)
+        ):
+            message = "invalid Arcium payment metadata"
+            log_err(message)
+            return {"status": "error", "message": message}
+
         # The shim handles encryption (x25519 + RescueCipher) using mxePubkeyHex directly.
         shim_args = json.dumps({
             "rpcUrl":                     self.rpc_url,
@@ -209,11 +343,15 @@ async def log_payment_stats(
             # shim_args contains payerKeypairHex — pass via stdin to keep it
             # out of the process argument list (/proc/<pid>/cmdline / ps aux)
             result = _run_shim("execute_payment", stdin_data=shim_args, timeout=60)
-            log_ok(f"Payment stats logged  sig={result['signature'][:20]}...")
-            return {"status": "ok", "signature": result["signature"]}
+            signature = result.get("signature")
+            if not isinstance(signature, str) or not signature:
+                raise ValueError("shim execute_payment returned an invalid signature")
+            log_ok(f"Payment stats logged  sig={signature[:20]}...")
+            return {"status": "ok", "signature": signature}
         except Exception as exc:
-            log_err(f"execute_payment failed: {exc}")
-            return {"status": "error", "message": str(exc)}
+            error = redact_urls(str(exc))
+            log_err(f"execute_payment failed: {error}")
+            return {"status": "error", "message": error}
 
     async def close(self):
         if self._client:
@@ -243,28 +381,42 @@ class ArciumBeacon:
 
     def __init__(self, client: ArciumBeaconClient | None):
         self._client = client
-        self._loop   = asyncio.new_event_loop()
-        self._thread = threading.Thread(target=self._loop.run_forever, daemon=True)
+        self._loop   = None
+        self._thread = None
         self.enabled = client is not None
         if self.enabled:
+            self._loop = asyncio.new_event_loop()
+            self._thread = threading.Thread(target=self._loop.run_forever, daemon=True)
             self._thread.start()
             fut = asyncio.run_coroutine_threadsafe(self._client.connect(), self._loop)
             try:
                 fut.result(timeout=15)
             except Exception as exc:
-                log_err(f"Arcium init failed: {exc}")
+                log_err(f"Arcium init failed: {redact_urls(str(exc))}")
                 self.enabled = False
+                self._cleanup_failed_init(fut)
+
+    def _cleanup_failed_init(self, connect_future) -> None:
+        """Bound cleanup after a failed or timed-out asynchronous connect."""
+        connect_future.cancel()
+        try:
+            close_future = asyncio.run_coroutine_threadsafe(self._client.close(), self._loop)
+            close_future.result(timeout=5)
+        except Exception as exc:
+            log_warn(f"Arcium cleanup failed: {redact_urls(str(exc))}")
+        finally:
+            self._loop.call_soon_threadsafe(self._loop.stop)
+            self._thread.join(timeout=5)
+            if self._thread.is_alive():
+                log_warn("Arcium cleanup timed out while stopping event loop")
+            else:
+                self._loop.close()
 
     @classmethod
     def from_env(cls) -> "ArciumBeacon":
         # Auto-load .env
         env_file = Path(__file__).parent / ".env"
-        if env_file.exists():
-            for line in env_file.read_text().splitlines():
-                line = line.strip()
-                if line and not line.startswith("#") and "=" in line:
-                    k, v = line.split("=", 1)
-                    os.environ.setdefault(k.strip(), v.strip())
+        load_dotenv_private(env_file)
 
         if os.getenv("ARCIUM_ENABLED", "0") != "1":
             log_info("Arcium disabled (ARCIUM_ENABLED != 1)")
@@ -289,10 +441,11 @@ def from_env(cls) -> "ArciumBeacon":
 
         try:
             kp_path = os.path.expanduser(required["ARCIUM_PAYER_KEYPAIR"])
-            with open(kp_path) as f:
-                payer = Keypair.from_bytes(bytes(json.load(f)))
+            payer = Keypair.from_bytes(bytes(json.loads(read_private_file(kp_path))))
 
             cluster_offset = int(os.getenv("ARCIUM_CLUSTER_OFFSET", str(CLUSTER_OFFSET_DEVNET)))
+            if not 0 <= cluster_offset <= _MAX_U32:
+                raise ValueError(f"ARCIUM_CLUSTER_OFFSET must be between 0 and {_MAX_U32}")
             program_id     = os.getenv("ARCIUM_MXE_PROGRAM_ID", MXE_PROGRAM_ID)
 
             client = ArciumBeaconClient(
@@ -305,8 +458,8 @@ def from_env(cls) -> "ArciumBeacon":
             log_ok(f"Arcium client ready  program={program_id[:16]}...  cluster={cluster_offset}")
             return cls(client)
 
-        except (KeyError, FileNotFoundError) as exc:
-            log_err(f"Arcium env error: {exc}")
+        except Exception as exc:
+            log_err(f"Arcium env error: {redact_urls(str(exc))}")
             return cls(None)
 
     def log_payment_stats(
@@ -335,8 +488,8 @@ def _run():
             try:
                 return fut.result(timeout=POLL_TIMEOUT + 15)
             except Exception as exc:
-                log_err(f"Arcium log_payment_stats failed: {exc}")
+                log_err(f"Arcium log_payment_stats failed: {redact_urls(str(exc))}")
 
         # Run in background thread — don't block the RPC response to the client
         threading.Thread(target=_run, daemon=True).start()
-        return {"status": "queued"}
\ No newline at end of file
+        return {"status": "queued"}
diff --git a/beacon.py b/beacon.py
index fabf54b..b0981db 100644
--- a/beacon.py
+++ b/beacon.py
@@ -12,7 +12,7 @@
 -----
   python beacon.py                          # devnet, auto config
   python beacon.py --network mainnet        # mainnet-beta
-  python beacon.py --rpc https://my.node   # custom RPC endpoint
+  SOLANA_RPC_URL=https://my.node python beacon.py  # custom RPC endpoint
   python beacon.py --config ~/.reticulum   # custom RNS config dir
 
 The beacon prints its DESTINATION HASH on startup.
@@ -26,6 +26,7 @@
 import sys
 import time
 import argparse
+import hashlib
 import os
 import json
 import threading
@@ -33,16 +34,10 @@
 # ── SSL cert fix — must happen before importing requests ──────────────────────
 # If certifi's .pem is missing (broken venv), fall back to the system bundle.
 import certifi as _certifi
-if not os.path.isfile(_certifi.where()):
-    _system_certs = "/etc/ssl/certs/ca-certificates.crt"
-    if os.path.isfile(_system_certs):
-        os.environ["REQUESTS_CA_BUNDLE"] = _system_certs
-        os.environ["SSL_CERT_FILE"]      = _system_certs
-# Also respect .env override
-_env_cert = os.getenv("REQUESTS_CA_BUNDLE", "")
-if _env_cert and os.path.isfile(_env_cert):
-    os.environ["REQUESTS_CA_BUNDLE"] = _env_cert
-    os.environ["SSL_CERT_FILE"]      = _env_cert
+_SYSTEM_CERTS = "/etc/ssl/certs/ca-certificates.crt"
+if not os.path.isfile(_certifi.where()) and os.path.isfile(_SYSTEM_CERTS):
+    os.environ.setdefault("REQUESTS_CA_BUNDLE", _SYSTEM_CERTS)
+    os.environ.setdefault("SSL_CERT_FILE", _SYSTEM_CERTS)
 
 import requests
 
@@ -78,8 +73,12 @@ def _safe_synthesize_tunnel(interface):
 # ── Local ──────────────────────────────────────────────────────────────────────
 from shared import (
     APP_NAME, APP_ASPECT, RPC_PATH, ANNOUNCE_DATA,
-    SOLANA_ENDPOINTS, RNS_REQUEST_TIMEOUT,
-    decode_json, build_response, compress_response,
+    SOLANA_ENDPOINTS, RNS_REQUEST_TIMEOUT, MAX_MESH_REQUEST_BYTES, MAX_MESH_RESPONSE_BYTES,
+    MAX_RENDERED_LOG_LINES,
+    ResponseSizeLimitError, decode_json, decode_rpc_response, build_response, compress_response,
+    read_limited_http_body, redact_url, rpc_error_message,
+    load_dotenv_private, positive_int, read_private_file,
+    restrict_private_file_permissions, save_private_identity,
     banner, log_info, log_ok, log_warn, log_err, log_tx,
     BOLD, CYAN, GREEN, RESET, DIM,
 )
@@ -87,12 +86,7 @@ def _safe_synthesize_tunnel(interface):
 # ── Auto-load .env if present ─────────────────────────────────────────────────
 from pathlib import Path
 _env_file = Path(__file__).parent / ".env"
-if _env_file.exists():
-    for _line in _env_file.read_text().splitlines():
-        _line = _line.strip()
-        if _line and not _line.startswith("#") and "=" in _line:
-            _k, _v = _line.split("=", 1)
-            os.environ.setdefault(_k.strip(), _v.strip())
+load_dotenv_private(_env_file)
 
 # ── Arcium MPC integration (optional — enabled via ARCIUM_ENABLED=1) ───────────
 try:
@@ -105,6 +99,7 @@ def _safe_synthesize_tunnel(interface):
 try:
     import base64 as _base64
     from solders.keypair    import Keypair     as _Keypair
+    from solders.pubkey     import Pubkey      as _Pubkey
     from solders.transaction import Transaction as _Transaction
     from solders.hash        import Hash        as _Hash
     HAS_SOLDERS = True
@@ -120,6 +115,14 @@ def _safe_synthesize_tunnel(interface):
 request_count           = 0
 request_lock            = threading.Lock()
 
+# ── Co-sign transaction allowlist ──────────────────────────────────────────────
+_SYSTEM_PROGRAM_ID = "11111111111111111111111111111111"
+_ATA_PROGRAM_ID = "ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL"
+_MXE_PROGRAM_ID = "7xeQNUggKc2e5q6AQxsFBLBkXGg2p54kSx11zVainMks"
+_EXECUTE_PAYMENT_DISC = hashlib.sha256(b"global:execute_payment").digest()[:8]
+_ADVANCE_NONCE_DATA = b"\x04\x00\x00\x00"
+_MAX_U64 = (1 << 64) - 1
+
 # ═══════════════════════════════════════════════════════════════════════════════
 # RPC Forwarding
 # ═══════════════════════════════════════════════════════════════════════════════
@@ -128,6 +131,74 @@ def _safe_synthesize_tunnel(interface):
 # Arcium co-sign handlers  (getBeaconPubkey / cosignTransaction)
 # ═══════════════════════════════════════════════════════════════════════════════
 
+def _message_key_is_writable(message, index: int) -> bool:
+    header = message.header
+    if index < header.num_required_signatures:
+        return index < header.num_required_signatures - header.num_readonly_signed_accounts
+    return index < len(message.account_keys) - header.num_readonly_unsigned_accounts
+
+
+def _validate_cosign_transaction(tx) -> str | None:
+    """Return a rejection reason unless tx is the narrow execute_payment shape."""
+    try:
+        tx.sanitize()
+        message = tx.message
+        keys = list(message.account_keys)
+        signer_keys = list(message.signer_keys())
+        beacon_pubkey = beacon_cosign_keypair.pubkey()
+
+        if len(signer_keys) != 2 or signer_keys[1] != beacon_pubkey:
+            return "expected payer and beacon broadcaster signers"
+        beacon_index = keys.index(beacon_pubkey)
+        if _message_key_is_writable(message, beacon_index):
+            return "beacon broadcaster must be read-only"
+
+        signature_results = tx.verify_with_results()
+        if len(signature_results) != 2 or not signature_results[0]:
+            return "payer signature is missing or invalid"
+
+        instructions = list(message.instructions)
+        if len(instructions) < 2:
+            return "expected nonce advance and execute_payment instructions"
+
+        first = instructions[0]
+        if (
+            str(keys[first.program_id_index]) != _SYSTEM_PROGRAM_ID
+            or bytes(first.data) != _ADVANCE_NONCE_DATA
+            or beacon_index in first.accounts
+        ):
+            return "first instruction must advance a payer-authorized durable nonce"
+
+        for instruction in instructions[1:-1]:
+            accounts = list(instruction.accounts)
+            beacon_positions = [
+                index for index, account_index in enumerate(accounts)
+                if account_index == beacon_index
+            ]
+            if (
+                str(keys[instruction.program_id_index]) != _ATA_PROGRAM_ID
+                or bytes(instruction.data) != b"\x01"
+                or len(accounts) != 6
+                or beacon_positions not in ([], [2])
+            ):
+                return "only idempotent ATA creation may precede execute_payment"
+
+        final = instructions[-1]
+        final_accounts = list(final.accounts)
+        if (
+            str(keys[final.program_id_index]) != _MXE_PROGRAM_ID
+            or len(final_accounts) != 21
+            or final_accounts[1] != beacon_index
+            or final_accounts.count(beacon_index) != 1
+            or len(final.data) != 104
+            or not bytes(final.data).startswith(_EXECUTE_PAYMENT_DISC)
+        ):
+            return "final instruction must be the allowlisted execute_payment shape"
+    except Exception:
+        return "malformed transaction"
+    return None
+
+
 def _handle_get_beacon_pubkey(req_id: int) -> bytes:
     """Return the beacon's co-signing pubkey so clients can build co-sign txs."""
     if not HAS_SOLDERS or beacon_cosign_keypair is None:
@@ -146,12 +217,16 @@ def _handle_cosign_transaction(params: list, req_id: int, count: int) -> bytes:
     """
     if not HAS_SOLDERS or beacon_cosign_keypair is None:
         return build_response(error="Beacon co-signing keypair not configured", req_id=req_id)
-    if not params or not isinstance(params[0], str):
+    if not isinstance(params, list) or not params or not isinstance(params[0], str):
         return build_response(error="cosignTransaction: params[0] must be a base64 tx", req_id=req_id)
 
     try:
-        tx_bytes = _base64.b64decode(params[0])
+        tx_bytes = _base64.b64decode(params[0], validate=True)
         tx       = _Transaction.from_bytes(tx_bytes)
+        rejection = _validate_cosign_transaction(tx)
+        if rejection:
+            log_warn(f"[#{count}] Co-sign rejected: {rejection}")
+            return build_response(error=f"Co-sign rejected: {rejection}", req_id=req_id)
         bh       = tx.message.recent_blockhash
         tx.partial_sign([beacon_cosign_keypair], bh)
         fully_signed_b64 = _base64.b64encode(bytes(tx)).decode()
@@ -175,11 +250,13 @@ def _dispatch_cosign(method: str, params: list, req_id: int, count: int) -> "byt
     return None
 
 
-def _resolve_arcium_meta(params: list) -> dict:
+def _resolve_arcium_meta(params: object) -> dict:
     """Extract arcium metadata from params and fill missing token fields from env."""
     meta = {}
-    if len(params) > 1 and isinstance(params[1], dict):
-        meta = params[1].get("arcium", {})
+    if isinstance(params, list) and len(params) > 1 and isinstance(params[1], dict):
+        candidate = params[1].get("arcium", {})
+        if isinstance(candidate, dict):
+            meta = candidate
     if not meta.get("mint"):
         meta = dict(meta, mint=os.getenv("ARCIUM_MINT", ""))
     if not meta.get("payer_ta"):
@@ -193,18 +270,54 @@ def _resolve_arcium_meta(params: list) -> dict:
     return meta
 
 
+def _is_solana_pubkey(value: object) -> bool:
+    if not HAS_SOLDERS or not isinstance(value, str):
+        return False
+    try:
+        _Pubkey.from_string(value)
+    except (TypeError, ValueError):
+        return False
+    return True
+
+
 def _fire_arcium_stats(meta: dict, count: int, label: str) -> None:
-    """Call arcium.log_payment_stats if amount, mint, and payer_ta are present."""
+    """Queue Arcium stats only after required payment metadata validates locally."""
     if not arcium or not arcium.enabled:
         return
-    missing = [k for k in ("amount", "mint", "payer_ta") if not meta.get(k)]
+    missing = [k for k in ("amount", "mint", "payer_ta", "recipient", "recipient_ta") if not meta.get(k)]
     if missing:
         log_warn(f"[#{count}] Arcium skipped — missing: {', '.join(missing)}"
-                 f"  (set ARCIUM_MINT / ARCIUM_PAYER_TOKEN_ACCOUNT in .env)")
+                 f"  (set account env vars and include per-payment recipient metadata)")
+        return
+    raw_amount = meta["amount"]
+    if isinstance(raw_amount, bool):
+        amount = None
+    elif isinstance(raw_amount, int):
+        amount = raw_amount
+    elif (
+        isinstance(raw_amount, str)
+        and raw_amount.isascii()
+        and raw_amount.isdecimal()
+        and len(raw_amount) <= 20
+    ):
+        amount = int(raw_amount)
+    else:
+        amount = None
+    account_fields = (
+        "mint", "payer_ta", "recipient", "recipient_ta", "broadcaster", "broadcaster_ta",
+    )
+    if amount is None or not 0 <= amount <= _MAX_U64:
+        log_warn(f"[#{count}] Arcium skipped — amount must be a u64 integer")
+        return
+    if any(key in meta and not isinstance(meta[key], str) for key in account_fields):
+        log_warn(f"[#{count}] Arcium skipped — account metadata must be strings")
+        return
+    if any(meta.get(key) and not _is_solana_pubkey(meta[key]) for key in account_fields):
+        log_warn(f"[#{count}] Arcium skipped — account metadata must be valid Solana public keys")
         return
     try:
         arcium.log_payment_stats(
-            amount                    = int(meta["amount"]),
+            amount                    = amount,
             payer_token_account       = meta["payer_ta"],
             recipient                 = meta.get("recipient", ""),
             recipient_token_account   = meta.get("recipient_ta", ""),
@@ -217,14 +330,14 @@ def _fire_arcium_stats(meta: dict, count: int, label: str) -> None:
         log_err(f"[#{count}] Arcium execute_payment failed: {exc}")
 
 
-def _maybe_log_arcium_stats(params: list, result_bytes: bytes, count: int) -> None:
+def _maybe_log_arcium_stats(params: object, result_bytes: bytes, count: int) -> None:
     """
     Fire-and-forget: log encrypted payment stats to the Arcium MXE after a
     successful sendTransaction.  Never raises — must not block the response.
     """
     try:
         parsed_result = decode_json(result_bytes)
-        if not ("result" in parsed_result and isinstance(parsed_result["result"], str)):
+        if not isinstance(parsed_result, dict) or not isinstance(parsed_result.get("result"), str):
             return
         _fire_arcium_stats(_resolve_arcium_meta(params), count, "fire-and-forget")
     except Exception:
@@ -235,49 +348,85 @@ def _maybe_log_arcium_stats(params: list, result_bytes: bytes, count: int) -> No
 # RPC Forwarding
 # ═══════════════════════════════════════════════════════════════════════════════
 
+def _requests_verify_bundle() -> str | bool:
+    """Choose the configured CA bundle without disabling TLS verification."""
+    override = os.getenv("REQUESTS_CA_BUNDLE") or os.getenv("SSL_CERT_FILE")
+    if override:
+        return override
+    certifi_bundle = _certifi.where()
+    if os.path.isfile(certifi_bundle):
+        return certifi_bundle
+    if os.path.isfile(_SYSTEM_CERTS):
+        return _SYSTEM_CERTS
+    return True
+
+
 def forward_plain_rpc(req: dict, req_id: int, count: int, method: str) -> bytes:
     """Forward a JSON-RPC request to the Solana HTTP endpoint and return raw bytes."""
     try:
-        # Determine SSL cert path — fall back to system bundle if certifi is broken
-        import certifi as _c
-        _cert = _c.where() if os.path.isfile(_c.where()) else "/etc/ssl/certs/ca-certificates.crt"
-
         http_resp = requests.post(
             rpc_endpoint,
             json=req,
             timeout=20,
             headers={"Content-Type": "application/json"},
-            verify=_cert,
+            verify=_requests_verify_bundle(),
+            stream=True,
         )
-        http_resp.raise_for_status()
         try:
-            parsed = http_resp.json()
-            if "result" in parsed:
-                log_ok(f"[#{count}] Solana ✔  method={method}  type={type(parsed['result']).__name__}")
-            elif "error" in parsed:
-                log_warn(f"[#{count}] Solana error: {parsed['error'].get('message', '?')}")
-                logs = parsed["error"].get("data", {}) or {}
-                for line in (logs.get("logs") or []):
-                    log_warn(f"  sim> {line}")
-        except Exception:
-            pass
-        return http_resp.content
+            http_resp.raise_for_status()
+            try:
+                result_bytes = read_limited_http_body(http_resp, MAX_MESH_RESPONSE_BYTES)
+            except ResponseSizeLimitError:
+                log_err(f"[#{count}] Solana RPC response exceeds mesh size limit")
+                return build_response(error="Solana RPC response exceeds mesh size limit", req_id=req_id)
+        finally:
+            http_resp.close()
+        try:
+            parsed = decode_rpc_response(result_bytes)
+        except (UnicodeDecodeError, json.JSONDecodeError, ValueError):
+            log_err(f"[#{count}] Solana RPC returned invalid JSON-RPC response")
+            return build_response(error="Solana RPC returned invalid JSON-RPC response", req_id=req_id)
+        if "result" in parsed:
+            log_ok(f"[#{count}] Solana ✔  method={method}  type={type(parsed['result']).__name__}")
+        else:
+            error = parsed["error"]
+            log_warn(f"[#{count}] Solana error: {rpc_error_message(error)}")
+            if isinstance(error, dict):
+                logs = error.get("data", {}) or {}
+                if isinstance(logs, dict):
+                    sim_logs = logs.get("logs")
+                    if isinstance(sim_logs, list):
+                        for line in sim_logs[:MAX_RENDERED_LOG_LINES]:
+                            if isinstance(line, str):
+                                log_warn(f"  sim> {line}")
+                        if len(sim_logs) > MAX_RENDERED_LOG_LINES:
+                            log_warn(f"  sim> ... {len(sim_logs) - MAX_RENDERED_LOG_LINES} more lines omitted")
+        return result_bytes
     except requests.exceptions.Timeout:
         log_err(f"[#{count}] Solana RPC timeout  method={method}")
         return build_response(error="Solana RPC timeout", req_id=req_id)
     except requests.exceptions.ConnectionError as exc:
-        log_err(f"[#{count}] Solana connection error: {exc}")
-        return build_response(error=f"Solana connection error: {exc}", req_id=req_id)
+        log_err(
+            f"[#{count}] Solana connection error: {type(exc).__name__} "
+            f"contacting {redact_url(rpc_endpoint)}"
+        )
+        return build_response(error="Solana RPC connection error", req_id=req_id)
+    except requests.exceptions.RequestException as exc:
+        log_err(
+            f"[#{count}] Solana request error: {type(exc).__name__} "
+            f"contacting {redact_url(rpc_endpoint)}"
+        )
+        return build_response(error="Solana RPC request failed", req_id=req_id)
     except Exception as exc:
-        log_err(f"[#{count}] Unexpected error: {exc}")
-        return build_response(error=str(exc), req_id=req_id)
+        log_err(f"[#{count}] Unexpected forwarding error: {type(exc).__name__}")
+        return build_response(error="Solana RPC forwarding failed", req_id=req_id)
 
 
 def forward_to_solana(raw_request: bytes) -> bytes:
     """
     Route an incoming JSON-RPC request:
-      - Encrypted getBalance  → Arcium MPC (confidential, beacon never sees address/balance)
-      - Everything else       → plain Solana RPC
+      - Co-sign protocol methods → locally validated beacon handlers
+      - Everything else          → plain Solana RPC
     """
     global request_count
 
@@ -287,6 +436,10 @@ def forward_to_solana(raw_request: bytes) -> bytes:
         log_err(f"Failed to parse RPC payload: {exc}")
         return build_response(error=f"Invalid JSON payload: {exc}")
 
+    if not isinstance(req, dict):
+        log_err("Failed to parse RPC payload: expected a JSON object")
+        return build_response(error="Invalid JSON-RPC payload: expected object")
+
     method = req.get("method", "?")
     req_id = req.get("id", 1)
     params = req.get("params", [])
@@ -330,8 +483,11 @@ def rpc_request_handler(path, data, request_id, link_id, remote_identity, reques
         RNS.prettyhexrep(remote_identity.hash)
         if remote_identity else "anonymous"
     )
-    log_info(f"Request from {remote_id_str}  path={path}  size={len(data)}B")
-    raw = forward_to_solana(bytes(data))
+    data_bytes = bytes(data)
+    log_info(f"Request from {remote_id_str}  path={path}  size={len(data_bytes)}B")
+    if len(data_bytes) > MAX_MESH_REQUEST_BYTES:
+        return build_response(error="Mesh request exceeds size limit")
+    raw = forward_to_solana(data_bytes)
     compressed = compress_response(raw)
     if len(compressed) < len(raw):
         log_info(f"Compressed response {len(raw)}B → {len(compressed)}B ({100 - len(compressed)*100//len(raw)}% saved)")
@@ -408,14 +564,14 @@ def _test_arcium() -> None:
     except Exception as exc:
         log_warn(f"Layer 0 ✘  rescue_shim.mjs: {exc}")
         log_warn("  Fix: npm install @arcium-hq/client  (in project dir)")
-        log_warn("  Arcium confidential RPC disabled")
+        log_warn("  Arcium payment-stat logging disabled")
         arcium = None
         print()
         return
 
     # ── Layer 1: ArciumBeacon from env ────────────────────────────────────────
     if os.getenv("ARCIUM_ENABLED", "0") != "1":
-        log_info("Layer 1 –  ARCIUM_ENABLED not set — confidential RPC disabled")
+        log_info("Layer 1 –  ARCIUM_ENABLED not set — payment-stat logging disabled")
         log_info("  To enable: add ARCIUM_ENABLED=1 to your .env file")
         arcium = None
         print()
@@ -486,16 +642,18 @@ def _init_reticulum(config_path: str | None) -> None:
     else:
         log_ok("Reticulum started  (Transport identity ready)")
 
-    identity_path = os.path.join(
-        config_path or os.path.expanduser("~/.reticulum"),
-        "anonmesh_beacon_identity",
-    )
-    if os.path.isfile(identity_path):
-        beacon_identity = RNS.Identity.from_file(identity_path)
+    identity_dir = config_path or os.path.expanduser("~/.reticulum")
+    restrict_private_file_permissions(
+        os.path.join(identity_dir, "storage", "transport_identity"))
+    identity_path = os.path.join(identity_dir, "anonmesh_beacon_identity")
+    if os.path.lexists(identity_path):
+        beacon_identity = RNS.Identity.from_bytes(read_private_file(identity_path))
+        if beacon_identity is None:
+            raise OSError("Could not load persisted beacon identity")
         log_info("Loaded persisted beacon identity")
     else:
         beacon_identity = RNS.Identity()
-        beacon_identity.to_file(identity_path)
+        save_private_identity(beacon_identity, identity_path)
         log_ok("Generated new beacon identity (saved)")
 
 
@@ -510,8 +668,8 @@ def _load_cosign_keypair() -> None:
         log_info("ARCIUM_PAYER_KEYPAIR not set — cosignTransaction disabled")
         return
     try:
-        with open(os.path.expanduser(kp_path)) as f:
-            beacon_cosign_keypair = _Keypair.from_bytes(bytes(json.load(f)))
+        kp_path = os.path.expanduser(kp_path)
+        beacon_cosign_keypair = _Keypair.from_bytes(bytes(json.loads(read_private_file(kp_path))))
         log_ok(f"Co-sign keypair ready: {beacon_cosign_keypair.pubkey()}")
     except Exception as exc:
         log_warn(f"Could not load ARCIUM_PAYER_KEYPAIR for co-signing: {exc}")
@@ -525,15 +683,19 @@ def setup_beacon(config_path: str | None, network: str, custom_rpc: str | None,
     global beacon_destination, rpc_endpoint
 
     # ── Choose RPC endpoint ────────────────────────────────────────────────────
+    custom_rpc = custom_rpc or os.getenv("SOLANA_RPC_URL")
     if custom_rpc:
         rpc_endpoint = custom_rpc
-    elif network in SOLANA_ENDPOINTS:
+    elif SOLANA_ENDPOINTS.get(network):
         rpc_endpoint = SOLANA_ENDPOINTS[network]
+    elif network == "custom":
+        log_err("Custom network requires --rpc or SOLANA_RPC_URL")
+        sys.exit(1)
     else:
         log_err(f"Unknown network: {network}. Choose from {list(SOLANA_ENDPOINTS.keys())}")
         sys.exit(1)
 
-    log_info(f"Solana RPC endpoint: {rpc_endpoint}")
+    log_info(f"Solana RPC endpoint: {redact_url(rpc_endpoint)}")
 
     # ── Start Reticulum + load beacon identity ─────────────────────────────────
     _init_reticulum(config_path)
@@ -566,7 +728,7 @@ def setup_beacon(config_path: str | None, network: str, custom_rpc: str | None,
     print(f"{BOLD}{CYAN}┌─ BEACON READY ─────────────────────────────────────────────┐{RESET}")
     print(f"{BOLD}{CYAN}│{RESET}  Destination hash:  {GREEN}{BOLD}{dest_hash}{RESET}")
     print(f"{BOLD}{CYAN}│{RESET}  Network:           {network}")
-    print(f"{BOLD}{CYAN}│{RESET}  RPC endpoint:      {rpc_endpoint}")
+    print(f"{BOLD}{CYAN}│{RESET}  RPC endpoint:      {redact_url(rpc_endpoint)}")
     print(f"{BOLD}{CYAN}│{RESET}  Reticulum config:  {config_path or '~/.reticulum (default)'}")
     print(f"{BOLD}{CYAN}└────────────────────────────────────────────────────────────┘{RESET}")
     print()
@@ -581,7 +743,7 @@ def setup_beacon(config_path: str | None, network: str, custom_rpc: str | None,
     if HAS_ARCIUM_MODULE:
         _test_arcium()
     else:
-        log_warn("arcium_client.py not found — confidential RPC disabled")
+        log_warn("arcium_client.py not found — Arcium payment-stat logging disabled")
 
     # ── Start re-announce thread ───────────────────────────────────────────────
     t = threading.Thread(target=announce_loop, args=(announce_interval,), daemon=True)
@@ -610,12 +772,12 @@ def main():
     parser.add_argument(
         "--rpc",
         default=None,
-        help="Custom Solana RPC URL (overrides --network)",
+        help="Custom Solana RPC URL (overrides --network; prefer SOLANA_RPC_URL for credentials)",
     )
     parser.add_argument(
         "--announce-interval", "-a",
         default=300,
-        type=int,
+        type=positive_int,
         metavar="SECONDS",
         help="Re-announce interval after burst phase (default: 300 s)",
     )
diff --git a/client.py b/client.py
index 3ce8690..f722ea4 100644
--- a/client.py
+++ b/client.py
@@ -33,18 +33,17 @@
 from pathlib import Path
 
 # ── Load .env before any module imports that may read env vars ─────────────────
+from shared import load_dotenv_private
+
 _env = Path(__file__).parent / ".env"
-if _env.exists():
-    for _l in _env.read_text().splitlines():
-        _l = _l.strip()
-        if _l and not _l.startswith("#") and "=" in _l:
-            import os as _os
-            _k, _v = _l.split("=", 1)
-            _os.environ.setdefault(_k.strip(), _v.strip())
+load_dotenv_private(_env)
 
 # ── Module imports (after .env is loaded) ──────────────────────────────────────
 import state
-from shared import banner, log_info, log_ok, log_warn, log_err, YELLOW, GREEN, BOLD, DIM, RESET
+from shared import (
+    banner, log_info, log_ok, log_warn, log_err, positive_int,
+    YELLOW, GREEN, BOLD, DIM, RESET,
+)
 from mesh import BeaconPool, BeaconAnnounceHandler, start_reticulum, connect_all_parallel
 from rpc import (
     get_balance, confidential_get_balance,
@@ -73,11 +72,11 @@ def _build_parser() -> argparse.ArgumentParser:
                         help="Auto-discover beacons via RNS announces")
     parser.add_argument("--strategy", default="race", choices=["race", "fallback"])
     parser.add_argument("--config",   "-c", default=None)
-    parser.add_argument("--timeout",  "-t", default=30, type=int)
+    parser.add_argument("--timeout",  "-t", default=30, type=positive_int)
     parser.add_argument("--no-identify", action="store_true")
     parser.add_argument("--balance",     metavar="ADDRESS")
     parser.add_argument("--cbalance",    metavar="ADDRESS",
-                        help="Confidential balance via Arcium MPC")
+                        help="Unavailable compatibility flag: no MPC balance-query handler exists")
     parser.add_argument("--slot",        action="store_true")
     parser.add_argument("--blockhash",   action="store_true")
     parser.add_argument("--send-tx",     metavar="BASE64_TX")
@@ -144,7 +143,7 @@ def _setup_beacons(args, one_shot: bool) -> None:
     if args.beacon:
         _connect_beacons(args, one_shot)
 
-    if one_shot and args.discover and not args.beacon:
+    if one_shot and args.discover and not state.pool.active_links():
         _wait_for_discover_beacon()
 
     if one_shot:
@@ -155,13 +154,21 @@ def _setup_beacons(args, one_shot: bool) -> None:
 # One-shot command handlers
 # ═══════════════════════════════════════════════════════════════════════════════
 
+def _relay_requested() -> bool:
+    try:
+        return input(_RELAY_PROMPT).strip().lower() == "y"
+    except (EOFError, KeyboardInterrupt):
+        print()
+        return False
+
+
 def _cmd_sign_offline(args) -> None:
     if not (args.from_keypair and args.to and args.lamports):
         log_err("--sign-offline requires --from, --to, --lamports")
         return
     tx_b64 = offline_sign_transfer(
         args.from_keypair, args.to, args.lamports, args.blockhash_value)
-    if tx_b64 and input(_RELAY_PROMPT).strip().lower() == "y":
+    if tx_b64 and _relay_requested():
         send_transaction(tx_b64)
 
 
@@ -181,7 +188,7 @@ def _cmd_sign_nonce_tx(args) -> None:
         args.from_keypair, args.nonce_account, auth_path,
         args.to, args.lamports, args.nonce_value,
     )
-    if tx_b64 and input(_RELAY_PROMPT).strip().lower() == "y":
+    if tx_b64 and _relay_requested():
         send_transaction(tx_b64)
 
 
diff --git a/config/reticulum_rnode.conf b/config/reticulum_rnode.conf
index d45b23f..a5f6f20 100644
--- a/config/reticulum_rnode.conf
+++ b/config/reticulum_rnode.conf
@@ -7,7 +7,7 @@
 #
 # Usage:
 #   cp config/reticulum_rnode.conf ~/.reticulum/config
-#   rnsd  # or just start beacon.py / client.py
+#   umask 077 && rnsd  # or just start beacon.py / client.py
 #
 # Serial port:
 #   macOS:  /dev/cu.usbserial-0001  (or check: ls /dev/cu.usbserial-*)
@@ -82,25 +82,15 @@
     # codingrate      = 5
     # txpower         = 14
 
-# ── BLUETOOTH BLE ────────────────────────────────────────────────────────────
-# Enable if you have BLE support (pip install bleak).
-# Useful for phone-to-beacon pairing or short-range mesh.
-
-  [[BLE Interface]]
-    type    = BLEInterface
-    enabled = no
+# Desktop BLE relay remains experimental. Installing bleak alone does not add a
+# working Reticulum interface, so this supported RNode example does not include
+# a BLE transport block.
 
 # ── PUBLIC TCP HUBS (internet backhaul) ──────────────────────────────────────
 # These provide connectivity to the wider Reticulum network when internet is
 # available. The beacon needs at least one to reach Solana RPC endpoints.
 # The LoRa interface handles the off-grid mesh side.
 
-  [[RNS Testnet BetweenTheBorders]]
-    type        = TCPClientInterface
-    enabled     = yes
-    target_host = reticulum.betweentheborders.com
-    target_port = 4242
-
   [[Beleth RNS Hub]]
     type        = TCPClientInterface
     enabled     = yes
diff --git a/config/tcp_bridge/exit/config b/config/tcp_bridge/exit/config
new file mode 100644
index 0000000..df2d6e5
--- /dev/null
+++ b/config/tcp_bridge/exit/config
@@ -0,0 +1,13 @@
+[reticulum]
+  enable_transport      = True
+  share_instance        = Yes
+  shared_instance_port  = 37432
+  instance_control_port = 37433
+
+[interfaces]
+
+  [[TCP Bridge Client]]
+    type        = TCPClientInterface
+    enabled     = yes
+    target_host = 127.0.0.1
+    target_port = 4243
diff --git a/config/tcp_bridge/relay/config b/config/tcp_bridge/relay/config
new file mode 100644
index 0000000..d39c602
--- /dev/null
+++ b/config/tcp_bridge/relay/config
@@ -0,0 +1,13 @@
+[reticulum]
+  enable_transport      = True
+  share_instance        = Yes
+  shared_instance_port  = 37430
+  instance_control_port = 37431
+
+[interfaces]
+
+  [[TCP Bridge Server]]
+    type        = TCPServerInterface
+    enabled     = yes
+    listen_ip   = 127.0.0.1
+    listen_port = 4243
diff --git a/menu.py b/menu.py
index ab89e5d..2b6f0ce 100644
--- a/menu.py
+++ b/menu.py
@@ -12,16 +12,17 @@
 import sys
 import json
 import threading
+from decimal import Decimal, InvalidOperation
 
 import state
 from shared import (
-    log_info, log_ok, log_warn, log_err,
+    is_u64, log_info, log_ok, log_warn, log_err, rpc_error_message, terminal_safe_text,
     BOLD, CYAN, GREEN, YELLOW, RED, RESET, DIM,
     set_quiet,
 )
 from rpc import (
     rpc_call,
-    get_balance, confidential_get_balance,
+    get_balance,
     get_slot, get_block_height, get_transaction_count, get_recent_blockhash,
     get_token_accounts, send_transaction, simulate_transaction,
     get_nonce_account, get_beacon_pubkey, cosign_and_send,
@@ -41,6 +42,10 @@
 _PROMPT_NONCE_ACCT = "Nonce account pubkey"
 _INVALID_AMOUNT    = "Invalid amount"
 _NO_WALLET         = "No wallet loaded — use WALLET › Generate or Import first"
+_MAX_U32           = (1 << 32) - 1
+_MAX_U64           = (1 << 64) - 1
+_MAX_AMOUNT_TEXT_LENGTH = 512
+_MAX_NONCE_BALANCE_WORKERS = 8
 
 _W              = 56       # visible width of section fill
 _SPINNER_FRAMES = "⠋⠙⠹⠸⠼⠴⠦⠧⠇⠏"
@@ -51,6 +56,61 @@
 # Input helpers
 # ═══════════════════════════════════════════════════════════════════════════════
 
+def _parse_positive_units(raw: str, scale: int) -> int | None:
+    try:
+        if (
+            len(raw) > _MAX_AMOUNT_TEXT_LENGTH
+            or isinstance(scale, bool)
+            or not isinstance(scale, int)
+            or scale <= 0
+        ):
+            raise ValueError
+        value = Decimal(raw)
+    except (InvalidOperation, ValueError):
+        log_warn(_INVALID_AMOUNT)
+        return None
+    if not value.is_finite():
+        log_warn(_INVALID_AMOUNT)
+        return None
+    if value <= 0:
+        log_warn("Amount must be greater than 0")
+        return None
+
+    _, digits, exponent = value.as_tuple()
+    coefficient = int("".join(str(digit) for digit in digits))
+    scaled_coefficient = coefficient * scale
+    if exponent >= 0:
+        if exponent > 19 or scaled_coefficient > _MAX_U64 // (10 ** exponent):
+            log_warn("Amount exceeds maximum supported units")
+            return None
+        units = scaled_coefficient * (10 ** exponent)
+    else:
+        decimal_places = -exponent
+        if decimal_places > len(str(scaled_coefficient)):
+            log_warn("Amount has more decimal places than supported")
+            return None
+        units, remainder = divmod(scaled_coefficient, 10 ** decimal_places)
+        if remainder:
+            log_warn("Amount has more decimal places than supported")
+            return None
+
+    if units > _MAX_U64:
+        log_warn("Amount exceeds maximum supported units")
+        return None
+    return units
+
+
+def _bounded_env_int(name: str, default: str, maximum: int) -> int | None:
+    try:
+        value = int(os.getenv(name, default))
+    except ValueError:
+        value = -1
+    if not 0 <= value <= maximum:
+        log_warn(f"Invalid {name}: expected an integer between 0 and {maximum}")
+        return None
+    return value
+
+
 def _ask(prompt: str) -> str:
     try:
         return input(f"  {CYAN}›{RESET} {prompt}: ").strip()
@@ -188,14 +248,6 @@ def _do_balance():
         get_balance(addr)
 
 
-def _do_cbalance():
-    addr = _ask("Wallet address (blank = active wallet)")
-    if not addr and state.active_wallet:
-        addr = state.active_wallet["pubkey"]
-    if addr:
-        confidential_get_balance(addr)
-
-
 def _do_tokens():
     addr = _ask("Owner address (blank = active wallet)")
     if not addr and state.active_wallet:
@@ -218,7 +270,9 @@ def _fetch_balance_sol(pubkey: str) -> float | None:
         return None
     lamps = resp["result"]
     if isinstance(lamps, dict):
-        lamps = lamps.get("value", 0)
+        lamps = lamps.get("value")
+    if not is_u64(lamps):
+        return None
     return lamps / 1_000_000_000
 
 
@@ -231,7 +285,9 @@ def _select_nonce_account() -> str | None:
         return _ask(_PROMPT_NONCE_ACCT) or None
 
     with _Spinner("Fetching balances…") as sp:
-        with concurrent.futures.ThreadPoolExecutor(max_workers=len(found)) as ex:
+        with concurrent.futures.ThreadPoolExecutor(
+            max_workers=min(len(found), _MAX_NONCE_BALANCE_WORKERS),
+        ) as ex:
             futs = {ex.submit(_fetch_balance_sol, n["pubkey"]): n["pubkey"] for n in found}
             bals = {pk: fut.result() for fut, pk in
                     ((f, futs[f]) for f in concurrent.futures.as_completed(futs))}
@@ -243,7 +299,8 @@ def _select_nonce_account() -> str | None:
         bal_str = (f"  {GREEN}{bal:.9f} SOL{RESET}" if bal is not None
                    else f"  {DIM}balance unknown{RESET}")
         labels.append(
-            f"{n['pubkey'][:8]}…{n['pubkey'][-4:]}  {DIM}{n['path']}{RESET}{bal_str}"
+            f"{n['pubkey'][:8]}…{n['pubkey'][-4:]}  "
+            f"{DIM}{terminal_safe_text(n['path'])}{RESET}{bal_str}"
         )
 
     idx = _pick("Select nonce account", labels)
@@ -272,12 +329,8 @@ def _do_send_sol():
     if not to: return
     raw = _ask(_PROMPT_AMOUNT)
     if not raw: return
-    try:
-        lamports = int(float(raw) * 1_000_000_000)
-    except ValueError:
-        log_warn(_INVALID_AMOUNT); return
-    if lamports <= 0:
-        log_warn("Amount must be greater than 0"); return
+    lamports = _parse_positive_units(raw, 1_000_000_000)
+    if lamports is None: return
 
     tx_b64 = offline_sign_nonce_transfer(
         kp_path, nonce_pubkey, kp_path, to, lamports, nonce_info["nonce"]
@@ -292,11 +345,14 @@ def _broadcast_with_retry(tx_b64: str) -> None:
             if attempt > 1:
                 sp.tick(f"Retry {attempt}/{_MAX_RETRIES}…")
             resp = rpc_call("sendTransaction", [tx_b64, {"encoding": "base64"}])
-            if resp and "result" in resp:
-                sp.done(f"Confirmed  sig: {resp['result'][:20]}…")
-                print(f"\n  {GREEN}{BOLD}Signature:{RESET} {resp['result']}\n")
+            signature = resp.get("result") if isinstance(resp, dict) else None
+            if isinstance(signature, str) and signature:
+                safe_signature = terminal_safe_text(signature)
+                sp.done(f"Confirmed  sig: {safe_signature[:20]}…")
+                print(f"\n  {GREEN}{BOLD}Signature:{RESET} {safe_signature}\n")
                 return
-            err = resp.get("error", {}).get("message", "no response") if resp else "no response"
+            error = resp.get("error") if isinstance(resp, dict) else None
+            err = rpc_error_message(error, default="no response")
             sp.tick(f"Attempt {attempt} failed: {err[:50]}")
         sp.done("All broadcast attempts failed", ok=False)
 
@@ -325,14 +381,11 @@ def _do_arcium_transfer():
     if not mint: return
     raw = _ask("Amount  (token units, e.g. 1.5)")
     if not raw: return
-    try:
-        _WSOL = "So11111111111111111111111111111111111111112"
-        decimals = 9 if mint == _WSOL else int(os.getenv("ARCIUM_TOKEN_DECIMALS", "6"))
-        amount = int(float(raw) * (10 ** decimals))
-    except ValueError:
-        log_warn(_INVALID_AMOUNT); return
-    if amount <= 0:
-        log_warn("Amount must be greater than 0"); return
+    _WSOL = "So11111111111111111111111111111111111111112"
+    decimals = 9 if mint == _WSOL else _bounded_env_int("ARCIUM_TOKEN_DECIMALS", "6", 255)
+    if decimals is None: return
+    amount = _parse_positive_units(raw, 10 ** decimals)
+    if amount is None: return
 
     log_info("Fetching beacon co-signing pubkey…")
     beacon_pk = get_beacon_pubkey()
@@ -341,7 +394,8 @@ def _do_arcium_transfer():
         return
     log_ok(f"Beacon (broadcaster): {beacon_pk}")
 
-    cluster_offset         = int(os.getenv("ARCIUM_CLUSTER_OFFSET", "456"))
+    cluster_offset         = _bounded_env_int("ARCIUM_CLUSTER_OFFSET", "456", _MAX_U32)
+    if cluster_offset is None: return
     broadcaster_ta         = os.getenv("ARCIUM_BROADCASTER_TOKEN_ACCOUNT", "").strip() or None
 
     partial_tx = partial_sign_execute_payment(
@@ -384,10 +438,8 @@ def _do_sign_nonce():
     if not to: return
     raw   = _ask(_PROMPT_AMOUNT)
     if not raw: return
-    try:
-        lamps = int(float(raw) * 1_000_000_000)
-    except ValueError:
-        log_warn(_INVALID_AMOUNT); return
+    lamps = _parse_positive_units(raw, 1_000_000_000)
+    if lamps is None: return
     nval   = _ask("Nonce value  (blank = fetch from chain)")
     tx_b64 = offline_sign_nonce_transfer(kp, nonce, auth or kp, to, lamps, nval or None)
     if tx_b64 and _ask(_RELAY_PROMPT).lower() == "y":
@@ -469,7 +521,6 @@ def _do_raw():
     {"section": _SEC_WALLET,  "label": "Import private key",                   "fn": _do_import_wallet},
     {"section": _SEC_WALLET,  "label": "Copy public key",                      "fn": _do_copy_pubkey},
     {"section": _SEC_WALLET,  "label": "SOL balance",                          "fn": _do_balance},
-    {"section": _SEC_WALLET,  "label": "SOL balance  (confidential · Arcium)", "fn": _do_cbalance},
     {"section": _SEC_WALLET,  "label": "SPL token accounts",                   "fn": _do_tokens},
     {"section": _SEC_SEND,    "label": "Send SOL",                             "fn": _do_send_sol},
     {"section": _SEC_SEND,    "label": "Arcium payment  (beacon co-sign)",     "fn": _do_arcium_transfer},
@@ -532,7 +583,7 @@ def _render_header() -> None:
     if state.active_wallet:
         pk    = state.active_wallet["pubkey"]
         short = f"{pk[:8]}…{pk[-8:]}"
-        path  = state.active_wallet["path"]
+        path  = terminal_safe_text(state.active_wallet["path"])
         print(f"  {GREEN}◆{RESET}  {BOLD}{short}{RESET}  {DIM}{path}{RESET}")
 
     print(bar)
diff --git a/mesh.py b/mesh.py
index 02675b1..bf8b390 100644
--- a/mesh.py
+++ b/mesh.py
@@ -5,6 +5,7 @@
 BeaconLink, BeaconPool, BeaconAnnounceHandler, and startup helpers.
 """
 
+import os
 import time
 import threading
 from typing import Optional
@@ -35,7 +36,8 @@ def _safe_st(interface):
 import state
 from shared import (
     APP_NAME, APP_ASPECT, RPC_PATH, ANNOUNCE_DATA,
-    RNS_REQUEST_TIMEOUT, build_rpc, decode_json, decompress_response,
+    RNS_REQUEST_TIMEOUT, build_rpc, decode_rpc_response, decompress_response,
+    restrict_private_file_permissions, terminal_safe_text,
     log_info, log_ok, log_warn, log_err,
     BOLD, GREEN, RED, RESET, DIM,
 )
@@ -49,6 +51,20 @@ def _safe_st(interface):
 _BACKOFF = [5, 10, 20, 40, 60, 120, 300]
 
 
+def _normalize_dest_hash(dest_hash_hex: str) -> str | None:
+    dest_hash_hex = dest_hash_hex.lower().strip()
+    expected = (RNS.Reticulum.TRUNCATED_HASHLENGTH // 8) * 2
+    if len(dest_hash_hex) != expected:
+        log_err(f"Invalid hash length ({len(dest_hash_hex)} chars, need {expected})")
+        return None
+    try:
+        bytes.fromhex(dest_hash_hex)
+    except ValueError:
+        log_err("Invalid hash: expected hexadecimal characters")
+        return None
+    return dest_hash_hex
+
+
 class BeaconLink:
     """
     Manages one encrypted RNS link to one beacon.
@@ -76,6 +92,7 @@ def __init__(self, dest_hash_hex: str, label: str = ""):
         self.dest_hash      = bytes.fromhex(self.dest_hash_hex)
         self.label          = label or self.dest_hash_hex[:12] + "..."
         self.link: Optional[RNS.Link] = None
+        self._pending_link: Optional[RNS.Link] = None
         self.ready          = threading.Event()
         self.active         = False
         self._lock          = threading.Lock()
@@ -86,10 +103,23 @@ def __init__(self, dest_hash_hex: str, label: str = ""):
 
     def _on_established(self, link):
         with self._lock:
-            self.link          = link
-            self.active        = True
-            self._reconnecting = False
-            self._retry_count  = 0
+            if link is self.link and self.active:
+                return
+            if self._removed or link is not self._pending_link:
+                accepted = False
+            else:
+                accepted            = True
+                self._pending_link   = None
+                self.link            = link
+                self.active          = True
+                self._reconnecting   = False
+                self._retry_count    = 0
+        if not accepted:
+            try:
+                link.teardown()
+            except Exception:
+                pass
+            return
         log_ok(f"[{self.label}] Link established")
         if state.identify_self and state.client_identity:
             link.identify(state.client_identity)
@@ -99,6 +129,8 @@ def _on_established(self, link):
     def _on_closed(self, link):
         reason = link.teardown_reason
         with self._lock:
+            if link is not self.link:
+                return
             self.active = False
             removed     = self._removed
         self.ready.clear()
@@ -146,11 +178,15 @@ def _reconnect_loop(self) -> None:
             log_warn(f"[{self.label}] Reconnect attempt {self._retry_count} failed")
 
     def connect(self, timeout: float = 20.0) -> bool:
+        if self._is_removed():
+            return False
         if not RNS.Transport.has_path(self.dest_hash):
             log_info(f"[{self.label}] Requesting path from mesh...")
             RNS.Transport.request_path(self.dest_hash)
             deadline = time.time() + timeout
             while not RNS.Transport.has_path(self.dest_hash):
+                if self._is_removed():
+                    return False
                 if time.time() > deadline:
                     log_err(f"[{self.label}] Path resolution timed out")
                     return False
@@ -174,12 +210,16 @@ def connect(self, timeout: float = 20.0) -> bool:
             APP_ASPECT,
         )
         link = RNS.Link(dest)
+        if not self._start_link_attempt(link):
+            with self._lock:
+                return self.active and not self._removed
         link.set_link_established_callback(self._on_established)
 
-        if not self.ready.wait(timeout=timeout):
-            log_err(f"[{self.label}] Link establishment timed out")
-            return False
-        return True
+        return self._wait_for_link(link, timeout, "Link establishment timed out")
+
+    def _is_removed(self) -> bool:
+        with self._lock:
+            return self._removed
 
     def connect_with_identity(self, identity: "RNS.Identity", timeout: float = 20.0) -> bool:
         with self._lock:
@@ -193,12 +233,49 @@ def connect_with_identity(self, identity: "RNS.Identity", timeout: float = 20.0)
             APP_ASPECT,
         )
         link = RNS.Link(dest)
+        if not self._start_link_attempt(link):
+            with self._lock:
+                return self.active and not self._removed
         link.set_link_established_callback(self._on_established)
-        if not self.ready.wait(timeout=timeout):
-            log_err(f"[{self.label}] Link establishment timed out (identity fast-path)")
+        return self._wait_for_link(link, timeout, "Link establishment timed out (identity fast-path)")
+
+    def _start_link_attempt(self, link) -> bool:
+        with self._lock:
+            removed = self._removed
+            already_active = self.active
+            superseded = self._pending_link
+            if not removed and not already_active:
+                self.ready.clear()
+                self._pending_link = link
+        if superseded is not None and superseded is not link:
+            try:
+                superseded.teardown()
+            except Exception:
+                pass
+        if removed or already_active:
+            try:
+                link.teardown()
+            except Exception:
+                pass
             return False
         return True
 
+    def _wait_for_link(self, link, timeout: float, timeout_message: str) -> bool:
+        established = self.ready.wait(timeout=timeout)
+        with self._lock:
+            accepted = self.active and self.link is link
+            if self._pending_link is link:
+                self._pending_link = None
+        if accepted:
+            return True
+        try:
+            link.teardown()
+        except Exception:
+            pass
+        if not established:
+            log_err(f"[{self.label}] {timeout_message}")
+        return False
+
     def refresh_identity(self, identity: "RNS.Identity") -> None:
         with self._lock:
             self._last_identity      = identity
@@ -215,16 +292,19 @@ def refresh_identity(self, identity: "RNS.Identity") -> None:
             log_info(f"[{self.label}] Re-announce received — identity refreshed for next retry")
 
     def request(self, payload: bytes, result_event: threading.Event,
-                result_holder: list, timeout: float) -> None:
+                result_holder: list, timeout: float, result_lock=None) -> None:
         if not self.active or self.link is None:
             return
+        result_lock = result_lock or threading.Lock()
 
         def on_response(receipt):
-            if receipt.response is not None and result_holder[0] is None:
+            if receipt.response is not None:
                 try:
-                    raw = decompress_response(bytes(receipt.response))
-                    parsed = decode_json(raw)
-                    if "result" in parsed or "error" in parsed:
+                    raw    = decompress_response(bytes(receipt.response))
+                    parsed = decode_rpc_response(raw)
+                    with result_lock:
+                        if result_holder[0] is not None:
+                            return
                         result_holder[0] = parsed
                         result_holder[1] = self.label
                         result_event.set()
@@ -247,9 +327,17 @@ def on_failed(receipt):
 
     def teardown(self):
         with self._lock:
-            self._removed = True
-            self.active   = False
-            link          = self.link
+            self._removed      = True
+            self.active        = False
+            link               = self.link
+            pending_link       = self._pending_link
+            self._pending_link = None
+        self.ready.clear()
+        if pending_link is not None and pending_link is not link:
+            try:
+                pending_link.teardown()
+            except Exception:
+                pass
         if link:
             try:
                 link.teardown()
@@ -275,27 +363,22 @@ def __init__(self, strategy: str = "race", request_timeout: float = 30.0):
 
     def add_background(self, dest_hash_hex: str, label: str = "") -> None:
         """Fire-and-forget connect. Returns immediately; link becomes active in the background."""
-        dest_hash_hex = dest_hash_hex.lower().strip()
-        expected = (RNS.Reticulum.TRUNCATED_HASHLENGTH // 8) * 2
-        if len(dest_hash_hex) != expected:
-            log_err(f"Invalid hash length ({len(dest_hash_hex)} chars, need {expected})")
+        dest_hash_hex = _normalize_dest_hash(dest_hash_hex)
+        if dest_hash_hex is None:
             return
         with self._lock:
             if dest_hash_hex in self._links:
                 return
-            self._pending_count += 1
-
-        bl = BeaconLink(dest_hash_hex, label or dest_hash_hex[:12] + "...")
-        with self._lock:
+            bl = BeaconLink(dest_hash_hex, label or dest_hash_hex[:12] + "...")
             self._links[dest_hash_hex] = bl
+            self._pending_count += 1
 
         def _connect():
             ok = bl.connect(timeout=25.0)
             with self._lock:
                 self._pending_count = max(0, self._pending_count - 1)
             if not ok:
-                with self._lock:
-                    self._links.pop(dest_hash_hex, None)
+                self._discard_if_current(dest_hash_hex, bl)
 
         threading.Thread(target=_connect, daemon=True).start()
 
@@ -304,22 +387,18 @@ def pending_count(self) -> int:
             return self._pending_count
 
     def add(self, dest_hash_hex: str, label: str = "", connect: bool = True) -> bool:
-        dest_hash_hex = dest_hash_hex.lower().strip()
-        expected = (RNS.Reticulum.TRUNCATED_HASHLENGTH // 8) * 2
-        if len(dest_hash_hex) != expected:
-            log_err(f"Invalid hash length ({len(dest_hash_hex)} chars, need {expected})")
+        dest_hash_hex = _normalize_dest_hash(dest_hash_hex)
+        if dest_hash_hex is None:
             return False
         with self._lock:
             if dest_hash_hex in self._links:
                 return True
-        bl = BeaconLink(dest_hash_hex, label)
-        with self._lock:
+            bl = BeaconLink(dest_hash_hex, label)
             self._links[dest_hash_hex] = bl
         if connect:
             ok = bl.connect(timeout=20.0)
             if not ok:
-                with self._lock:
-                    del self._links[dest_hash_hex]
+                self._discard_if_current(dest_hash_hex, bl)
             return ok
         return True
 
@@ -328,22 +407,20 @@ def add_from_announce(self, dest_hash: bytes, identity: "RNS.Identity", label: s
 
         with self._lock:
             existing = self._links.get(dest_hash_hex)
+            if existing is None:
+                bl = BeaconLink(dest_hash_hex, label or dest_hash_hex[:12] + "...")
+                self._links[dest_hash_hex] = bl
 
         if existing is not None:
             existing.refresh_identity(identity)
             return
 
-        bl = BeaconLink(dest_hash_hex, label or dest_hash_hex[:12] + "...")
-        with self._lock:
-            self._links[dest_hash_hex] = bl
-
         def _open():
             ok = bl.connect_with_identity(identity, timeout=20.0)
             if ok:
                 log_ok(f"[{bl.label}] Auto-connected via announce ({self.size()} in pool)")
             else:
-                with self._lock:
-                    self._links.pop(dest_hash_hex, None)
+                self._discard_if_current(dest_hash_hex, bl)
 
         threading.Thread(target=_open, daemon=True).start()
 
@@ -364,7 +441,13 @@ def all_links(self) -> list:
             return list(self._links.values())
 
     def size(self) -> int:
-        return len(self._links)
+        with self._lock:
+            return len(self._links)
+
+    def _discard_if_current(self, dest_hash_hex: str, link: BeaconLink) -> None:
+        with self._lock:
+            if self._links.get(dest_hash_hex) is link:
+                self._links.pop(dest_hash_hex, None)
 
     def teardown_all(self) -> None:
         with self._lock:
@@ -388,8 +471,9 @@ def call(self, method: str, params=None) -> dict | None:
     def _race(self, links, payload, method):
         result_holder = [None, None]
         result_event  = threading.Event()
+        result_lock   = threading.Lock()
         for bl in links:
-            bl.request(payload, result_event, result_holder, self.request_timeout)
+            bl.request(payload, result_event, result_holder, self.request_timeout, result_lock)
         fired = result_event.wait(timeout=self.request_timeout + 5)
         if fired and result_holder[0] is not None:
             log_ok(f"Response from [{result_holder[1]}]  method={method}")
@@ -419,7 +503,7 @@ def status_table(self) -> str:
             lines.append("  (empty)")
         for bl in items:
             dot = f"{GREEN}●{RESET}" if bl.active else f"{RED}○{RESET}"
-            lines.append(f"  {dot}  {BOLD}{bl.label}{RESET}  {DIM}{bl.dest_hash_hex}{RESET}")
+            lines.append(f"  {dot}  {BOLD}{terminal_safe_text(bl.label)}{RESET}  {DIM}{bl.dest_hash_hex}{RESET}")
         lines.append("")
         return "\n".join(lines)
 
@@ -454,10 +538,9 @@ def received_announce(self, destination_hash, announced_identity, app_data):
         with self.pool._lock:
             already = hash_hex in self.pool._links
         if already:
-            log_info(f"Beacon {short} already in pool — skipping")
-            return
-
-        log_ok(f"Discovered beacon via announce: {short}")
+            log_info(f"Beacon {short} already in pool — refreshing identity")
+        else:
+            log_ok(f"Discovered beacon via announce: {short}")
         self.pool.add_from_announce(destination_hash, announced_identity, label=f"disc:{short}")
 
 
@@ -467,10 +550,16 @@ def received_announce(self, destination_hash, announced_identity, app_data):
 
 def start_reticulum(config_path) -> None:
     RNS.Reticulum(config_path)
+    identity_dir = config_path or os.path.expanduser("~/.reticulum")
     deadline = time.time() + 5.0
     while RNS.Transport.identity is None and time.time() < deadline:
         time.sleep(0.1)
-    log_ok("Reticulum started")
+    if RNS.Transport.identity is None:
+        log_warn("Transport identity not ready after 5s — proceeding")
+    else:
+        log_ok("Reticulum started")
+    restrict_private_file_permissions(
+        os.path.join(identity_dir, "storage", "transport_identity"))
     state.client_identity = RNS.Identity()
     log_info(f"Client identity: {RNS.prettyhexrep(state.client_identity.hash)}")
 
diff --git a/package-lock.json b/package-lock.json
index ddcbc96..32bcce8 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -17,9 +17,9 @@
       }
     },
     "node_modules/@arcium-hq/client": {
-      "version": "0.9.2",
-      "resolved": "https://registry.npmjs.org/@arcium-hq/client/-/client-0.9.2.tgz",
-      "integrity": "sha512-Los9eK3XAVHtp1wq50gMgoLnrFiiFskFBK69XeKNe40WUXaMN00BjVWE4JTFfHNZhwTh97YgT1Eu6RjqifW4wQ==",
+      "version": "0.9.7",
+      "resolved": "https://registry.npmjs.org/@arcium-hq/client/-/client-0.9.7.tgz",
+      "integrity": "sha512-jrZGhYagK+mI6Q8FpZvDhRNADpIEde1zHbHKBj3oyjyuUHDYqvoucZUqIdM5Zg6+fHRYOH3igRbqsOfVBUbdyg==",
       "license": "GPL-3.0-only",
       "dependencies": {
         "@coral-xyz/anchor": "0.32.1",
@@ -1002,6 +1002,18 @@
         }
       }
     },
+    "node_modules/node-gyp-build": {
+      "version": "4.8.4",
+      "resolved": "https://registry.npmjs.org/node-gyp-build/-/node-gyp-build-4.8.4.tgz",
+      "integrity": "sha512-LA4ZjwlnUblHVgq0oBF3Jl/6h/Nvs5fzBLwdEF4nuxnFdsfajde4WfxtJr3CaiH+F6ewcIB/q4jQ4UzPyid+CQ==",
+      "license": "MIT",
+      "optional": true,
+      "bin": {
+        "node-gyp-build": "bin.js",
+        "node-gyp-build-optional": "optional.js",
+        "node-gyp-build-test": "build-test.js"
+      }
+    },
     "node_modules/pako": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/pako/-/pako-2.1.0.tgz",
@@ -1047,9 +1059,9 @@
       "license": "MIT"
     },
     "node_modules/rpc-websockets/node_modules/uuid": {
-      "version": "11.1.0",
-      "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.0.tgz",
-      "integrity": "sha512-0/A9rDy9P7cJ+8w1c9WD9V//9Wj15Ce2MPz8Ri6032usz+NfePxx5AcN3bN+r6ZL6jEo066/yNYB3tn4pQEx+A==",
+      "version": "11.1.1",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.1.1.tgz",
+      "integrity": "sha512-vIYxrBCC/N/K+Js3qSN88go7kIfNPssr/hHCesKCQNAjmgvYS2oqr69kIufEG+O4+PfezOH4EbIeHCfFov8ZgQ==",
       "funding": [
         "https://github.com/sponsors/broofa",
         "https://github.com/sponsors/ctavan"
@@ -1060,9 +1072,9 @@
       }
     },
     "node_modules/rpc-websockets/node_modules/ws": {
-      "version": "8.19.0",
-      "resolved": "https://registry.npmjs.org/ws/-/ws-8.19.0.tgz",
-      "integrity": "sha512-blAT2mjOEIi0ZzruJfIhb3nps74PRWTCz1IjglWEEpQl5XS/UNama6u2/rjFkDDouqr4L67ry+1aGIALViWjDg==",
+      "version": "8.21.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.21.0.tgz",
+      "integrity": "sha512-Vsp28b7DRcimFQvrqu2Wek3z1iYxDCWqHYB8Qsnk/S4RfaCQzPGPyBNuVjJV3cd6UiKtUtp6sNM77gWvzcCH+g==",
       "license": "MIT",
       "engines": {
         "node": ">=10.0.0"
diff --git a/package.json b/package.json
index 1984da3..41cf24d 100644
--- a/package.json
+++ b/package.json
@@ -2,20 +2,20 @@
   "name": "anon0mesh_cli",
   "version": "1.0.0",
   "description": "**Mesh First, Chain When It Matters.**",
-  "homepage": "https://github.com/Magicred-1/anon0mesh_cli#readme",
+  "homepage": "https://github.com/anonmesh/anonmesh_cli#readme",
   "bugs": {
-    "url": "https://github.com/Magicred-1/anon0mesh_cli/issues"
+    "url": "https://github.com/anonmesh/anonmesh_cli/issues"
   },
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/Magicred-1/anon0mesh_cli.git"
+    "url": "git+https://github.com/anonmesh/anonmesh_cli.git"
   },
   "license": "ISC",
   "author": "",
   "type": "commonjs",
   "main": "index.js",
   "scripts": {
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "test": "./scripts/test.sh"
   },
   "dependencies": {
     "@arcium-hq/client": "^0.9.2",
diff --git a/requirements-dev.txt b/requirements-dev.txt
new file mode 100644
index 0000000..ddf59a2
--- /dev/null
+++ b/requirements-dev.txt
@@ -0,0 +1,4 @@
+-r requirements.txt
+
+pytest>=8.0,<9
+solders>=0.20
diff --git a/rescue_shim.mjs b/rescue_shim.mjs
index e79c874..793874e 100644
--- a/rescue_shim.mjs
+++ b/rescue_shim.mjs
@@ -39,11 +39,78 @@ const MXE_PROGRAM_ID = "7xeQNUggKc2e5q6AQxsFBLBkXGg2p54kSx11zVainMks";
 
 // comp_def_offset("payment_stats")
 const COMP_DEF_NAME = "payment_stats";
+const MAX_RESCUE_VALUES = 100;
+const MAX_U64 = (1n << 64n) - 1n;
+const MAX_FIELD_VALUE = (1n << 256n) - 1n;
 
-function u8a(hex)  { return Uint8Array.from(Buffer.from(hex, "hex")); }
+function u8a(value, label = "hex value", expectedBytes = null) {
+    if (typeof value !== "string" || !/^[0-9a-fA-F]+$/.test(value) || value.length % 2 !== 0) {
+        throw new Error(`${label} must be hexadecimal bytes`);
+    }
+    const bytes = Uint8Array.from(Buffer.from(value, "hex"));
+    if (expectedBytes !== null && bytes.length !== expectedBytes) {
+        throw new Error(`${label} must be ${expectedBytes} bytes`);
+    }
+    return bytes;
+}
 function hex(u8)   { return Buffer.from(u8).toString("hex"); }
 function out(data) { console.log(JSON.stringify({ ok: true,  ...data })); }
-function fail(msg) { console.log(JSON.stringify({ ok: false, error: msg })); process.exit(1); }
+function redactUrls(msg) {
+    return String(msg).replace(/https?:\/\/[^\s"'`]+/g, "<redacted-rpc-url>");
+}
+function fail(msg) { console.log(JSON.stringify({ ok: false, error: redactUrls(msg) })); process.exit(1); }
+
+function parseU32(value, label, fallback = "456") {
+    const text = String(value ?? fallback);
+    if (!/^\d+$/.test(text)) {
+        throw new Error(`${label} must be an unsigned 32-bit integer`);
+    }
+    const parsed = Number(text);
+    if (!Number.isSafeInteger(parsed) || parsed > 0xFFFFFFFF) {
+        throw new Error(`${label} must be an unsigned 32-bit integer`);
+    }
+    return parsed;
+}
+
+function parseUnsigned(value, label, maximum) {
+    const text = String(value);
+    if (!/^\d+$/.test(text)) {
+        throw new Error(`${label} must be an unsigned decimal integer`);
+    }
+    const parsed = BigInt(text);
+    if (parsed > maximum) {
+        throw new Error(`${label} is out of range`);
+    }
+    return parsed;
+}
+
+function fieldElements(value, label) {
+    if (!Array.isArray(value) || value.length === 0 || value.length > MAX_RESCUE_VALUES) {
+        throw new Error(`${label} must contain 1-${MAX_RESCUE_VALUES} field elements`);
+    }
+    return value.map((item, index) => {
+        if (typeof item === "number" && !Number.isSafeInteger(item)) {
+            throw new Error(`${label}[${index}] must be an exact integer`);
+        }
+        return parseUnsigned(item, `${label}[${index}]`, MAX_FIELD_VALUE);
+    });
+}
+
+function byteArrays(value, label, expectedBytes) {
+    if (!Array.isArray(value) || value.length === 0 || value.length > MAX_RESCUE_VALUES) {
+        throw new Error(`${label} must contain 1-${MAX_RESCUE_VALUES} byte arrays`);
+    }
+    return value.map((item, index) => {
+        if (
+            !Array.isArray(item)
+            || item.length !== expectedBytes
+            || item.some(byte => !Number.isInteger(byte) || byte < 0 || byte > 255)
+        ) {
+            throw new Error(`${label}[${index}] must contain ${expectedBytes} bytes`);
+        }
+        return Uint8Array.from(item);
+    });
+}
 
 function deserializeLE(bytes) {
     let result = 0n;
@@ -65,12 +132,15 @@ try {
         out({ privkey_hex: hex(privateKey), pubkey_hex: hex(publicKey) });
 
     } else if (cmd === "encrypt") {
-        const [mxePubkeyHex, valuesJson, nonceHex] = args;
-        if (!mxePubkeyHex || !valuesJson) fail("usage: encrypt <mxe_pubkey_hex> <values_json> [nonce_hex]");
+        // Plaintext values are passed via stdin so confidential queries do not
+        // expose them through ps aux or /proc/<pid>/cmdline.
+        const valuesJson = readStdin();
+        const [mxePubkeyHex, nonceHex] = args;
+        if (!mxePubkeyHex || !valuesJson) fail("usage: encrypt <mxe_pubkey_hex> [nonce_hex]  (values_json via stdin)");
 
-        const mxePublicKey = u8a(mxePubkeyHex);
-        const plaintext    = JSON.parse(valuesJson).map(BigInt);
-        const nonce        = nonceHex ? u8a(nonceHex) : randomBytes(16);
+        const mxePublicKey = u8a(mxePubkeyHex, "MXE public key", 32);
+        const plaintext    = fieldElements(JSON.parse(valuesJson), "plaintext");
+        const nonce        = nonceHex ? u8a(nonceHex, "nonce", 16) : randomBytes(16);
 
         const privateKey   = x25519.utils.randomSecretKey();
         const publicKey    = x25519.getPublicKey(privateKey);
@@ -93,9 +163,9 @@ try {
         if (!sharedSecretHex || !ciphertextsJson || !nonceHex)
             fail("usage: decrypt <ciphertexts_json> <nonce_hex>  (shared_secret_hex via stdin)");
 
-        const sharedSecret = u8a(sharedSecretHex);
-        const ciphertexts  = JSON.parse(ciphertextsJson).map(ct => Uint8Array.from(ct));
-        const nonce        = u8a(nonceHex);
+        const sharedSecret = u8a(sharedSecretHex, "shared secret", 32);
+        const ciphertexts  = byteArrays(JSON.parse(ciphertextsJson), "ciphertexts", 32);
+        const nonce        = u8a(nonceHex, "nonce", 16);
         const cipher       = new RescueCipher(sharedSecret);
         const plaintext    = cipher.decrypt(ciphertexts, nonce);
         out({ values: plaintext.map(v => v.toString()) });
@@ -105,17 +175,21 @@ try {
         const privkeyHex = readStdin();
         const [mxePubkeyHex] = args;
         if (!privkeyHex || !mxePubkeyHex) fail("usage: shared_secret <mxe_pubkey_hex>  (privkey_hex via stdin)");
-        const sharedSecret = x25519.getSharedSecret(u8a(privkeyHex), u8a(mxePubkeyHex));
+        const sharedSecret = x25519.getSharedSecret(
+            u8a(privkeyHex, "private key", 32),
+            u8a(mxePubkeyHex, "MXE public key", 32),
+        );
         out({ shared_secret_hex: hex(sharedSecret) });
 
     } else if (cmd === "mxe_pubkey") {
         // Fetch MXE x25519 pubkey from chain
-        const [programId, rpcUrl] = args;
+        const [programId, rpcArg] = args;
+        if (rpcArg) fail("Pass custom RPC via ARCIUM_RPC_URL so credentials stay out of process arguments");
         const progId = programId || MXE_PROGRAM_ID;
 
         const { Connection, PublicKey, Keypair } = await import("@solana/web3.js");
         const anchor = await import("@coral-xyz/anchor");
-        const connection = new Connection(rpcUrl || "https://api.devnet.solana.com", "confirmed");
+        const connection = new Connection(process.env.ARCIUM_RPC_URL || "https://api.devnet.solana.com", "confirmed");
         const dummyKp    = Keypair.generate();
         const provider   = new anchor.AnchorProvider(
             connection,
@@ -131,10 +205,13 @@ try {
         const programId = programIdArg || MXE_PROGRAM_ID;
         let clusterOffset;
         try { clusterOffset = getArciumEnv().arciumClusterOffset; }
-        catch { clusterOffset = Number.parseInt(clusterOffsetStr || "456"); }
+        catch { clusterOffset = clusterOffsetStr; }
+        clusterOffset = parseU32(clusterOffset, "cluster offset");
 
         const { PublicKey } = await import("@solana/web3.js");
-        const computationOffset = new BN(computationOffsetStr || "0");
+        const computationOffset = new BN(
+            parseUnsigned(computationOffsetStr ?? "0", "computation offset", MAX_U64).toString()
+        );
         const progPubkey        = new PublicKey(programId);
         const compDefOffset     = Buffer.from(getCompDefAccOffset(COMP_DEF_NAME)).readUInt32LE();
         const [signPdaPubkey]   = PublicKey.findProgramAddressSync(
@@ -206,20 +283,22 @@ try {
 
         const programId  = progIdArg || MXE_PROGRAM_ID;
         const connection = new Connection(rpcUrl || "https://api.devnet.solana.com", "confirmed");
-        const payerKp    = Keypair.fromSecretKey(u8a(payerKeypairHex));
+        const payerKp    = Keypair.fromSecretKey(u8a(payerKeypairHex, "payer keypair", 64));
         const progPubkey = new PublicKey(programId);
         let clusterOffset;
         try { clusterOffset = getArciumEnv().arciumClusterOffset; }
-        catch { clusterOffset = Number.parseInt(clusterOffStr || "456"); }
+        catch { clusterOffset = clusterOffStr; }
+        clusterOffset = parseU32(clusterOffset, "cluster offset");
 
         // Encrypt amount with x25519 + RescueCipher (client-side, using MXE pubkey)
-        const mxePublicKey  = u8a(mxePubkeyHex);
+        const mxePublicKey  = u8a(mxePubkeyHex, "MXE public key", 32);
         const clientPrivKey = x25519.utils.randomSecretKey();
         const clientPubKey  = x25519.getPublicKey(clientPrivKey);
         const sharedSecret  = x25519.getSharedSecret(clientPrivKey, mxePublicKey);
         const rescueCipher  = new RescueCipher(sharedSecret);
         const encNonce      = randomBytes(16);
-        const ciphertexts   = rescueCipher.encrypt([BigInt(amount)], encNonce);
+        const amountBig     = parseUnsigned(amount, "amount", MAX_U64);
+        const ciphertexts   = rescueCipher.encrypt([amountBig], encNonce);
         const encryptedAmountBuf = Buffer.from(ciphertexts[0]);           // 32-byte field element
         const nonceBig      = deserializeLE(Buffer.from(encNonce));       // u128 as BigInt
 
@@ -251,7 +330,7 @@ try {
         const ix_data = Buffer.alloc(8 + 8 + 8 + 32 + 16 + 32);
         disc("execute_payment").copy(ix_data, 0);
         ix_data.writeBigUInt64LE(BigInt(compOffsetBN.toString()), 8);
-        ix_data.writeBigUInt64LE(BigInt(amount), 16);
+        ix_data.writeBigUInt64LE(amountBig, 16);
         encryptedAmountBuf.copy(ix_data, 24);                             // 32-byte ciphertext
         // nonce as u128 LE at offset 56 (two u64s)
         ix_data.writeBigUInt64LE(nonceBig & 0xFFFFFFFFFFFFFFFFn, 56);
@@ -313,7 +392,9 @@ try {
 
         const signers = [payerKp];
         if (broadcasterKeypairHex) {
-            const broadcasterKp = Keypair.fromSecretKey(u8a(broadcasterKeypairHex));
+            const broadcasterKp = Keypair.fromSecretKey(
+                u8a(broadcasterKeypairHex, "broadcaster keypair", 64)
+            );
             // Only add if different pubkey — beacon uses same keypair for payer + broadcaster
             if (broadcasterKp.publicKey.toBase58() !== payerKp.publicKey.toBase58()) {
                 signers.push(broadcasterKp);
diff --git a/reticulum_config b/reticulum_config
index fafb0df..a2f6b32 100644
--- a/reticulum_config
+++ b/reticulum_config
@@ -26,19 +26,6 @@
     target_host = dfw.us.g00n.cloud
     target_port = 6969
 
-  [[RNS Testnet BetweenTheBorders]]
-    type        = TCPClientInterface
-    enabled     = yes
-    target_host = reticulum.betweentheborders.com
-    target_port = 4242
-
-# Dublin DNS doesn't resolve — disabled for now
-#  [[RNS Testnet Dublin]]
-#    type        = TCPClientInterface
-#    enabled     = yes
-#    target_host = dublin.connect.reticulum.network
-#    target_port = 4965
-
 # ── RNode LoRa (Heltec V3 / SX1262) ─────────────────────────────────────────
 # Region: US 915 MHz
 # Serial: /dev/cu.usbserial-0001
diff --git a/rpc.py b/rpc.py
index dbaf5e2..29f03b6 100644
--- a/rpc.py
+++ b/rpc.py
@@ -6,23 +6,16 @@
 No local signing happens here — see wallet.py for that.
 """
 
-import os
 import json
 import concurrent.futures
 
 import state
 from shared import (
-    log_info, log_ok, log_warn, log_err,
+    MAX_RENDERED_LOG_LINES, MAX_RENDERED_TOKEN_ACCOUNTS, is_u64, log_info,
+    log_ok, log_warn, log_err, rpc_error_message, terminal_safe_text,
     BOLD, CYAN, GREEN, RED, RESET, DIM,
 )
 
-# ── Optional Arcium confidential-query support ─────────────────────────────────
-try:
-    from arcium_client import rescue_encrypt, rescue_decrypt, rescue_shared_secret
-    HAS_ARCIUM = True
-except ImportError:
-    HAS_ARCIUM = False
-
 _NO_BEACON_RESP = "No response from beacon"
 
 
@@ -39,7 +32,7 @@ def _extract_result(resp: dict):
     Solana RPC wraps some results in {"context":..., "value":...}.
     Others return the value directly. Handle both.
     """
-    if resp is None:
+    if not isinstance(resp, dict):
         return None
     r = resp.get("result")
     if isinstance(r, dict) and "value" in r:
@@ -47,6 +40,10 @@ def _extract_result(resp: dict):
     return r
 
 
+def _is_nonempty_string(value) -> bool:
+    return isinstance(value, str) and bool(value)
+
+
 # ═══════════════════════════════════════════════════════════════════════════════
 # Query functions
 # ═══════════════════════════════════════════════════════════════════════════════
@@ -56,82 +53,21 @@ def get_balance(address):
     if resp is None:
         return
     if "error" in resp:
-        log_err(f"RPC error: {resp['error'].get('message', resp['error'])}")
+        log_err(f"RPC error: {rpc_error_message(resp['error'])}")
+        return
+    lamports = _extract_result(resp)
+    if not is_u64(lamports):
+        log_warn(f"Unexpected getBalance response: {json.dumps(resp)}")
         return
-    lamports = resp.get("result", {})
-    if isinstance(lamports, dict):
-        lamports = lamports.get("value", 0)
     sol = lamports / 1_000_000_000
-    print(f"\n  {GREEN}{BOLD}{address}{RESET}")
+    print(f"\n  {GREEN}{BOLD}{terminal_safe_text(address)}{RESET}")
     print(f"  Balance: {BOLD}{sol:.9f} SOL{RESET}  ({lamports:,} lamports)\n")
 
 
-def confidential_get_balance(address: str) -> None:
-    """
-    Fetch SOL balance via Arcium MPC — the beacon never sees the address or balance.
-    Requires ARCIUM_MXE_PUBKEY_HEX in .env and arcium_client.py present.
-    Falls back to plain get_balance if Arcium is unavailable.
-    """
-    if not HAS_ARCIUM:
-        log_warn("arcium_client.py not found — falling back to plain balance")
-        get_balance(address)
-        return
-
-    mxe_pubkey_hex = os.getenv("ARCIUM_MXE_PUBKEY_HEX", "").strip()
-    if not mxe_pubkey_hex:
-        log_warn("ARCIUM_MXE_PUBKEY_HEX not set — falling back to plain balance")
-        get_balance(address)
-        return
-
-    try:
-        from solders.pubkey import Pubkey as _Pubkey
-        address_bytes = list(bytes(_Pubkey.from_string(address)))
-    except Exception as exc:
-        log_err(f"Invalid address: {exc}")
-        return
-
-    log_info("Encrypting address for Arcium MPC...")
-    try:
-        enc = rescue_encrypt(mxe_pubkey_hex, address_bytes)
-    except Exception as exc:
-        log_err(f"Encryption failed: {exc}")
-        return
-
-    resp = rpc_call("getBalance", [{
-        "enc_address":   enc["ciphertexts"][0],
-        "ephem_pub":     enc["pubkey_hex"],
-        "nonce":         int(enc["nonce_bn"]),
-        "comp_def_name": "payment_stats",
-    }])
-
-    if resp is None:
-        return
-    if resp.get("status") == "error":
-        log_err(f"Arcium error: {resp.get('message', '?')}")
-        return
-
-    r = resp.get("result", resp)
-    if r.get("status") == "error":
-        log_err(f"Arcium error: {r.get('message', '?')}")
-        return
-
-    try:
-        shared_secret = rescue_shared_secret(
-            enc.get("shared_secret_hex") or enc.get("privkey_hex", ""),
-            r.get("mxe_pubkey_hex", ""),
-        )
-        values   = rescue_decrypt(shared_secret, [r["enc_balance"]], r["nonce_hex"])
-        lamports = values[0]
-        sol      = lamports / 1_000_000_000
-        print()
-        print(f"  {GREEN}{BOLD}{address}{RESET}  {DIM}(confidential via Arcium MPC){RESET}")
-        print(f"  Balance: {BOLD}{sol:.9f} SOL{RESET}  ({lamports:,} lamports)")
-        print(f"  {DIM}Beacon never saw this address or balance{RESET}")
-        print()
-    except Exception as exc:
-        log_err(f"Decryption failed: {exc}")
-        log_warn("Falling back to plain balance check")
-        get_balance(address)
+def confidential_get_balance(_address: str) -> None:
+    """Fail closed until a real MPC balance-query handler exists."""
+    log_warn("Confidential balance is unavailable: no MPC query handler is implemented")
+    log_warn("Use the plain balance command explicitly only if address disclosure is acceptable")
 
 
 def get_slot():
@@ -141,7 +77,7 @@ def get_slot():
     if "error" in resp:
         log_err(f"RPC error: {resp['error']}"); return
     val = _extract_result(resp)
-    if val is not None:
+    if is_u64(val):
         print(f"\n  Current slot: {BOLD}{val:,}{RESET}\n")
     else:
         log_warn(f"Unexpected response: {json.dumps(resp)}")
@@ -154,7 +90,7 @@ def get_block_height():
     if "error" in resp:
         log_err(f"RPC error: {resp['error']}"); return
     val = _extract_result(resp)
-    if val is not None:
+    if is_u64(val):
         print(f"\n  Block height: {BOLD}{val:,}{RESET}\n")
     else:
         log_warn(f"Unexpected response: {json.dumps(resp)}")
@@ -167,7 +103,7 @@ def get_transaction_count():
     if "error" in resp:
         log_err(f"RPC error: {resp['error']}"); return
     val = _extract_result(resp)
-    if val is not None:
+    if is_u64(val):
         print(f"\n  Transaction count: {BOLD}{val:,}{RESET}\n")
     else:
         log_warn(f"Unexpected response: {json.dumps(resp)}")
@@ -183,8 +119,8 @@ def get_recent_blockhash() -> str | None:
     if isinstance(r, dict):
         val = r.get("value", r)
         bh  = val.get("blockhash") if isinstance(val, dict) else None
-        if bh:
-            print(f"\n  Latest blockhash: {BOLD}{bh}{RESET}\n")
+        if _is_nonempty_string(bh):
+            print(f"\n  Latest blockhash: {BOLD}{terminal_safe_text(bh)}{RESET}\n")
             return bh
     log_warn(f"Unexpected response: {json.dumps(resp)}")
     return None
@@ -194,9 +130,10 @@ def _print_sol_balance(sol_resp: dict | None) -> None:
     if not (sol_resp and "result" in sol_resp):
         log_warn("Could not fetch SOL balance")
         return
-    lamports = sol_resp["result"]
-    if isinstance(lamports, dict):
-        lamports = lamports.get("value", 0)
+    lamports = _extract_result(sol_resp)
+    if not is_u64(lamports):
+        log_warn(f"Unexpected getBalance response: {json.dumps(sol_resp)}")
+        return
     sol = lamports / 1_000_000_000
     print(f"  {BOLD}SOL Balance:{RESET}  {BOLD}{sol:.9f} SOL{RESET}  {DIM}({lamports:,} lamports){RESET}")
 
@@ -205,21 +142,34 @@ def _print_spl_tokens(token_resp: dict | None) -> None:
     if not (token_resp and "result" in token_resp):
         log_warn("Could not fetch SPL token accounts")
         return
-    accounts = token_resp["result"]["value"]
+    accounts = _extract_result(token_resp)
+    if not isinstance(accounts, list):
+        log_warn(f"Unexpected getTokenAccountsByOwner response: {json.dumps(token_resp)}")
+        return
     if not accounts:
         print(f"  {DIM}No SPL token accounts{RESET}")
         return
     print(f"  {BOLD}SPL Tokens ({len(accounts)}){RESET}")
-    for acc in accounts:
+    for acc in accounts[:MAX_RENDERED_TOKEN_ACCOUNTS]:
         try:
             info     = acc["account"]["data"]["parsed"]["info"]
-            mint     = info.get("mint", "?")
-            decimals = info.get("tokenAmount", {}).get("decimals", 0)
-            amount   = info.get("tokenAmount", {}).get("uiAmountString", "?")
+            token_amount = info["tokenAmount"]
+            mint     = info["mint"]
+            decimals = token_amount["decimals"]
+            amount   = token_amount["uiAmountString"]
+            if (
+                not isinstance(mint, str)
+                or isinstance(decimals, bool) or not isinstance(decimals, int)
+                or not 0 <= decimals <= 255
+                or not isinstance(amount, str)
+            ):
+                raise TypeError("unexpected token account field type")
             symbol   = f"  {DIM}({decimals} decimals){RESET}" if decimals else ""
-            print(f"  {DIM}·{RESET} {mint}  {BOLD}{amount}{RESET}{symbol}")
+            print(f"  {DIM}·{RESET} {terminal_safe_text(mint)}  {BOLD}{terminal_safe_text(amount)}{RESET}{symbol}")
         except (KeyError, TypeError):
             print(f"  {DIM}· (could not parse account){RESET}")
+    if len(accounts) > MAX_RENDERED_TOKEN_ACCOUNTS:
+        print(f"  {DIM}· ... {len(accounts) - MAX_RENDERED_TOKEN_ACCOUNTS} more accounts omitted{RESET}")
 
 
 def get_token_accounts(owner):
@@ -230,10 +180,14 @@ def get_token_accounts(owner):
             {"programId": "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA"},
             {"encoding": "jsonParsed"},
         ])
-        sol_resp   = fut_sol.result()
-        token_resp = fut_tokens.result()
+        try:
+            sol_resp   = fut_sol.result()
+            token_resp = fut_tokens.result()
+        except Exception as exc:
+            log_err(f"Wallet detail query failed: {exc}")
+            return
 
-    print(f"\n  {GREEN}{BOLD}{owner}{RESET}")
+    print(f"\n  {GREEN}{BOLD}{terminal_safe_text(owner)}{RESET}")
     _print_sol_balance(sol_resp)
     _print_spl_tokens(token_resp)
     print()
@@ -249,9 +203,13 @@ def get_beacon_pubkey() -> str | None:
     if resp is None:
         return None
     if "error" in resp:
-        log_err(f"getBeaconPubkey: {resp['error'].get('message', resp['error'])}")
+        log_err(f"getBeaconPubkey: {rpc_error_message(resp['error'])}")
         return None
-    return _extract_result(resp)
+    pubkey = _extract_result(resp)
+    if not _is_nonempty_string(pubkey):
+        log_warn(f"Unexpected getBeaconPubkey response: {json.dumps(resp)}")
+        return None
+    return pubkey
 
 
 def cosign_and_send(partial_tx_b64: str, arcium_meta: dict | None = None) -> str | None:
@@ -268,12 +226,14 @@ def cosign_and_send(partial_tx_b64: str, arcium_meta: dict | None = None) -> str
     if resp is None:
         return None
     if "error" in resp:
-        log_err(f"Co-sign rejected: {resp['error'].get('message', resp['error'])}")
+        log_err(f"Co-sign rejected: {rpc_error_message(resp['error'])}")
         return None
     sig = _extract_result(resp)
-    if sig:
-        log_ok("Co-signed transaction relayed via beacon!")
-        print(f"\n  Signature: {BOLD}{GREEN}{sig}{RESET}\n")
+    if not _is_nonempty_string(sig):
+        log_warn(f"Unexpected cosignTransaction response: {json.dumps(resp)}")
+        return None
+    log_ok("Co-signed transaction relayed via beacon!")
+    print(f"\n  Signature: {BOLD}{GREEN}{terminal_safe_text(sig)}{RESET}\n")
     return sig
 
 
@@ -286,23 +246,40 @@ def send_transaction(signed_tx_b64):
     if resp is None:
         return
     if "error" in resp:
-        log_err(f"Transaction rejected: {resp['error'].get('message', resp['error'])}")
+        log_err(f"Transaction rejected: {rpc_error_message(resp['error'])}")
+        return
+    signature = resp.get("result")
+    if not _is_nonempty_string(signature):
+        log_warn(f"Unexpected sendTransaction response: {json.dumps(resp)}")
         return
     log_ok("Transaction relayed via mesh!")
-    print(f"\n  Signature: {BOLD}{GREEN}{resp.get('result', '?')}{RESET}\n")
+    print(f"\n  Signature: {BOLD}{GREEN}{terminal_safe_text(signature)}{RESET}\n")
 
 
 def simulate_transaction(signed_tx_b64):
     resp = rpc_call("simulateTransaction", [signed_tx_b64, {"encoding": "base64"}])
-    if resp and "result" in resp:
-        sim = resp["result"]["value"]
-        if sim.get("err"):
-            log_warn(f"Simulation error: {sim['err']}")
-        else:
-            log_ok("Simulation successful")
-        for line in sim.get("logs", []):
-            print(f"  {DIM}{line}{RESET}")
-        print()
+    if resp is None:
+        return
+    if "error" in resp:
+        log_err(f"Simulation rejected: {rpc_error_message(resp['error'])}")
+        return
+    sim = _extract_result(resp)
+    if not isinstance(sim, dict):
+        log_warn(f"Unexpected simulateTransaction response: {json.dumps(resp)}")
+        return
+    if sim.get("err"):
+        log_warn(f"Simulation error: {sim['err']}")
+    else:
+        log_ok("Simulation successful")
+    logs = sim.get("logs") or []
+    if not isinstance(logs, list) or any(not isinstance(line, str) for line in logs):
+        log_warn(f"Unexpected simulateTransaction logs: {json.dumps(logs)}")
+        return
+    for line in logs[:MAX_RENDERED_LOG_LINES]:
+        print(f"  {DIM}{terminal_safe_text(line)}{RESET}")
+    if len(logs) > MAX_RENDERED_LOG_LINES:
+        log_warn(f"{len(logs) - MAX_RENDERED_LOG_LINES} simulation log lines omitted")
+    print()
 
 
 # ═══════════════════════════════════════════════════════════════════════════════
@@ -330,18 +307,24 @@ def get_nonce_account(nonce_pubkey_str: str) -> dict | None:
 
     try:
         parsed    = account["data"]["parsed"]
+        if not isinstance(parsed, dict):
+            raise TypeError("parsed nonce data must be an object")
         if parsed.get("type") != "initialized":
             log_err(f"Nonce account is not initialized (type={parsed.get('type')!r})")
             return None
         info      = parsed["info"]
+        if not isinstance(info, dict):
+            raise TypeError("nonce info must be an object")
         nonce_val = info["blockhash"]
         authority = info["authority"]
+        if not _is_nonempty_string(nonce_val) or not _is_nonempty_string(authority):
+            raise TypeError("nonce blockhash and authority must be strings")
     except (KeyError, TypeError) as exc:
         log_err(f"Could not parse nonce account data: {exc}")
         log_warn('Confirm this is a nonce account: raw getAccountInfo ["<pubkey>",{"encoding":"jsonParsed"}]')
         return None
 
-    print(f"\n  {GREEN}{BOLD}{nonce_pubkey_str}{RESET}  {DIM}(durable nonce account){RESET}")
-    print(f"  Nonce value (use as blockhash): {BOLD}{nonce_val}{RESET}")
-    print(f"  Authority:                      {authority}\n")
+    print(f"\n  {GREEN}{BOLD}{terminal_safe_text(nonce_pubkey_str)}{RESET}  {DIM}(durable nonce account){RESET}")
+    print(f"  Nonce value (use as blockhash): {BOLD}{terminal_safe_text(nonce_val)}{RESET}")
+    print(f"  Authority:                      {terminal_safe_text(authority)}\n")
     return {"nonce": nonce_val, "authority": authority}
diff --git a/scripts/check_arcium_accounts.mjs b/scripts/check_arcium_accounts.mjs
index af6486e..0660f22 100644
--- a/scripts/check_arcium_accounts.mjs
+++ b/scripts/check_arcium_accounts.mjs
@@ -5,22 +5,30 @@
  */
 
 import { Connection, PublicKey } from "@solana/web3.js";
-import { execSync } from "node:child_process";
-import { readFileSync } from "node:fs";
+import { execFileSync } from "node:child_process";
 import { fileURLToPath } from "node:url";
 import { dirname, join } from "node:path";
+import { readPrivateTextFileSync } from "./private_file.mjs";
 
 const __dir = dirname(fileURLToPath(import.meta.url));
+const envPath = join(__dir, "..", ".env");
+const ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;
 
 try {
-    const envLines = readFileSync(join(__dir, "..", ".env"), "utf8").split("\n");
+    const envLines = readPrivateTextFileSync(envPath).split("\n");
     for (const line of envLines) {
         const t = line.trim();
         if (!t || t.startsWith("#") || !t.includes("=")) continue;
         const [k, ...rest] = t.split("=");
-        if (!process.env[k.trim()]) process.env[k.trim()] = rest.join("=").trim();
+        const name = k.trim();
+        const value = rest.join("=").trim();
+        if (ENV_NAME.test(name) && !value.includes("\0") && !process.env[name]) {
+            process.env[name] = value;
+        }
     }
-} catch { /* no .env */ }
+} catch (err) {
+    if (err?.code !== "ENOENT") throw err;
+}
 
 const PROGRAM_ID  = "7xeQNUggKc2e5q6AQxsFBLBkXGg2p54kSx11zVainMks";
 // Derived: find_program_address([b"ArciumSignerAccount"], MXE_PROGRAM)
@@ -32,14 +40,26 @@ const SIGN_PDA = signPdaPubkey.toBase58();
 const RPC_URL     = process.env.ARCIUM_RPC_URL || "https://api.devnet.solana.com";
 const MINT        = process.argv[2] || "4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU";
 
+function redactUrl(raw) {
+    try {
+        const url = new URL(raw);
+        const sensitive = url.username || url.password || url.pathname !== "/"
+            || url.search || url.hash;
+        return `${url.protocol}//${url.host}${sensitive ? "/..." : ""}`;
+    } catch {
+        return "<redacted-rpc-url>";
+    }
+}
+
 const connection  = new Connection(RPC_URL, "confirmed");
 const progPubkey  = new PublicKey(PROGRAM_ID);
 const mintPubkey  = new PublicKey(MINT);
 
 // Get Arcium account addresses from shim
 const shimOut = JSON.parse(
-    execSync(`node ${join(__dir, "..", "rescue_shim.mjs")} arcium_accounts ${PROGRAM_ID}`,
-             { encoding: "utf8" })
+    execFileSync(process.execPath, [join(__dir, "..", "rescue_shim.mjs"),
+                                   "arcium_accounts", PROGRAM_ID],
+                 { encoding: "utf8" })
 );
 
 // Derive whitelist PDA
@@ -61,12 +81,19 @@ const checks = {
 };
 
 console.log(`\nProgram : ${PROGRAM_ID}`);
-console.log(`RPC     : ${RPC_URL}`);
+console.log(`RPC     : ${redactUrl(RPC_URL)}`);
 console.log(`Mint    : ${MINT}\n`);
 
 let allGood = true;
 for (const [label, address] of Object.entries(checks)) {
-    const info = await connection.getAccountInfo(new PublicKey(address));
+    let info;
+    try {
+        info = await connection.getAccountInfo(new PublicKey(address));
+    } catch {
+        console.error(`✘ ${label.padEnd(32)} RPC request failed`);
+        allGood = false;
+        continue;
+    }
     const ok   = info !== null;
     const size = ok ? `${info.data.length}B` : "NOT FOUND";
     console.log(`${ok ? "✔" : "✘"} ${label.padEnd(32)} ${address.slice(0,20)}…  ${size}`);
@@ -76,3 +103,4 @@ for (const [label, address] of Object.entries(checks)) {
 console.log(allGood
     ? "\n✔ All accounts present — ready to execute_payment"
     : "\n✘ Missing accounts above must be initialized first");
+if (!allGood) process.exitCode = 1;
diff --git a/scripts/demo_durable_nonce_relay.py b/scripts/demo_durable_nonce_relay.py
index 6f2679f..7650c0a 100644
--- a/scripts/demo_durable_nonce_relay.py
+++ b/scripts/demo_durable_nonce_relay.py
@@ -27,7 +27,6 @@
 import sys
 import os
 import time
-import json
 import base64
 import argparse
 import tempfile
@@ -63,9 +62,11 @@
     APP_NAME, APP_ASPECT, RPC_PATH, ANNOUNCE_DATA,
     build_rpc, decode_json, decompress_response, compress_response,
     banner, log_info, log_ok, log_warn, log_err, log_tx,
+    positive_int, rpc_error_message, terminal_safe_text,
     BOLD, CYAN, GREEN, YELLOW, RED, DIM, RESET,
 )
 from mesh import BeaconPool, BeaconAnnounceHandler, start_reticulum
+from wallet import _load_private_keypair, _save_private_keypair
 
 # ── Constants ─────────────────────────────────────────────────────────────────
 NONCE_ACCOUNT_LENGTH = 80
@@ -73,6 +74,7 @@
 TRANSFER_LAMPORTS    = 100_000         # 0.0001 SOL default
 CONFIRM_TIMEOUT      = 60             # seconds to wait for tx confirmation
 CONFIRM_POLL         = 2              # seconds between confirmation polls
+_MAX_U64             = (1 << 64) - 1
 
 
 # ═════════════════════════════════════════════════════════════════════════════
@@ -117,12 +119,15 @@ def mesh_rpc(method: str, params=None) -> dict | None:
     resp = state.pool.call(method, params)
     if resp is None:
         log_err(f"No response from beacon for {method}")
+    elif not isinstance(resp, dict):
+        log_err(f"Unexpected {method} response: expected an object")
+        return None
     return resp
 
 
-def extract_result(resp: dict):
+def extract_result(resp: dict | None):
     """Unwrap Solana's {context, value} wrapper if present."""
-    if resp is None:
+    if not isinstance(resp, dict):
         return None
     r = resp.get("result")
     if isinstance(r, dict) and "value" in r:
@@ -130,6 +135,29 @@ def extract_result(resp: dict):
     return r
 
 
+def _is_nonempty_string(value) -> bool:
+    return isinstance(value, str) and bool(value)
+
+
+def _is_u64(value) -> bool:
+    return not isinstance(value, bool) and isinstance(value, int) and 0 <= value <= _MAX_U64
+
+
+def _positive_u64(raw_value: str) -> int:
+    value = positive_int(raw_value)
+    if value > _MAX_U64:
+        raise ValueError(f"expected an integer no greater than {_MAX_U64}")
+    return value
+
+
+def _extract_balance(resp: dict | None) -> int:
+    balance = extract_result(resp)
+    if not _is_u64(balance):
+        log_warn(f"Unexpected getBalance response: {resp}")
+        return 0
+    return balance
+
+
 # ═════════════════════════════════════════════════════════════════════════════
 # Demo steps
 # ═════════════════════════════════════════════════════════════════════════════
@@ -138,14 +166,25 @@ def step_generate_keypair(tmpdir: str) -> tuple[Keypair, str]:
     """Generate an ephemeral keypair for the demo."""
     kp = Keypair()
     path = os.path.join(tmpdir, "demo_wallet.json")
-    with open(path, "w") as f:
-        json.dump(list(bytes(kp)), f)
+    _save_private_keypair(path, kp)
     log_ok(f"Ephemeral keypair: {kp.pubkey()}")
     return kp, path
 
 
+def step_load_keypair(path: str) -> Keypair | None:
+    """Load a supplied demo payer keypair with a controlled error path."""
+    try:
+        return _load_private_keypair(path)
+    except Exception as exc:
+        log_err(f"Could not load keypair: {exc}")
+        return None
+
+
 def step_airdrop(address: str, lamports: int, timer: Timer) -> str | None:
     """Request devnet airdrop and wait for confirmation."""
+    if not _is_u64(lamports) or lamports == 0:
+        log_err("Airdrop lamports must be a positive u64 integer")
+        return None
     log_info(f"Requesting airdrop of {lamports / 1e9:.1f} SOL to {address}...")
     t0 = time.monotonic()
 
@@ -153,12 +192,12 @@ def step_airdrop(address: str, lamports: int, timer: Timer) -> str | None:
     if resp is None:
         return None
     if "error" in resp:
-        log_err(f"Airdrop failed: {resp['error']}")
+        log_err(f"Airdrop failed: {rpc_error_message(resp['error'])}")
         return None
 
     sig = extract_result(resp)
-    if not sig:
-        log_err(f"Airdrop returned no signature: {resp}")
+    if not _is_nonempty_string(sig):
+        log_err(f"Airdrop returned an invalid signature: {resp}")
         return None
 
     log_ok(f"Airdrop requested: {sig}")
@@ -180,8 +219,7 @@ def step_create_nonce(payer: Keypair, tmpdir: str, timer: Timer) -> tuple[Keypai
 
     nonce_kp = Keypair()
     nonce_path = os.path.join(tmpdir, "demo_nonce.json")
-    with open(nonce_path, "w") as f:
-        json.dump(list(bytes(nonce_kp)), f)
+    _save_private_keypair(nonce_path, nonce_kp)
 
     payer_pubkey = payer.pubkey()
     nonce_pubkey = nonce_kp.pubkey()
@@ -192,6 +230,9 @@ def step_create_nonce(payer: Keypair, tmpdir: str, timer: Timer) -> tuple[Keypai
         log_err(f"Failed to get rent exemption: {resp}")
         return None, None
     rent_lamports = extract_result(resp)
+    if not _is_u64(rent_lamports):
+        log_err(f"Unexpected rent exemption response: {resp}")
+        return None, None
     log_info(f"Rent-exempt: {rent_lamports:,} lamports")
 
     # Get recent blockhash for the create tx
@@ -204,8 +245,8 @@ def step_create_nonce(payer: Keypair, tmpdir: str, timer: Timer) -> tuple[Keypai
         blockhash = bh_val.get("blockhash")
     else:
         blockhash = bh_val
-    if not blockhash:
-        log_err(f"No blockhash in response: {resp}")
+    if not _is_nonempty_string(blockhash):
+        log_err(f"Invalid blockhash in response: {resp}")
         return None, None
 
     # Build create + init nonce tx
@@ -221,7 +262,11 @@ def step_create_nonce(payer: Keypair, tmpdir: str, timer: Timer) -> tuple[Keypai
         authority=payer_pubkey,
     ))
 
-    bh = Hash.from_string(blockhash)
+    try:
+        bh = Hash.from_string(blockhash)
+    except ValueError as exc:
+        log_err(f"Invalid blockhash: {exc}")
+        return None, None
     msg = Message.new_with_blockhash([create_ix, init_ix], payer_pubkey, bh)
     tx = Transaction.new_unsigned(msg)
     tx.sign([payer, nonce_kp], bh)
@@ -231,11 +276,14 @@ def step_create_nonce(payer: Keypair, tmpdir: str, timer: Timer) -> tuple[Keypai
 
     resp = mesh_rpc("sendTransaction", [tx_b64, {"encoding": "base64", "preflightCommitment": "confirmed"}])
     if resp is None or "error" in resp:
-        err = resp.get("error", "no response") if resp else "no response"
+        err = rpc_error_message(resp.get("error")) if resp else "no response"
         log_err(f"Nonce create tx rejected: {err}")
         return None, None
 
-    sig = resp.get("result", "?")
+    sig = resp.get("result")
+    if not _is_nonempty_string(sig):
+        log_err(f"Nonce create tx returned an invalid signature: {resp}")
+        return None, None
     log_ok(f"Nonce create tx sent: {sig}")
 
     confirmed = wait_for_confirmation(sig, "nonce create")
@@ -268,13 +316,25 @@ def step_fetch_nonce(nonce_pubkey_str: str, timer: Timer) -> str | None:
 
     try:
         parsed = account["data"]["parsed"]
+        if not isinstance(parsed, dict):
+            raise TypeError("parsed nonce data must be an object")
         if parsed.get("type") != "initialized":
             log_err(f"Nonce not initialized: type={parsed.get('type')}")
             return None
-        nonce_value = parsed["info"]["blockhash"]
+        info = parsed["info"]
+        if not isinstance(info, dict):
+            raise TypeError("nonce info must be an object")
+        nonce_value = info["blockhash"]
+        if not _is_nonempty_string(nonce_value):
+            raise TypeError("nonce blockhash must be a non-empty string")
     except (KeyError, TypeError) as exc:
         log_err(f"Could not parse nonce account: {exc}")
         return None
+    try:
+        Hash.from_string(nonce_value)
+    except ValueError as exc:
+        log_err(f"Invalid nonce blockhash: {exc}")
+        return None
 
     ms = timer.mark("Fetch nonce value", t0)
     log_ok(f"Nonce value: {nonce_value[:16]}...  ({ms:.0f}ms)")
@@ -290,13 +350,23 @@ def step_sign_nonce_transfer(
     timer: Timer,
 ) -> str | None:
     """Build and sign an offline SOL transfer using the durable nonce."""
+    if not _is_u64(lamports) or lamports == 0:
+        log_err("Transfer lamports must be a positive u64 integer")
+        return None
+    if not all(_is_nonempty_string(value) for value in (to_address, nonce_pubkey_str, nonce_value)):
+        log_err("Transfer addresses and nonce value must be non-empty strings")
+        return None
     log_info(f"Signing offline transfer: {lamports:,} lamports → {to_address[:16]}...")
     t0 = time.monotonic()
 
-    payer_pubkey = payer.pubkey()
-    nonce_pubkey = Pubkey.from_string(nonce_pubkey_str)
-    to_pubkey = Pubkey.from_string(to_address)
-    nonce_hash = Hash.from_string(nonce_value)
+    try:
+        payer_pubkey = payer.pubkey()
+        nonce_pubkey = Pubkey.from_string(nonce_pubkey_str)
+        to_pubkey = Pubkey.from_string(to_address)
+        nonce_hash = Hash.from_string(nonce_value)
+    except ValueError as exc:
+        log_err(f"Invalid transfer argument: {exc}")
+        return None
 
     advance_ix = advance_nonce_account(AdvanceNonceAccountParams(
         nonce_pubkey=nonce_pubkey,
@@ -315,7 +385,7 @@ def step_sign_nonce_transfer(
     tx_b64 = base64.b64encode(bytes(tx)).decode("utf-8")
     ms = timer.mark("Sign offline tx (durable nonce)", t0)
     log_ok(f"Signed offline: {len(tx_b64)} chars  ({ms:.0f}ms)")
-    log_info(f"{DIM}This tx never expires — relay it whenever ready{RESET}")
+    log_info("This tx never expires — relay it whenever ready")
     return tx_b64
 
 
@@ -328,13 +398,13 @@ def step_relay_tx(tx_b64: str, timer: Timer) -> str | None:
     if resp is None:
         return None
     if "error" in resp:
-        err = resp["error"]
-        if isinstance(err, dict):
-            err = err.get("message", err)
-        log_err(f"Transaction rejected: {err}")
+        log_err(f"Transaction rejected: {rpc_error_message(resp['error'])}")
         return None
 
-    sig = resp.get("result", "?")
+    sig = resp.get("result")
+    if not _is_nonempty_string(sig):
+        log_err(f"Transaction returned an invalid signature: {resp}")
+        return None
     ms = timer.mark("Relay tx via mesh", t0)
     log_ok(f"Relayed in {ms:.0f}ms: {sig}")
     return sig
@@ -360,22 +430,35 @@ def step_confirm_tx(sig: str, timer: Timer) -> bool:
 
 def wait_for_confirmation(sig: str, label: str, timeout: float = CONFIRM_TIMEOUT) -> bool:
     """Poll getSignatureStatuses until confirmed or timeout."""
+    if not _is_nonempty_string(sig):
+        log_err(f"Cannot confirm {label}: invalid signature")
+        return False
     deadline = time.time() + timeout
     while time.time() < deadline:
         time.sleep(CONFIRM_POLL)
         resp = mesh_rpc("getSignatureStatuses", [[sig]])
         if resp is None:
             continue
+        if "error" in resp:
+            log_warn(f"Could not fetch {label} status: {rpc_error_message(resp['error'])}")
+            continue
         statuses = extract_result(resp)
-        if statuses and isinstance(statuses, list) and statuses[0]:
-            status = statuses[0]
-            conf = status.get("confirmationStatus", "")
-            if conf in ("confirmed", "finalized"):
-                return True
-            err = status.get("err")
-            if err is not None:
-                log_err(f"{label} tx failed on-chain: {err}")
-                return False
+        if not isinstance(statuses, list):
+            log_warn(f"Unexpected getSignatureStatuses response: {resp}")
+            continue
+        if not statuses or statuses[0] is None:
+            continue
+        status = statuses[0]
+        if not isinstance(status, dict):
+            log_warn(f"Unexpected getSignatureStatuses entry: {status}")
+            continue
+        conf = status.get("confirmationStatus", "")
+        if conf in ("confirmed", "finalized"):
+            return True
+        err = status.get("err")
+        if err is not None:
+            log_err(f"{label} tx failed on-chain: {err}")
+            return False
     return False
 
 
@@ -429,13 +512,13 @@ def main():
                         help="Auto-discover beacons via mesh announces")
     parser.add_argument("--config", "-c", default=None,
                         help="Reticulum config dir")
-    parser.add_argument("--timeout", "-t", default=30, type=int,
+    parser.add_argument("--timeout", "-t", default=30, type=positive_int,
                         help="RPC request timeout in seconds")
     parser.add_argument("--recipient", "-r", default=None, metavar="ADDRESS",
                         help="SOL recipient address (default: send to self)")
-    parser.add_argument("--lamports", "-l", default=TRANSFER_LAMPORTS, type=int,
+    parser.add_argument("--lamports", "-l", default=TRANSFER_LAMPORTS, type=_positive_u64,
                         help=f"Lamports to transfer (default: {TRANSFER_LAMPORTS:,})")
-    parser.add_argument("--airdrop", default=AIRDROP_LAMPORTS, type=int,
+    parser.add_argument("--airdrop", default=AIRDROP_LAMPORTS, type=_positive_u64,
                         help=f"Airdrop amount in lamports (default: {AIRDROP_LAMPORTS:,})")
     parser.add_argument("--keypair", "-k", default=None, metavar="PATH",
                         help="Path to pre-funded keypair JSON (skip airdrop)")
@@ -464,9 +547,9 @@ def main():
         print(f"\n  {BOLD}{CYAN}━━━ Step 1: Generate Keypair ━━━{RESET}")
         t0 = time.monotonic()
         if args.keypair:
-            with open(args.keypair, "r") as f:
-                kp_bytes = bytes(json.load(f))
-            payer = Keypair.from_bytes(kp_bytes)
+            payer = step_load_keypair(args.keypair)
+            if payer is None:
+                sys.exit(1)
             wallet_path = args.keypair
             log_ok(f"Loaded keypair: {payer.pubkey()}")
         else:
@@ -484,8 +567,8 @@ def main():
         bal = 0
         resp = mesh_rpc("getBalance", [payer_addr, {"commitment": "confirmed"}])
         if resp and "result" in resp:
-            bal = extract_result(resp)
-            if isinstance(bal, int) and bal > 0:
+            bal = _extract_balance(resp)
+            if bal > 0:
                 log_ok(f"Existing balance: {bal / 1e9:.9f} SOL — skipping airdrop")
 
         if not bal:
@@ -497,8 +580,8 @@ def main():
             for attempt in range(15):
                 resp = mesh_rpc("getBalance", [payer_addr, {"commitment": "confirmed"}])
                 if resp and "result" in resp:
-                    bal = extract_result(resp)
-                    if isinstance(bal, int) and bal > 0:
+                    bal = _extract_balance(resp)
+                    if bal > 0:
                         log_ok(f"Balance: {bal / 1e9:.9f} SOL")
                         break
                 if attempt < 14:
@@ -557,8 +640,9 @@ def main():
         print(f"  Recipient: {BOLD}{recipient}{RESET}")
         print(f"  Nonce:     {BOLD}{nonce_pubkey_str}{RESET}")
         print(f"  Amount:    {BOLD}{args.lamports:,} lamports{RESET}")
-        print(f"  Signature: {BOLD}{GREEN}{relay_sig}{RESET}")
-        print(f"  Explorer:  {DIM}https://explorer.solana.com/tx/{relay_sig}?cluster=devnet{RESET}")
+        safe_sig = terminal_safe_text(relay_sig)
+        print(f"  Signature: {BOLD}{GREEN}{safe_sig}{RESET}")
+        print(f"  Explorer:  {DIM}https://explorer.solana.com/tx/{safe_sig}?cluster=devnet{RESET}")
         print()
 
     state.pool.teardown_all()
diff --git a/scripts/exit_node.py b/scripts/exit_node.py
index 84a281a..39a59de 100644
--- a/scripts/exit_node.py
+++ b/scripts/exit_node.py
@@ -13,9 +13,8 @@
 Usage:
   python scripts/exit_node.py                        # devnet, default config
   python scripts/exit_node.py --network mainnet      # mainnet-beta
-  python scripts/exit_node.py --rpc https://my.node  # custom RPC
+  ANONMESH_RPC_URL=https://my.node python scripts/exit_node.py  # custom RPC
   python scripts/exit_node.py --config /path/to/conf # custom Reticulum config dir
-  python scripts/exit_node.py --port 4343            # TCP listener for relay nodes
 """
 from __future__ import annotations
 
@@ -39,8 +38,10 @@
 
 from shared import (
     APP_NAME, APP_ASPECT, RPC_PATH, ANNOUNCE_DATA,
-    SOLANA_ENDPOINTS, RNS_REQUEST_TIMEOUT,
-    decode_json, build_response, compress_response,
+    SOLANA_ENDPOINTS, RNS_REQUEST_TIMEOUT, MAX_MESH_REQUEST_BYTES, MAX_MESH_RESPONSE_BYTES,
+    ResponseSizeLimitError, decode_json, decode_rpc_response, build_response, compress_response,
+    read_limited_http_body, redact_url, rpc_error_message,
+    positive_int, read_private_file, restrict_private_file_permissions, save_private_identity,
     banner, log_info, log_ok, log_warn, log_err, log_tx,
     BOLD, CYAN, GREEN, RESET, DIM,
 )
@@ -91,6 +92,9 @@ def forward_rpc(raw_request: bytes) -> tuple[bytes, str, float]:
     except Exception as exc:
         return build_response(error=f"Invalid JSON: {exc}"), "?", 0.0
 
+    if not isinstance(req, dict):
+        return build_response(error="Invalid JSON-RPC payload: expected object"), "?", 0.0
+
     method = req.get("method", "?")
     req_id = req.get("id", 1)
 
@@ -107,21 +111,37 @@ def forward_rpc(raw_request: bytes) -> tuple[bytes, str, float]:
             json=req,
             timeout=20,
             headers={"Content-Type": "application/json"},
+            stream=True,
         )
-        http_resp.raise_for_status()
-        result_bytes = http_resp.content
+        try:
+            http_resp.raise_for_status()
+            try:
+                result_bytes = read_limited_http_body(http_resp, MAX_MESH_RESPONSE_BYTES)
+            except ResponseSizeLimitError:
+                log_err(f"[#{count}] ← {method}  response exceeds mesh size limit")
+                return (
+                    build_response(error="Solana RPC response exceeds mesh size limit", req_id=req_id),
+                    method,
+                    (time.monotonic() - t0) * 1000,
+                )
+        finally:
+            http_resp.close()
         rtt_ms = (time.monotonic() - t0) * 1000
 
-        # Log result summary
         try:
-            parsed = http_resp.json()
-            if "result" in parsed:
-                log_ok(f"[#{count}] ← {method}  {len(result_bytes)}B  {rtt_ms:.0f}ms")
-            elif "error" in parsed:
-                err_msg = parsed["error"].get("message", "?")
-                log_warn(f"[#{count}] ← {method}  error: {err_msg}  {rtt_ms:.0f}ms")
-        except Exception:
+            parsed = decode_rpc_response(result_bytes)
+        except (UnicodeDecodeError, json.JSONDecodeError, ValueError):
+            log_err(f"[#{count}] ← {method}  invalid JSON-RPC response  {rtt_ms:.0f}ms")
+            return (
+                build_response(error="Solana RPC returned invalid JSON-RPC response", req_id=req_id),
+                method,
+                rtt_ms,
+            )
+        if "result" in parsed:
             log_ok(f"[#{count}] ← {method}  {len(result_bytes)}B  {rtt_ms:.0f}ms")
+        else:
+            err_msg = rpc_error_message(parsed["error"])
+            log_warn(f"[#{count}] ← {method}  error: {err_msg}  {rtt_ms:.0f}ms")
 
         return result_bytes, method, rtt_ms
 
@@ -131,12 +151,22 @@ def forward_rpc(raw_request: bytes) -> tuple[bytes, str, float]:
         return build_response(error="Solana RPC timeout", req_id=req_id), method, rtt_ms
     except requests.exceptions.ConnectionError as exc:
         rtt_ms = (time.monotonic() - t0) * 1000
-        log_err(f"[#{count}] ← {method}  connection error: {exc}")
-        return build_response(error=f"Connection error: {exc}", req_id=req_id), method, rtt_ms
+        log_err(
+            f"[#{count}] ← {method}  connection error: {type(exc).__name__} "
+            f"contacting {redact_url(rpc_endpoint)}"
+        )
+        return build_response(error="Solana RPC connection error", req_id=req_id), method, rtt_ms
+    except requests.exceptions.RequestException as exc:
+        rtt_ms = (time.monotonic() - t0) * 1000
+        log_err(
+            f"[#{count}] ← {method}  request error: {type(exc).__name__} "
+            f"contacting {redact_url(rpc_endpoint)}"
+        )
+        return build_response(error="Solana RPC request failed", req_id=req_id), method, rtt_ms
     except Exception as exc:
         rtt_ms = (time.monotonic() - t0) * 1000
-        log_err(f"[#{count}] ← {method}  error: {exc}")
-        return build_response(error=str(exc), req_id=req_id), method, rtt_ms
+        log_err(f"[#{count}] ← {method}  forwarding error: {type(exc).__name__}")
+        return build_response(error="Solana RPC forwarding failed", req_id=req_id), method, rtt_ms
 
 
 # ═════════════════════════════════════════════════════════════════════════════
@@ -156,6 +186,8 @@ def rpc_request_handler(path, data, request_id, link_id, remote_identity, reques
     )
     data_bytes = bytes(data)
     log_info(f"Request from {remote}  size={len(data_bytes)}B")
+    if len(data_bytes) > MAX_MESH_REQUEST_BYTES:
+        return build_response(error="Mesh request exceeds size limit")
 
     raw_response, method, rtt_ms = forward_rpc(data_bytes)
     compressed = compress_response(raw_response)
@@ -233,15 +265,19 @@ def setup_exit_node(config_path: str | None, network: str, custom_rpc: str | Non
     global exit_identity, exit_destination, rpc_endpoint, start_time
 
     # ── RPC endpoint ──────────────────────────────────────────────────────────
+    custom_rpc = custom_rpc or os.getenv("ANONMESH_RPC_URL")
     if custom_rpc:
         rpc_endpoint = custom_rpc
-    elif network in SOLANA_ENDPOINTS:
+    elif SOLANA_ENDPOINTS.get(network):
         rpc_endpoint = SOLANA_ENDPOINTS[network]
+    elif network == "custom":
+        log_err("Custom network requires --rpc or ANONMESH_RPC_URL")
+        sys.exit(1)
     else:
         log_err(f"Unknown network: {network}")
         sys.exit(1)
 
-    log_info(f"Solana RPC: {rpc_endpoint}")
+    log_info(f"Solana RPC: {redact_url(rpc_endpoint)}")
 
     # ── Reticulum ─────────────────────────────────────────────────────────────
     RNS.Reticulum(config_path)
@@ -255,13 +291,17 @@ def setup_exit_node(config_path: str | None, network: str, custom_rpc: str | Non
 
     # ── Identity (persisted) ──────────────────────────────────────────────────
     identity_dir = config_path or os.path.expanduser("~/.reticulum")
+    restrict_private_file_permissions(
+        os.path.join(identity_dir, "storage", "transport_identity"))
     identity_path = os.path.join(identity_dir, "anonmesh_exit_identity")
-    if os.path.isfile(identity_path):
-        exit_identity = RNS.Identity.from_file(identity_path)
+    if os.path.lexists(identity_path):
+        exit_identity = RNS.Identity.from_bytes(read_private_file(identity_path))
+        if exit_identity is None:
+            raise OSError("Could not load persisted exit node identity")
         log_info("Loaded persisted exit node identity")
     else:
         exit_identity = RNS.Identity()
-        exit_identity.to_file(identity_path)
+        save_private_identity(exit_identity, identity_path)
         log_ok("Generated new exit node identity (saved)")
 
     # ── Destination ───────────────────────────────────────────────────────────
@@ -288,7 +328,7 @@ def setup_exit_node(config_path: str | None, network: str, custom_rpc: str | Non
     print(f"{BOLD}{CYAN}┌─ EXIT NODE READY ──────────────────────────────────────────┐{RESET}")
     print(f"{BOLD}{CYAN}│{RESET}  Destination hash:  {GREEN}{BOLD}{dest_hash}{RESET}")
     print(f"{BOLD}{CYAN}│{RESET}  Network:           {network}")
-    print(f"{BOLD}{CYAN}│{RESET}  RPC endpoint:      {rpc_endpoint}")
+    print(f"{BOLD}{CYAN}│{RESET}  RPC endpoint:      {redact_url(rpc_endpoint)}")
     print(f"{BOLD}{CYAN}│{RESET}  Config:            {config_path or '~/.reticulum (default)'}")
     print(f"{BOLD}{CYAN}└────────────────────────────────────────────────────────────┘{RESET}")
     print()
@@ -314,8 +354,8 @@ def main():
                         choices=list(SOLANA_ENDPOINTS.keys()),
                         help="Solana network (default: devnet)")
     parser.add_argument("--rpc", default=None,
-                        help="Custom Solana RPC URL (overrides --network)")
-    parser.add_argument("--announce-interval", "-a", default=300, type=int,
+                        help="Custom RPC URL (prefer ANONMESH_RPC_URL for credentials)")
+    parser.add_argument("--announce-interval", "-a", default=300, type=positive_int,
                         metavar="SECONDS", help="Re-announce interval (default: 300s)")
     args = parser.parse_args()
 
diff --git a/scripts/fetch_idl.mjs b/scripts/fetch_idl.mjs
index 5719d6d..b6cdb3b 100644
--- a/scripts/fetch_idl.mjs
+++ b/scripts/fetch_idl.mjs
@@ -1,11 +1,26 @@
 #!/usr/bin/env node
 /**
  * fetch_idl.mjs — fetch and display the on-chain IDL for the ble-revshare program
- * Usage: node fetch_idl.mjs [program_id] [rpc_url]
+ * Usage: ARCIUM_RPC_URL=https://my.node node fetch_idl.mjs [program_id]
  */
 
-const [,, programId = "7xeQNUggKc2e5q6AQxsFBLBkXGg2p54kSx11zVainMks",
-         rpcUrl    = "https://api.devnet.solana.com"] = process.argv;
+const [,, programId = "7xeQNUggKc2e5q6AQxsFBLBkXGg2p54kSx11zVainMks"] = process.argv;
+if (process.argv[3]) {
+    console.error("Pass custom RPC via ARCIUM_RPC_URL so credentials stay out of process arguments");
+    process.exit(1);
+}
+const rpcUrl = process.env.ARCIUM_RPC_URL || "https://api.devnet.solana.com";
+
+function redactUrl(raw) {
+    try {
+        const url = new URL(raw);
+        const sensitive = url.username || url.password || url.pathname !== "/"
+            || url.search || url.hash;
+        return `${url.protocol}//${url.host}${sensitive ? "/..." : ""}`;
+    } catch {
+        return "<redacted-rpc-url>";
+    }
+}
 
 const { Connection, PublicKey } = await import("@solana/web3.js");
 const anchor = await import("@coral-xyz/anchor");
@@ -34,5 +49,6 @@ try {
     console.log("\n=== Full IDL (JSON) ===");
     console.log(JSON.stringify(idl, null, 2));
 } catch (e) {
-    console.error("Error:", e.message);
+    console.error("Error:", String(e.message).replaceAll(rpcUrl, redactUrl(rpcUrl)));
+    process.exitCode = 1;
 }
diff --git a/scripts/get_whitelists.js b/scripts/get_whitelists.mjs
similarity index 92%
rename from scripts/get_whitelists.js
rename to scripts/get_whitelists.mjs
index 9a53a70..df549fe 100644
--- a/scripts/get_whitelists.js
+++ b/scripts/get_whitelists.mjs
@@ -1,6 +1,6 @@
 import { Connection, PublicKey } from "@solana/web3.js";
 
-const prog = new PublicKey("7fvHNYVuZP6EYt68GLUa4kU8f8dCBSaGafL9aDhhtMZN");
+const prog = new PublicKey("7xeQNUggKc2e5q6AQxsFBLBkXGg2p54kSx11zVainMks");
 
 async function check(url, name) {
     const c = new Connection(url);
diff --git a/scripts/headless-node.sh b/scripts/headless-node.sh
new file mode 100755
index 0000000..e761c01
--- /dev/null
+++ b/scripts/headless-node.sh
@@ -0,0 +1,155 @@
+#!/usr/bin/env bash
+set -euo pipefail
+umask 077
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+PYTHON_BIN="${ANONMESH_PYTHON:-$PROJECT_ROOT/venv/bin/python}"
+STATE_DIR="${ANONMESH_STATE_DIR:-${XDG_STATE_HOME:-$HOME/.local/state}/anonmesh}"
+PID_FILE="$STATE_DIR/headless-node.pid"
+LOG_FILE="$STATE_DIR/headless-node.log"
+CONFIG_DIR="${ANONMESH_CONFIG_DIR:-$HOME/.reticulum}"
+NETWORK="${ANONMESH_NETWORK:-devnet}"
+
+ensure_state_dir() {
+  if [[ -L "$STATE_DIR" ]]; then
+    echo "refusing unsafe headless-node state path: $STATE_DIR" >&2
+    exit 1
+  fi
+  mkdir -p "$STATE_DIR"
+  if [[ ! -d "$STATE_DIR" || -L "$STATE_DIR" ]]; then
+    echo "refusing unsafe headless-node state path: $STATE_DIR" >&2
+    exit 1
+  fi
+  chmod 700 "$STATE_DIR"
+  for state_file in "$PID_FILE" "$LOG_FILE"; do
+    if [[ -e "$state_file" || -L "$state_file" ]]; then
+      if [[ ! -f "$state_file" || -L "$state_file" ]]; then
+        echo "refusing unsafe headless-node state file: $state_file" >&2
+        exit 1
+      fi
+      chmod 600 "$state_file"
+    fi
+  done
+}
+
+ensure_state_dir
+
+if [[ ! -x "$PYTHON_BIN" ]]; then
+  PYTHON_BIN="${ANONMESH_PYTHON:-python3}"
+fi
+
+node_args=(--config "$CONFIG_DIR" --network "$NETWORK")
+preflight_args=(--config "$CONFIG_DIR" --network "$NETWORK")
+
+read_pid() {
+  [[ -f "$PID_FILE" ]] || return 1
+  local pid
+  pid="$(cat "$PID_FILE")"
+  [[ "$pid" =~ ^[0-9]+$ ]] || return 1
+  printf '%s\n' "$pid"
+}
+
+is_running() {
+  local pid command_line
+  pid="$(read_pid)" || return 1
+  kill -0 "$pid" 2>/dev/null || return 1
+  command_line="$(ps -ww -p "$pid" -o args= 2>/dev/null)" || return 1
+  [[ "$command_line" == *"$SCRIPT_DIR/exit_node.py"* ]]
+}
+
+clear_stale_pid() {
+  if [[ -f "$PID_FILE" ]] && ! is_running; then
+    rm -f "$PID_FILE"
+  fi
+}
+
+start() {
+  clear_stale_pid
+  if is_running; then
+    echo "headless node already running (pid $(cat "$PID_FILE"))"
+    return 0
+  fi
+
+  "$PYTHON_BIN" "$SCRIPT_DIR/preflight.py" "${preflight_args[@]}"
+  nohup "$PYTHON_BIN" "$SCRIPT_DIR/exit_node.py" "${node_args[@]}" "$@" >> "$LOG_FILE" 2>&1 &
+  echo "$!" > "$PID_FILE"
+  sleep 1
+
+  if ! is_running; then
+    rm -f "$PID_FILE"
+    echo "headless node failed to start; inspect $LOG_FILE" >&2
+    return 1
+  fi
+
+  echo "headless node started (pid $(cat "$PID_FILE"))"
+  echo "logs: $0 logs"
+}
+
+status() {
+  clear_stale_pid
+  if is_running; then
+    echo "headless node running (pid $(cat "$PID_FILE"))"
+    echo "logs: $LOG_FILE"
+    return 0
+  fi
+
+  echo "headless node stopped"
+  return 1
+}
+
+stop() {
+  if ! is_running; then
+    clear_stale_pid
+    echo "headless node already stopped"
+    return 0
+  fi
+
+  pid="$(cat "$PID_FILE")"
+  kill "$pid"
+  for _ in {1..20}; do
+    if ! kill -0 "$pid" 2>/dev/null; then
+      rm -f "$PID_FILE"
+      echo "headless node stopped"
+      return 0
+    fi
+    sleep 0.1
+  done
+
+  echo "headless node did not stop within 2s (pid $pid)" >&2
+  return 1
+}
+
+logs() {
+  touch "$LOG_FILE"
+  chmod 600 "$LOG_FILE"
+  tail -n 100 -f "$LOG_FILE"
+}
+
+run() {
+  "$PYTHON_BIN" "$SCRIPT_DIR/preflight.py" "${preflight_args[@]}"
+  exec "$PYTHON_BIN" "$SCRIPT_DIR/exit_node.py" "${node_args[@]}" "$@"
+}
+
+usage() {
+  cat <<EOF
+Usage: $0 {preflight|run|start|status|logs|stop}
+
+Environment:
+  ANONMESH_CONFIG_DIR   Reticulum config directory (default: ~/.reticulum)
+  ANONMESH_NETWORK      devnet, testnet, mainnet, or custom (default: devnet)
+  ANONMESH_RPC_URL      Optional custom Solana RPC URL
+  ANONMESH_PYTHON       Python executable (default: ./venv/bin/python)
+  ANONMESH_STATE_DIR    PID and log directory (default: ~/.local/state/anonmesh)
+EOF
+}
+
+case "${1:-}" in
+  preflight) shift; exec "$PYTHON_BIN" "$SCRIPT_DIR/preflight.py" "${preflight_args[@]}" "$@" ;;
+  run)       shift; run "$@" ;;
+  start)     shift; start "$@" ;;
+  status)    status ;;
+  logs)      logs ;;
+  stop)      stop ;;
+  *)         usage; exit 1 ;;
+esac
diff --git a/scripts/init_comp_def_once.mjs b/scripts/init_comp_def_once.mjs
index 7d70216..38f58a7 100644
--- a/scripts/init_comp_def_once.mjs
+++ b/scripts/init_comp_def_once.mjs
@@ -1,11 +1,22 @@
 #!/usr/bin/env node
 import * as anchor from "@coral-xyz/anchor";
 import { PublicKey, Keypair, Transaction, TransactionInstruction, SystemProgram } from "@solana/web3.js";
-import { readFileSync } from "node:fs";
+import { readPrivateTextFileSync } from "./private_file.mjs";
 
 const PROGRAM_ID = new PublicKey("7xeQNUggKc2e5q6AQxsFBLBkXGg2p54kSx11zVainMks");
 const ARCIUM_PROGRAM_ID = new PublicKey("Arcj82pX7HxYKLR92qvgZUAd7vGS1k4hQvAFcPATFdEQ");
 const INIT_PAYMENT_STATS_COMP_DEF_IX = Buffer.from([96, 78, 230, 203, 169, 42, 127, 99]);
+const MAX_RENDERED_LOG_LINES = 100;
+const MAX_RENDERED_LOG_LENGTH = 4096;
+
+function terminalSafeText(value) {
+  const text = String(value).replace(/[\x00-\x1f\x7f-\x9f]/g, char =>
+    `\\x${char.charCodeAt(0).toString(16).padStart(2, "0")}`
+  );
+  return text.length > MAX_RENDERED_LOG_LENGTH
+    ? `${text.slice(0, MAX_RENDERED_LOG_LENGTH)}... [truncated]`
+    : text;
+}
 
 const keyPath = process.env.ARCIUM_PAYER_KEYPAIR || process.env.ANCHOR_WALLET;
 if (!keyPath) {
@@ -13,7 +24,7 @@ if (!keyPath) {
   process.exit(1);
 }
 
-const secret = Uint8Array.from(JSON.parse(readFileSync(keyPath, "utf8")));
+const secret = Uint8Array.from(JSON.parse(readPrivateTextFileSync(keyPath)));
 const wallet = new anchor.Wallet(Keypair.fromSecretKey(secret));
 const rpcUrl = process.env.ARCIUM_RPC_URL || "https://api.devnet.solana.com";
 const connection = new anchor.web3.Connection(rpcUrl, "confirmed");
@@ -23,8 +34,12 @@ const mxeAccount = arcium.getMXEAccAddress(PROGRAM_ID);
 const compDefOffsetBuf = arcium.getCompDefAccOffset("payment_stats");
 const compDefOffset = Buffer.from(compDefOffsetBuf).readUInt32LE(0);
 const compDefAccount = arcium.getCompDefAccAddress(PROGRAM_ID, compDefOffset);
-const clusterOffsetRaw = Number.parseInt(process.env.ARCIUM_CLUSTER_OFFSET ?? "456", 10);
-const clusterOffset = Number.isNaN(clusterOffsetRaw) ? 456 : clusterOffsetRaw;
+const clusterOffsetText = process.env.ARCIUM_CLUSTER_OFFSET ?? "456";
+if (!/^\d+$/.test(clusterOffsetText) || Number(clusterOffsetText) > 0xFFFFFFFF) {
+  console.error("ARCIUM_CLUSTER_OFFSET must be an unsigned 32-bit integer");
+  process.exit(1);
+}
+const clusterOffset = Number(clusterOffsetText);
 const mempoolAccount = arcium.getMempoolAccAddress(clusterOffset);
 const executingPool = arcium.getExecutingPoolAccAddress(clusterOffset);
 const clusterAccount = arcium.getClusterAccAddress(clusterOffset);
@@ -36,7 +51,13 @@ console.log("clusterOffset:", clusterOffset);
 console.log("mxeAccount:", mxeAccount.toBase58());
 console.log("compDefAccount:", compDefAccount.toBase58());
 
-const existing = await connection.getAccountInfo(compDefAccount, "confirmed");
+let existing;
+try {
+  existing = await connection.getAccountInfo(compDefAccount, "confirmed");
+} catch {
+  console.error("Unable to query compDefAccount: RPC request failed");
+  process.exit(1);
+}
 if (existing) {
   console.log("compDefAccount already initialized; nothing to do.");
   process.exit(0);
@@ -73,7 +94,13 @@ try {
   const logs = err?.transactionLogs || err?.logs;
   if (Array.isArray(logs)) {
     console.error("Simulation logs:");
-    for (const line of logs) console.error("  ", line);
+    for (const line of logs.slice(0, MAX_RENDERED_LOG_LINES)) {
+      console.error("  ", terminalSafeText(line));
+    }
+    if (logs.length > MAX_RENDERED_LOG_LINES) {
+      console.error(`  ... ${logs.length - MAX_RENDERED_LOG_LINES} more lines omitted`);
+    }
   }
-  throw err;
+  console.error("init_payment_stats_comp_def failed:", err?.name || "request failed");
+  process.exitCode = 1;
 }
diff --git a/scripts/preflight.py b/scripts/preflight.py
new file mode 100755
index 0000000..23e7f34
--- /dev/null
+++ b/scripts/preflight.py
@@ -0,0 +1,206 @@
+#!/usr/bin/env python3
+"""Validate the supported desktop headless-node path before launch."""
+from __future__ import annotations
+
+import argparse
+from collections.abc import Mapping
+import importlib
+import json
+import os
+from pathlib import Path
+import sys
+
+PROJECT_ROOT = Path(__file__).resolve().parent.parent
+sys.path.insert(0, str(PROJECT_ROOT))
+
+from shared import ResponseSizeLimitError, SOLANA_ENDPOINTS, read_limited_http_body, redact_url, terminal_safe_text
+
+
+MAX_PREFLIGHT_RPC_RESPONSE_BYTES = 64 * 1024
+
+
+class Checks:
+    def __init__(self) -> None:
+        self.failures = 0
+
+    def ok(self, message: str) -> None:
+        print(f"[ok]   {terminal_safe_text(message)}")
+
+    def warn(self, message: str) -> None:
+        print(f"[warn] {terminal_safe_text(message)}")
+
+    def fail(self, message: str) -> None:
+        self.failures += 1
+        print(f"[fail] {terminal_safe_text(message)}")
+
+
+def config_file(config_dir: str | None) -> Path:
+    return Path(config_dir or "~/.reticulum").expanduser() / "config"
+
+
+def check_python(checks: Checks) -> None:
+    version = sys.version_info
+    label = f"Python {version.major}.{version.minor}.{version.micro}"
+    if version >= (3, 10):
+        checks.ok(label)
+    else:
+        checks.fail(f"{label}; Python 3.10+ is required")
+
+
+def check_module(checks: Checks, module: str, label: str) -> None:
+    try:
+        importlib.import_module(module)
+    except ImportError as exc:
+        checks.fail(f"{label} import failed: {exc}")
+    else:
+        checks.ok(f"{label} import")
+
+
+def read_config(checks: Checks, path: Path) -> Mapping[str, object] | None:
+    if not path.is_file():
+        checks.fail(f"Reticulum config not found: {path}")
+        return None
+
+    try:
+        from RNS.vendor.configobj import ConfigObj, ConfigObjError
+    except ImportError as exc:
+        checks.fail(f"Reticulum config parser import failed: {exc}")
+        return None
+    try:
+        config = ConfigObj(str(path))
+    except (ConfigObjError, OSError) as exc:
+        checks.fail(f"Reticulum config could not be parsed: {path} ({exc})")
+        return None
+
+    missing = [
+        section for section in ("[reticulum]", "[interfaces]")
+        if section[1:-1] not in config
+    ]
+    if missing:
+        checks.fail(f"Reticulum config missing sections: {', '.join(missing)}")
+        return None
+
+    checks.ok(f"Reticulum config: {path}")
+    return config
+
+
+def interface_enabled(config: Mapping[str, object]) -> bool:
+    value = config.get("interface_enabled", config.get("enabled", "no"))
+    return str(value).lower() in {"1", "true", "yes", "on"}
+
+
+def configured_interfaces(config: Mapping[str, object] | None) -> list[Mapping[str, object]]:
+    if config is None:
+        return []
+    interfaces = config.get("interfaces", {})
+    if not isinstance(interfaces, Mapping):
+        return []
+    return [
+        section for section in interfaces.values()
+        if isinstance(section, Mapping) and interface_enabled(section)
+    ]
+
+
+def check_optional_transports(
+    checks: Checks,
+    config: Mapping[str, object] | None,
+    args: argparse.Namespace,
+) -> None:
+    interfaces = configured_interfaces(config)
+    rnodes = [section for section in interfaces if section.get("type") == "RNodeInterface"]
+    has_ble = any(section.get("type") == "BLEInterface" for section in interfaces)
+    has_meshtastic = any("Meshtastic" in str(section.get("type", "")) for section in interfaces)
+
+    if args.ble or has_ble:
+        checks.fail(
+            "desktop BLE is experimental: installing bleak does not provide "
+            "a supported Reticulum BLEInterface"
+        )
+
+    if args.rnode and not rnodes:
+        checks.fail("RNode requested but no enabled RNodeInterface exists in the Reticulum config")
+
+    for rnode in rnodes:
+        port = str(rnode.get("port", "")).strip()
+        if not port:
+            checks.fail("RNodeInterface exists but no serial port is configured")
+        else:
+            if Path(port).exists():
+                checks.ok(f"RNode serial port: {port}")
+            else:
+                checks.fail(f"RNode serial port not found: {port}")
+
+    if args.meshtastic or has_meshtastic:
+        check_module(checks, "meshtastic", "Meshtastic")
+
+
+def check_rpc(checks: Checks, rpc_url: str) -> None:
+    display_url = redact_url(rpc_url)
+    try:
+        import requests
+
+        response = requests.post(
+            rpc_url,
+            json={"jsonrpc": "2.0", "id": 1, "method": "getHealth"},
+            timeout=8,
+            stream=True,
+        )
+        try:
+            response.raise_for_status()
+            raw_body = read_limited_http_body(response, MAX_PREFLIGHT_RPC_RESPONSE_BYTES)
+        finally:
+            response.close()
+    except ResponseSizeLimitError:
+        checks.fail("Solana RPC getHealth response exceeds size limit")
+        return
+    except Exception as exc:
+        checks.fail(f"Solana RPC unreachable: {display_url} ({type(exc).__name__})")
+        return
+    try:
+        body = json.loads(raw_body)
+    except (UnicodeDecodeError, json.JSONDecodeError):
+        checks.fail("Solana RPC returned invalid JSON for getHealth")
+        return
+    if not isinstance(body, Mapping) or body.get("result") != "ok":
+        checks.fail(f"Solana RPC returned unexpected getHealth response: {body}")
+        return
+    checks.ok(f"Solana RPC reachable: {display_url}")
+
+
+def parse_args() -> argparse.Namespace:
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument("--config", "-c", default=None, help="Reticulum config directory")
+    parser.add_argument("--network", "-n", choices=sorted(SOLANA_ENDPOINTS), default="devnet")
+    parser.add_argument("--rpc", default=None, help="Custom RPC URL (prefer ANONMESH_RPC_URL for credentials)")
+    parser.add_argument("--skip-rpc", action="store_true", help="Skip the Solana RPC reachability check")
+    parser.add_argument("--ble", action="store_true", help="Check the experimental desktop BLE path")
+    parser.add_argument("--rnode", action="store_true", help="Require an RNodeInterface in the config")
+    parser.add_argument("--meshtastic", action="store_true", help="Require the Meshtastic Python package")
+    return parser.parse_args()
+
+
+def main() -> int:
+    args = parse_args()
+    checks = Checks()
+
+    check_python(checks)
+    check_module(checks, "RNS", "Reticulum")
+    check_module(checks, "requests", "requests")
+    config = read_config(checks, config_file(args.config))
+    check_optional_transports(checks, config, args)
+    if not args.skip_rpc:
+        rpc_url = args.rpc or os.getenv("ANONMESH_RPC_URL") or SOLANA_ENDPOINTS[args.network]
+        if rpc_url:
+            check_rpc(checks, rpc_url)
+        else:
+            checks.fail("Custom network requires --rpc or ANONMESH_RPC_URL")
+
+    if checks.failures:
+        print(f"\npreflight failed: {checks.failures} check(s)")
+        return 1
+    print("\npreflight passed")
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())
diff --git a/scripts/private_file.mjs b/scripts/private_file.mjs
new file mode 100644
index 0000000..ec2672c
--- /dev/null
+++ b/scripts/private_file.mjs
@@ -0,0 +1,42 @@
+import {
+    closeSync,
+    constants,
+    fchmodSync,
+    fstatSync,
+    lstatSync,
+    openSync,
+    readSync,
+} from "node:fs";
+
+const MAX_PRIVATE_FILE_BYTES = 1024 * 1024;
+
+export function readPrivateTextFileSync(path, maxBytes = MAX_PRIVATE_FILE_BYTES) {
+    const initial = lstatSync(path);
+    if (initial.isSymbolicLink() || !initial.isFile()) {
+        throw new Error("Refusing unsafe private file");
+    }
+
+    const flags = constants.O_RDONLY | (constants.O_NOFOLLOW ?? 0) | (constants.O_NONBLOCK ?? 0);
+    const fd = openSync(path, flags);
+    try {
+        if (!fstatSync(fd).isFile()) {
+            throw new Error("Refusing unsafe private file");
+        }
+        fchmodSync(fd, 0o600);
+        const chunks = [];
+        let total = 0;
+        while (true) {
+            const chunk = Buffer.alloc(Math.min(64 * 1024, maxBytes + 1 - total));
+            const count = readSync(fd, chunk, 0, chunk.length, null);
+            if (count === 0) break;
+            total += count;
+            if (total > maxBytes) {
+                throw new Error("Private file exceeds size limit");
+            }
+            chunks.push(chunk.subarray(0, count));
+        }
+        return new TextDecoder("utf-8", { fatal: true }).decode(Buffer.concat(chunks));
+    } finally {
+        closeSync(fd);
+    }
+}
diff --git a/scripts/test.sh b/scripts/test.sh
new file mode 100755
index 0000000..1fea584
--- /dev/null
+++ b/scripts/test.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+VENV_DIR="${ANONMESH_TEST_VENV:-$PROJECT_ROOT/.venv-test}"
+
+if [[ ! -x "$VENV_DIR/bin/python" ]]; then
+  python3 -m venv "$VENV_DIR"
+fi
+
+"$VENV_DIR/bin/python" -m pip install --quiet -r "$PROJECT_ROOT/requirements-dev.txt"
+exec "$VENV_DIR/bin/python" -m pytest "$@"
diff --git a/setup.sh b/setup.sh
index 7e5d6ca..1fa051c 100755
--- a/setup.sh
+++ b/setup.sh
@@ -6,7 +6,7 @@
 #  Sets up everything needed to run beacon.py and client.py:
 #    · Python venv + all dependencies
 #    · Reticulum config with working public hubs
-#    · Meshtastic interface file (optional)
+#    · Meshtastic research dependency (optional; interface module supplied separately)
 #    · Launcher scripts  (run_beacon.sh / run_client.sh)
 #    · systemd service   (optional, beacon only)
 #
@@ -16,10 +16,11 @@
 #    ./setup.sh --beacon     # beacon-only, non-interactive
 #    ./setup.sh --client     # client-only, non-interactive
 #    ./setup.sh --both       # both, non-interactive
-#    ./setup.sh --systemd    # also install beacon as systemd service
+#    ./setup.sh --beacon --systemd  # also install beacon as systemd service
 # ─────────────────────────────────────────────────────────────────────────────
 
 set -euo pipefail
+umask 077
 
 # ── Colours ───────────────────────────────────────────────────────────────────
 R="\033[0m"; BOLD="\033[1m"; DIM="\033[2m"
@@ -42,6 +43,62 @@ ${R}${DIM}              a n o n m e s h  ·  Mesh First, Chain When It Matters${
 ${BOLD}                              Setup Script  ·  Powered by Reticulum${R}
 "; }
 
+refuse_unsafe_output_path() {
+  local destination="$1"
+  if [[ -L "$destination" || ( -e "$destination" && ! -f "$destination" ) ]]; then
+    log_err "Refusing unsafe output path: $destination"
+    return 1
+  fi
+}
+
+atomic_private_write() {
+  local destination="$1"
+  local mode="$2"
+  local directory base temp
+  refuse_unsafe_output_path "$destination"
+  directory="$(dirname "$destination")"
+  base="$(basename "$destination")"
+  temp="$(mktemp "$directory/.${base}.tmp.XXXXXX")"
+  if ! cat > "$temp" || ! chmod "$mode" "$temp" || ! mv -f "$temp" "$destination"; then
+    rm -f "$temp"
+    return 1
+  fi
+}
+
+atomic_private_append() {
+  local destination="$1"
+  local mode="$2"
+  local directory base temp
+  refuse_unsafe_output_path "$destination"
+  if [[ ! -f "$destination" ]]; then
+    log_err "Cannot append to missing file: $destination"
+    return 1
+  fi
+  directory="$(dirname "$destination")"
+  base="$(basename "$destination")"
+  temp="$(mktemp "$directory/.${base}.tmp.XXXXXX")"
+  if ! cat "$destination" > "$temp" || ! cat >> "$temp" \
+      || ! chmod "$mode" "$temp" || ! mv -f "$temp" "$destination"; then
+    rm -f "$temp"
+    return 1
+  fi
+}
+
+systemd_escape_path() {
+  local value="$1"
+  if [[ "$value" =~ [[:cntrl:]] || "$value" == *\\* || "$value" == *\"* ]]; then
+    log_err "Cannot write systemd service for path containing control characters, quotes, or backslashes"
+    return 1
+  fi
+  value="${value// /\\x20}"
+  value="${value//%/%%}"
+  printf '%s' "$value"
+}
+
+config_value_is_safe() {
+  [[ ! "$1" =~ [[:cntrl:]] ]]
+}
+
 # ── Defaults ──────────────────────────────────────────────────────────────────
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 VENV_DIR="$SCRIPT_DIR/venv"
@@ -88,7 +145,13 @@ for arg in "$@"; do
     --wallet-setup) SETUP_WALLET=true ;;
     --help|-h)
       echo "Usage: $0 [--beacon] [--client] [--both] [--systemd] [--ble] [--rnode] [--meshtastic] [--mainnet|--devnet] [--wallet-setup]"
+      echo "For unattended --rnode setup, set ANONMESH_RNODE_PORT and ANONMESH_RNODE_REGION=us|eu."
+      echo "--systemd requires --beacon or --both; --wallet-setup requires --client or --both."
       exit 0 ;;
+    *)
+      log_err "Unknown option: $arg"
+      echo "Run $0 --help for usage."
+      exit 1 ;;
   esac
 done
 
@@ -116,7 +179,7 @@ if [[ "$NONINTERACTIVE" == false ]]; then
   [[ "$net_choice" == "2" ]] && SOLANA_NETWORK="mainnet"
 
   echo ""
-  read -rp "Install BLE (Bluetooth) support? [y/N]: " ble_choice
+  read -rp "Install experimental desktop BLE research deps? [y/N]: " ble_choice
   [[ "$ble_choice" =~ ^[Yy]$ ]] && INSTALL_BLE=true
 
   echo ""
@@ -140,11 +203,21 @@ if [[ "$NONINTERACTIVE" == false ]]; then
   fi
 fi
 
+if [[ "$INSTALL_SYSTEMD" == true && "$INSTALL_BEACON" != true ]]; then
+  log_err "--systemd requires --beacon or --both"
+  exit 1
+fi
+
+if [[ "$SETUP_WALLET" == true && "$INSTALL_CLIENT" != true ]]; then
+  log_err "--wallet-setup requires --client or --both"
+  exit 1
+fi
+
 log_ok "Configuration:"
 log_info "  Beacon:     $INSTALL_BEACON"
 log_info "  Client:     $INSTALL_CLIENT"
 log_info "  Network:    $SOLANA_NETWORK"
-log_info "  BLE:        $INSTALL_BLE"
+log_info "  BLE deps:   $INSTALL_BLE (experimental; no desktop relay configured)"
 log_info "  RNode LoRa: $INSTALL_RNODE"
 log_info "  Meshtastic: $INSTALL_MESHTASTIC"
 log_info "  systemd:    $INSTALL_SYSTEMD"
@@ -173,7 +246,7 @@ if [[ "$OS_TYPE" == "macos" ]]; then
   fi
 
   if [[ "$INSTALL_BLE" == true ]]; then
-    log_info "BLE: macOS has native CoreBluetooth — no extra system deps needed."
+    log_info "BLE research deps: macOS has native CoreBluetooth."
   fi
 else
   # Linux — use apt-get
@@ -191,7 +264,7 @@ else
   fi
 
   if [[ "$INSTALL_BLE" == true ]]; then
-    log_info "Installing BLE system deps..."
+    log_info "Installing experimental BLE research system deps..."
     sudo apt-get install -y -qq bluetooth bluez libbluetooth-dev || true
   fi
 fi
@@ -251,6 +324,7 @@ python -c "import LXMF" && log_ok "LXMF import OK" || log_warn "LXMF import fail
 
 if [[ "$INSTALL_BLE" == true ]]; then
   python -c "import bleak" && log_ok "bleak import OK" || log_warn "bleak import failed"
+  log_warn "Desktop BLE relay is experimental; bleak alone does not configure a working Reticulum interface"
 fi
 
 if [[ "$INSTALL_CLIENT" == true ]]; then
@@ -284,19 +358,18 @@ fi
 log_step "Reticulum config"
 
 mkdir -p "$RNS_CONFIG_DIR" "$INTERFACES_DIR"
+chmod 700 "$RNS_CONFIG_DIR" "$INTERFACES_DIR"
 
 BACKUP_DONE=false
+refuse_unsafe_output_path "$RNS_CONFIG_FILE"
 if [[ -f "$RNS_CONFIG_FILE" ]]; then
   BACKUP="$RNS_CONFIG_FILE.bak.$(date +%Y%m%d_%H%M%S)"
-  cp "$RNS_CONFIG_FILE" "$BACKUP"
+  atomic_private_write "$BACKUP" 600 < "$RNS_CONFIG_FILE"
   log_info "Backed up existing config → $BACKUP"
   BACKUP_DONE=true
 fi
 
-BLE_ENABLED="no"
-[[ "$INSTALL_BLE" == true ]] && BLE_ENABLED="yes"
-
-cat > "$RNS_CONFIG_FILE" << RNSCFG
+atomic_private_write "$RNS_CONFIG_FILE" 600 << RNSCFG
 [reticulum]
   enable_transport         = True
   share_instance           = Yes
@@ -325,32 +398,27 @@ cat > "$RNS_CONFIG_FILE" << RNSCFG
     target_host = dfw.us.g00n.cloud
     target_port = 6969
 
-  [[RNS Testnet BetweenTheBorders]]
-    type        = TCPClientInterface
-    enabled     = yes
-    target_host = reticulum.betweentheborders.com
-    target_port = 4242
 RNSCFG
 
 log_ok "Reticulum config written → $RNS_CONFIG_FILE"
 
 # ── Validate config ────────────────────────────────────────────────────────────
-python -c "
-import sys, re
-cfg = open('$RNS_CONFIG_FILE').read()
+ANONMESH_RNS_CONFIG_FILE="$RNS_CONFIG_FILE" python -c '
+import os, sys, re
+cfg = open(os.environ["ANONMESH_RNS_CONFIG_FILE"]).read()
 lines = cfg.splitlines()
-has_reticulum = any(l.strip() == '[reticulum]' for l in lines)
-has_interfaces = any(l.strip() == '[interfaces]' for l in lines)
+has_reticulum = any(l.strip() == "[reticulum]" for l in lines)
+has_interfaces = any(l.strip() == "[interfaces]" for l in lines)
 errors = []
 if not has_reticulum:
-    errors.append('Missing [reticulum] section')
+    errors.append("Missing [reticulum] section")
 if not has_interfaces:
-    errors.append('Missing [interfaces] section')
+    errors.append("Missing [interfaces] section")
 if errors:
-    for e in errors: print('ERROR:', e)
+    for e in errors: print("ERROR:", e)
     sys.exit(1)
-print('Config syntax looks OK')
-" && log_ok "Config validated" || { log_err "Config validation failed — check $RNS_CONFIG_FILE"; exit 1; }
+print("Config syntax looks OK")
+' && log_ok "Config validated" || { log_err "Config validation failed — check $RNS_CONFIG_FILE"; exit 1; }
 
 # ═════════════════════════════════════════════════════════════════════════════
 # STEP 4b — RNode LoRa interface (Heltec V3)
@@ -359,7 +427,7 @@ if [[ "$INSTALL_RNODE" == true ]]; then
   log_step "RNode LoRa interface (Heltec V3)"
 
   # ── Detect serial device ──────────────────────────────────────────────────
-  RNODE_PORT=""
+  RNODE_PORT="${ANONMESH_RNODE_PORT:-}"
   SERIAL_DEVICES=()
 
   if [[ "$OS_TYPE" == "macos" ]]; then
@@ -372,7 +440,14 @@ if [[ "$INSTALL_RNODE" == true ]]; then
     done < <(ls /dev/ttyUSB* /dev/ttyACM* 2>/dev/null || true)
   fi
 
-  if [[ ${#SERIAL_DEVICES[@]} -eq 0 ]]; then
+  if [[ -n "$RNODE_PORT" ]] && ! config_value_is_safe "$RNODE_PORT"; then
+    log_warn "Skipping RNode setup — serial port contains control characters."
+    RNODE_PORT=""
+  fi
+
+  if [[ -n "$RNODE_PORT" ]]; then
+    log_info "Using RNode serial device from ANONMESH_RNODE_PORT: $RNODE_PORT"
+  elif [[ ${#SERIAL_DEVICES[@]} -eq 0 ]]; then
     log_warn "No serial devices found."
     log_info "  Plug in the Heltec V3 and check:"
     if [[ "$OS_TYPE" == "macos" ]]; then
@@ -380,10 +455,14 @@ if [[ "$INSTALL_RNODE" == true ]]; then
     else
       log_info "    ls /dev/ttyUSB*"
     fi
-    echo ""
-    read -rp "  Enter serial port manually (or press Enter to skip): " manual_port
-    if [[ -n "$manual_port" ]]; then
-      RNODE_PORT="$manual_port"
+    if [[ "$NONINTERACTIVE" == true ]]; then
+      log_info "  Set ANONMESH_RNODE_PORT and ANONMESH_RNODE_REGION=us|eu for unattended setup."
+    else
+      echo ""
+      read -rp "  Enter serial port manually (or press Enter to skip): " manual_port
+      if [[ -n "$manual_port" ]]; then
+        RNODE_PORT="$manual_port"
+      fi
     fi
   elif [[ ${#SERIAL_DEVICES[@]} -eq 1 ]]; then
     RNODE_PORT="${SERIAL_DEVICES[0]}"
@@ -393,36 +472,59 @@ if [[ "$INSTALL_RNODE" == true ]]; then
     for i in "${!SERIAL_DEVICES[@]}"; do
       echo "  $((i+1))) ${SERIAL_DEVICES[$i]}"
     done
-    read -rp "  Select device [1-${#SERIAL_DEVICES[@]}]: " dev_choice
-    if [[ "$dev_choice" =~ ^[0-9]+$ ]] && (( dev_choice >= 1 && dev_choice <= ${#SERIAL_DEVICES[@]} )); then
-      RNODE_PORT="${SERIAL_DEVICES[$((dev_choice-1))]}"
+    if [[ "$NONINTERACTIVE" == true ]]; then
+      log_warn "Skipping RNode setup — set ANONMESH_RNODE_PORT to select one device."
     else
-      log_warn "Invalid choice — skipping RNode setup"
+      read -rp "  Select device [1-${#SERIAL_DEVICES[@]}]: " dev_choice
+      if [[ "$dev_choice" =~ ^[0-9]+$ ]] && (( dev_choice >= 1 && dev_choice <= ${#SERIAL_DEVICES[@]} )); then
+        RNODE_PORT="${SERIAL_DEVICES[$((dev_choice-1))]}"
+      else
+        log_warn "Invalid choice — skipping RNode setup"
+      fi
     fi
   fi
 
+  if [[ -n "$RNODE_PORT" ]] && ! config_value_is_safe "$RNODE_PORT"; then
+    log_warn "Skipping RNode setup — serial port contains control characters."
+    RNODE_PORT=""
+  fi
+
   if [[ -n "$RNODE_PORT" ]]; then
     # ── Frequency region ──────────────────────────────────────────────────
-    echo ""
-    echo -e "${BOLD}LoRa frequency region:${R}"
-    echo "  1) EU 868 MHz  (Europe, Africa, Middle East)"
-    echo "  2) US 915 MHz  (Americas, Australia)"
-    read -rp "Choice [1/2, default=1]: " freq_choice
-
-    if [[ "$freq_choice" == "2" ]]; then
-      RNODE_FREQ=915000000
-      RNODE_TXPOWER=22
-      RNODE_REGION="US 915 MHz"
-    else
-      RNODE_FREQ=867200000
-      RNODE_TXPOWER=14
-      RNODE_REGION="EU 868 MHz"
+    region_choice="${ANONMESH_RNODE_REGION:-}"
+    if [[ -z "$region_choice" && "$NONINTERACTIVE" == false ]]; then
+      echo ""
+      echo -e "${BOLD}LoRa frequency region:${R}"
+      echo "  1) EU 868 MHz  (Europe, Africa, Middle East)"
+      echo "  2) US 915 MHz  (Americas, Australia)"
+      read -rp "Choice [1/2, default=1]: " freq_choice
+      [[ "$freq_choice" == "2" ]] && region_choice="us" || region_choice="eu"
     fi
 
+    case "${region_choice,,}" in
+      us)
+        RNODE_FREQ=915000000
+        RNODE_TXPOWER=22
+        RNODE_REGION="US 915 MHz"
+        ;;
+      eu)
+        RNODE_FREQ=867200000
+        RNODE_TXPOWER=14
+        RNODE_REGION="EU 868 MHz"
+        ;;
+      *)
+        log_warn "Skipping RNode setup — set ANONMESH_RNODE_REGION=us|eu for the legal radio region."
+        RNODE_PORT=""
+        ;;
+    esac
+  fi
+
+  if [[ -n "$RNODE_PORT" ]]; then
+
     log_info "Configuring RNode: $RNODE_PORT @ $RNODE_REGION"
 
     # ── Append RNode interface to existing Reticulum config ───────────────
-    cat >> "$RNS_CONFIG_FILE" << RNODE
+    atomic_private_append "$RNS_CONFIG_FILE" 600 << RNODE
 
 # ── RNODE LORA (Heltec V3 / SX1262) ─────────────────────────────────────────
 # Region: ${RNODE_REGION}
@@ -459,7 +561,7 @@ RNODE
 fi
 
 # ═════════════════════════════════════════════════════════════════════════════
-# STEP 5 — Meshtastic interface file
+# STEP 5 — Meshtastic interface module status
 # ═════════════════════════════════════════════════════════════════════════════
 if [[ "$INSTALL_MESHTASTIC" == true ]]; then
   log_step "Meshtastic interface"
@@ -468,13 +570,9 @@ if [[ "$INSTALL_MESHTASTIC" == true ]]; then
   if [[ -f "$MESH_IFACE" ]]; then
     log_info "Meshtastic_Interface.py already present"
   else
-    log_info "Downloading Meshtastic_Interface.py from anon0mesh repo..."
-    if wget -q -O "$MESH_IFACE" \
-      "https://raw.githubusercontent.com/Magicred-1/anon0mesh/main/interfaces/Meshtastic_Interface.py"; then
-      log_ok "Meshtastic_Interface.py downloaded → $MESH_IFACE"
-    else
-      log_warn "Download failed — you can place it manually at $MESH_IFACE"
-    fi
+    log_warn "Meshtastic_Interface.py is not bundled; place a compatible module manually at:"
+    log_info "  $MESH_IFACE"
+    log_info "The Python meshtastic dependency is installed, but no Reticulum interface was configured."
   fi
 fi
 
@@ -484,33 +582,31 @@ fi
 log_step "Launcher scripts"
 
 if [[ "$INSTALL_BEACON" == true ]]; then
-  cat > "$SCRIPT_DIR/run_beacon.sh" << LAUNCHER
+  atomic_private_write "$SCRIPT_DIR/run_beacon.sh" 700 << LAUNCHER
 #!/usr/bin/env bash
 # anon0mesh Beacon launcher
-# Edit NETWORK and RPC_URL below to match your setup.
+# Set SOLANA_RPC_URL in the environment if you need a custom RPC endpoint.
 # ─────────────────────────────────────────────────────
 
+umask 077
 SCRIPT_DIR="\$(cd "\$(dirname "\${BASH_SOURCE[0]}")" && pwd)"
 source "\$SCRIPT_DIR/venv/bin/activate"
 
 # ── Configuration ──────────────────────────────────────────────────────────
 NETWORK="${SOLANA_NETWORK}"          # devnet | mainnet | custom
-RPC_URL=""               # leave empty to use default public endpoint
-                         # or set e.g. https://my-node.helius-rpc.com/?api-key=XXX
 ANNOUNCE_INTERVAL=300    # seconds between re-announces after burst phase
 
 # ── Build args ─────────────────────────────────────────────────────────────
-ARGS="--network \$NETWORK --announce-interval \$ANNOUNCE_INTERVAL"
-[[ -n "\$RPC_URL" ]] && ARGS="\$ARGS --rpc \$RPC_URL"
+ARGS=(--network "\$NETWORK" --announce-interval "\$ANNOUNCE_INTERVAL")
 
-exec python "\$SCRIPT_DIR/beacon.py" \$ARGS "\$@"
+exec python "\$SCRIPT_DIR/beacon.py" "\${ARGS[@]}" "\$@"
 LAUNCHER
-  chmod +x "$SCRIPT_DIR/run_beacon.sh"
+  chmod 700 "$SCRIPT_DIR/run_beacon.sh"
   log_ok "run_beacon.sh created"
 fi
 
 if [[ "$INSTALL_CLIENT" == true ]]; then
-  cat > "$SCRIPT_DIR/run_client.sh" << LAUNCHER
+  atomic_private_write "$SCRIPT_DIR/run_client.sh" 700 << LAUNCHER
 #!/usr/bin/env bash
 # anon0mesh Client launcher
 # Pass beacon hashes as arguments, or use --discover for auto-discovery.
@@ -521,6 +617,7 @@ if [[ "$INSTALL_CLIENT" == true ]]; then
 #   ./run_client.sh <HASH1> --balance <ADDR>  # one-shot balance
 # ─────────────────────────────────────────────────────
 
+umask 077
 SCRIPT_DIR="\$(cd "\$(dirname "\${BASH_SOURCE[0]}")" && pwd)"
 source "\$SCRIPT_DIR/venv/bin/activate"
 
@@ -529,17 +626,13 @@ if [[ \$# -eq 0 ]]; then
   exec python "\$SCRIPT_DIR/client.py" --discover --strategy race
 fi
 
-# ── One or more hashes passed → use them + discover ───────────────────────
+# ── Leading bare hashes → explicit beacons; preserve all option values ────
 HASHES=()
-EXTRA_ARGS=()
-for arg in "\$@"; do
-  # If it looks like a hex hash (16+ hex chars), treat as beacon hash
-  if [[ "\$arg" =~ ^[0-9a-fA-F]{16,}$ ]]; then
-    HASHES+=("\$arg")
-  else
-    EXTRA_ARGS+=("\$arg")
-  fi
+while [[ \$# -gt 0 && "\$1" =~ ^[0-9a-fA-F]{16,}$ ]]; do
+  HASHES+=("\$1")
+  shift
 done
+EXTRA_ARGS=("\$@")
 
 CMD=(python "\$SCRIPT_DIR/client.py")
 [[ \${#HASHES[@]} -gt 0 ]] && CMD+=(--beacon "\${HASHES[@]}")
@@ -547,7 +640,7 @@ CMD+=(--discover --strategy race)   # always keep discovery on for new beacons
 
 exec "\${CMD[@]}" "\${EXTRA_ARGS[@]}"
 LAUNCHER
-  chmod +x "$SCRIPT_DIR/run_client.sh"
+  chmod 700 "$SCRIPT_DIR/run_client.sh"
   log_ok "run_client.sh created"
 fi
 
@@ -559,6 +652,8 @@ if [[ "$INSTALL_BEACON" == true && "$INSTALL_SYSTEMD" == true ]]; then
 
   SERVICE_FILE="/etc/systemd/system/anon0mesh-beacon.service"
   CURRENT_USER="$(whoami)"
+  SYSTEMD_WORKING_DIRECTORY="$(systemd_escape_path "$SCRIPT_DIR")"
+  SYSTEMD_EXEC_START="$(systemd_escape_path "$SCRIPT_DIR/run_beacon.sh")"
 
   sudo tee "$SERVICE_FILE" > /dev/null << SERVICE
 [Unit]
@@ -570,10 +665,11 @@ Wants=network-online.target
 [Service]
 Type=simple
 User=${CURRENT_USER}
-WorkingDirectory=${SCRIPT_DIR}
-ExecStart=${SCRIPT_DIR}/run_beacon.sh
+WorkingDirectory=${SYSTEMD_WORKING_DIRECTORY}
+ExecStart=${SYSTEMD_EXEC_START}
 Restart=on-failure
 RestartSec=10
+UMask=0077
 StandardOutput=journal
 StandardError=journal
 SyslogIdentifier=anon0mesh-beacon
@@ -598,33 +694,33 @@ fi
 # ═════════════════════════════════════════════════════════════════════════════
 log_step "Smoke test"
 
-python -c "
-import sys
-sys.path.insert(0, '$SCRIPT_DIR')
+ANONMESH_SCRIPT_DIR="$SCRIPT_DIR" python -c '
+import os, sys
+sys.path.insert(0, os.environ["ANONMESH_SCRIPT_DIR"])
 errors = []
 
 try:
     import RNS
 except ImportError:
-    errors.append('RNS not importable')
+    errors.append("RNS not importable")
 
 try:
     from shared import APP_NAME, APP_ASPECT, build_rpc, decode_json
-    import json; json.loads(build_rpc('getSlot'))
+    import json; json.loads(build_rpc("getSlot"))
 except Exception as e:
-    errors.append(f'shared: {e}')
+    errors.append(f"shared: {e}")
 
 try:
     import state
-    assert hasattr(state, 'pool')
-    assert hasattr(state, 'active_wallet')
+    assert hasattr(state, "pool")
+    assert hasattr(state, "active_wallet")
 except Exception as e:
-    errors.append(f'state: {e}')
+    errors.append(f"state: {e}")
 
 try:
     from mesh import BeaconPool, BeaconAnnounceHandler, BeaconLink
 except Exception as e:
-    errors.append(f'mesh: {e}')
+    errors.append(f"mesh: {e}")
 
 try:
     import rpc
@@ -633,7 +729,7 @@ try:
     assert callable(rpc.send_transaction)
     assert callable(rpc.get_nonce_account)
 except Exception as e:
-    errors.append(f'rpc: {e}')
+    errors.append(f"rpc: {e}")
 
 try:
     import wallet
@@ -641,21 +737,21 @@ try:
     assert callable(wallet.import_wallet)
     assert callable(wallet.create_nonce_account)
 except Exception as e:
-    errors.append(f'wallet: {e}')
+    errors.append(f"wallet: {e}")
 
 try:
     import menu
     assert callable(menu.repl)
 except Exception as e:
-    errors.append(f'menu: {e}')
+    errors.append(f"menu: {e}")
 
 if errors:
     for e in errors:
-        print('FAIL:', e)
+        print("FAIL:", e)
     sys.exit(1)
 else:
-    print('All modules OK')
-" && log_ok "Smoke test passed" || { log_err "Smoke test failed"; exit 1; }
+    print("All modules OK")
+' && log_ok "Smoke test passed" || { log_err "Smoke test failed"; exit 1; }
 
 # ═════════════════════════════════════════════════════════════════════════════
 # STEP 9 — Solana wallet + durable nonce account (client only, opt-in)
@@ -695,35 +791,81 @@ if [[ "$INSTALL_CLIENT" == true && "$SETUP_WALLET" == true ]]; then
       else
         WALLET_KEYPAIR_PATH="$SCRIPT_DIR/wallet.json"
         # Generate keypair via Python; pass path through env to avoid heredoc quoting issues
-        ANON0MESH_KP_PATH="$WALLET_KEYPAIR_PATH" python << 'PYEOF'
-import os, json
+        if ANON0MESH_KP_PATH="$WALLET_KEYPAIR_PATH" python << 'PYEOF'
+import os, json, stat, tempfile
 from solders.keypair import Keypair
+
+def save_keypair(path, kp):
+    try:
+        destination_mode = os.lstat(path).st_mode
+    except FileNotFoundError:
+        pass
+    else:
+        if stat.S_ISLNK(destination_mode):
+            raise OSError(f"Refusing symlinked keypair path: {path}")
+        if not stat.S_ISREG(destination_mode):
+            raise OSError(f"Refusing non-regular keypair path: {path}")
+    directory = os.path.dirname(path) or "."
+    previous_umask = os.umask(0o077)
+    temp_path = ""
+    fd = -1
+    try:
+        fd, temp_path = tempfile.mkstemp(prefix=f".{os.path.basename(path)}.", dir=directory)
+        os.fchmod(fd, 0o600)
+        with os.fdopen(fd, "w") as f:
+            fd = -1
+            json.dump(list(bytes(kp)), f)
+        os.replace(temp_path, path)
+        temp_path = ""
+    finally:
+        if fd != -1:
+            os.close(fd)
+        if temp_path:
+            try:
+                os.unlink(temp_path)
+            except FileNotFoundError:
+                pass
+        os.umask(previous_umask)
+
 kp   = Keypair()
 path = os.environ["ANON0MESH_KP_PATH"]
-with open(path, "w") as f:
-    json.dump(list(bytes(kp)), f)
+save_keypair(path, kp)
 print(f"  Public key : {kp.pubkey()}")
 print(f"  Saved to   : {path}")
 PYEOF
-        if [[ $? -ne 0 ]]; then
-          log_err "Keypair generation failed"; WALLET_KEYPAIR_PATH=""
-        else
+        then
           log_ok "Keypair saved → $WALLET_KEYPAIR_PATH"
           log_warn "Keep wallet.json safe — it contains your private key!"
+        else
+          log_err "Keypair generation failed"; WALLET_KEYPAIR_PATH=""
         fi
       fi
     fi
 
     # ── Show public key + funding instructions ────────────────────────────────
     if [[ -n "$WALLET_KEYPAIR_PATH" ]]; then
-      WALLET_PUBKEY=$(ANON0MESH_KP_PATH="$WALLET_KEYPAIR_PATH" python << 'PYEOF'
-import os, json
+      if ! WALLET_PUBKEY=$(ANON0MESH_KP_PATH="$WALLET_KEYPAIR_PATH" python << 'PYEOF'
+import os, json, stat
 from solders.keypair import Keypair
-with open(os.environ["ANON0MESH_KP_PATH"]) as f:
+path = os.environ["ANON0MESH_KP_PATH"]
+if os.path.islink(path):
+    raise OSError(f"Refusing symlinked keypair path: {path}")
+flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_NONBLOCK", 0)
+fd = os.open(path, flags)
+with os.fdopen(fd) as f:
+    if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
+        raise OSError(f"Refusing non-regular keypair path: {path}")
+    os.fchmod(f.fileno(), 0o600)
     kp = Keypair.from_bytes(bytes(json.load(f)))
 print(kp.pubkey(), end="")
 PYEOF
-)
+      ); then
+        log_err "Could not load keypair: $WALLET_KEYPAIR_PATH — skipping wallet setup"
+        WALLET_KEYPAIR_PATH=""
+      fi
+    fi
+
+    if [[ -n "$WALLET_KEYPAIR_PATH" ]]; then
       log_ok "Wallet public key: $WALLET_PUBKEY"
       echo ""
       if [[ "$SOLANA_NETWORK" == "devnet" ]]; then
@@ -759,12 +901,12 @@ PYEOF
         # Run Python once.
         # Status/progress messages  → stderr  (shown directly to the user)
         # KEY=VALUE result lines    → stdout  (captured into _nonce_out)
-        _nonce_out=$(
+        if _nonce_out=$(
           ANON0MESH_KP_PATH="$WALLET_KEYPAIR_PATH" \
           ANON0MESH_RPC="$_SETUP_RPC" \
           ANON0MESH_DIR="$SCRIPT_DIR" \
           python << 'PYEOF'
-import os, sys, json, base64
+import os, sys, json, base64, stat, tempfile
 import requests
 from solders.keypair     import Keypair
 from solders.pubkey      import Pubkey
@@ -779,6 +921,8 @@ from solders.hash    import Hash
 RPC       = os.environ["ANON0MESH_RPC"]
 SAVE_DIR  = os.environ["ANON0MESH_DIR"]
 NONCE_LEN = 80  # fixed by the Solana runtime
+MAX_U64   = (1 << 64) - 1
+MAX_RPC_RESPONSE_BYTES = 1024 * 1024
 
 def rpc(method, params):
     r = requests.post(
@@ -786,30 +930,110 @@ def rpc(method, params):
         json={"jsonrpc": "2.0", "id": 1, "method": method, "params": params},
         headers={"Content-Type": "application/json"},
         timeout=20,
+        stream=True,
     )
-    r.raise_for_status()
-    d = r.json()
+    try:
+        r.raise_for_status()
+        chunks = []
+        size = 0
+        for chunk in r.iter_content(chunk_size=64 * 1024):
+            if not chunk:
+                continue
+            size += len(chunk)
+            if size > MAX_RPC_RESPONSE_BYTES:
+                raise RuntimeError(f"{method} response exceeds size limit")
+            chunks.append(chunk)
+        try:
+            d = json.loads(b"".join(chunks))
+        except (UnicodeDecodeError, json.JSONDecodeError) as exc:
+            raise RuntimeError(f"{method} returned invalid JSON: {exc}") from exc
+    finally:
+        r.close()
+    if not isinstance(d, dict):
+        raise RuntimeError(f"{method} returned a non-object response")
     if "error" in d:
-        raise RuntimeError(d["error"].get("message", str(d["error"]))
-                           if isinstance(d["error"], dict) else str(d["error"]))
-    return d
+        error = d["error"]
+        raise RuntimeError(error.get("message", str(error))
+                           if isinstance(error, dict) else str(error))
+    if "result" not in d:
+        raise RuntimeError(f"{method} response is missing result")
+    return d["result"]
+
+def require_u64(value, label):
+    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= MAX_U64:
+        raise RuntimeError(f"{label} must be a u64 integer")
+    return value
+
+def require_string(value, label):
+    if not isinstance(value, str) or not value:
+        raise RuntimeError(f"{label} must be a non-empty string")
+    return value
+
+def load_keypair(path):
+    if os.path.islink(path):
+        raise OSError(f"Refusing symlinked keypair path: {path}")
+    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_NONBLOCK", 0)
+    fd = os.open(path, flags)
+    with os.fdopen(fd) as f:
+        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
+            raise OSError(f"Refusing non-regular keypair path: {path}")
+        os.fchmod(f.fileno(), 0o600)
+        return Keypair.from_bytes(bytes(json.load(f)))
+
+def save_keypair(path, kp):
+    try:
+        destination_mode = os.lstat(path).st_mode
+    except FileNotFoundError:
+        pass
+    else:
+        if stat.S_ISLNK(destination_mode):
+            raise OSError(f"Refusing symlinked keypair path: {path}")
+        if not stat.S_ISREG(destination_mode):
+            raise OSError(f"Refusing non-regular keypair path: {path}")
+    directory = os.path.dirname(path) or "."
+    previous_umask = os.umask(0o077)
+    temp_path = ""
+    fd = -1
+    try:
+        fd, temp_path = tempfile.mkstemp(prefix=f".{os.path.basename(path)}.", dir=directory)
+        os.fchmod(fd, 0o600)
+        with os.fdopen(fd, "w") as f:
+            fd = -1
+            json.dump(list(bytes(kp)), f)
+        os.replace(temp_path, path)
+        temp_path = ""
+    finally:
+        if fd != -1:
+            os.close(fd)
+        if temp_path:
+            try:
+                os.unlink(temp_path)
+            except FileNotFoundError:
+                pass
+        os.umask(previous_umask)
+
+nonce_path = None
+submitted = False
 
 try:
-    with open(os.environ["ANON0MESH_KP_PATH"]) as f:
-        payer = Keypair.from_bytes(bytes(json.load(f)))
+    payer = load_keypair(os.environ["ANON0MESH_KP_PATH"])
 
     nonce_kp   = Keypair()
     nonce_path = os.path.join(SAVE_DIR, f"nonce_{str(nonce_kp.pubkey())[:8]}.json")
-    with open(nonce_path, "w") as f:
-        json.dump(list(bytes(nonce_kp)), f)
+    save_keypair(nonce_path, nonce_kp)
 
     payer_pub = payer.pubkey()
     nonce_pub = nonce_kp.pubkey()
     print(f"  Nonce keypair:  {nonce_pub}", file=sys.stderr)
 
-    rent      = rpc("getMinimumBalanceForRentExemption", [NONCE_LEN])["result"]
+    rent      = require_u64(rpc("getMinimumBalanceForRentExemption", [NONCE_LEN]), "rent")
     print(f"  Rent required:  {rent} lamports", file=sys.stderr)
-    blockhash = rpc("getLatestBlockhash", [])["result"]["value"]["blockhash"]
+    latest    = rpc("getLatestBlockhash", [])
+    try:
+        blockhash = latest["value"]["blockhash"]
+    except (KeyError, TypeError) as exc:
+        raise RuntimeError(f"getLatestBlockhash returned an unexpected result: {exc}") from exc
+    blockhash = require_string(blockhash, "blockhash")
 
     create_ix = create_account(CreateAccountParams(
         from_pubkey = payer_pub,
@@ -828,8 +1052,12 @@ try:
     tx.sign([payer, nonce_kp], bh)
 
     print("  Sending transaction...", file=sys.stderr)
-    sig = rpc("sendTransaction", [base64.b64encode(bytes(tx)).decode(),
-                                  {"encoding": "base64"}])["result"]
+    submitted = True
+    sig = require_string(
+        rpc("sendTransaction", [base64.b64encode(bytes(tx)).decode(),
+                                {"encoding": "base64"}]),
+        "signature",
+    )
 
     # KEY=VALUE to stdout — captured by the shell
     print(f"NONCE_PUBKEY={nonce_pub}")
@@ -839,15 +1067,21 @@ try:
 
 except Exception as exc:
     print(f"ERROR: {exc}", file=sys.stderr)
-    # Remove the saved keypair only if we generated it and the tx failed
-    try:
-        os.remove(nonce_path)
-    except Exception:
-        pass
+    if submitted:
+        print(f"WARNING: transaction submission status is unknown; preserving nonce keypair: {nonce_path}",
+              file=sys.stderr)
+    elif nonce_path is not None:
+        try:
+            os.remove(nonce_path)
+        except Exception:
+            pass
     sys.exit(1)
 PYEOF
-        )
-        _nonce_exit=$?
+        ); then
+          _nonce_exit=0
+        else
+          _nonce_exit=$?
+        fi
 
         if [[ $_nonce_exit -eq 0 ]]; then
           while IFS='=' read -r key val; do
diff --git a/shared.py b/shared.py
index 0515a4b..1c695e9 100644
--- a/shared.py
+++ b/shared.py
@@ -16,9 +16,14 @@
 """
 
 import json
+import os
+import re
+import stat
+import tempfile
 import time
 import zlib
 from typing import Any
+from urllib.parse import urlsplit
 
 # ── App identity (both sides must agree) ───────────────────────────────────────
 APP_NAME      = "anonmesh"
@@ -57,18 +62,194 @@ def build_rpc(method: str, params: list | None = None, req_id: int = 1) -> bytes
 
 def build_response(result: Any = None, error: str | None = None, req_id: int = 1) -> bytes:
     """Encode a JSON-RPC 2.0 response as bytes."""
-    if error:
+    if error is not None:
         payload = {"jsonrpc": "2.0", "id": req_id, "error": {"code": -32000, "message": error}}
     else:
         payload = {"jsonrpc": "2.0", "id": req_id, "result": result}
     return json.dumps(payload).encode("utf-8")
 
 
-def decode_json(raw: bytes) -> dict:
+def decode_json(raw: bytes) -> Any:
     """Safely decode JSON bytes."""
     return json.loads(raw.decode("utf-8"))
 
 
+def decode_rpc_response(raw: bytes) -> dict:
+    """Decode a JSON-RPC response object containing exactly one outcome."""
+    parsed = decode_json(raw)
+    if (
+        not isinstance(parsed, dict)
+        or ("result" in parsed) == ("error" in parsed)
+    ):
+        raise ValueError("expected JSON-RPC response object with one outcome")
+    return parsed
+
+
+def redact_url(url: str | None) -> str:
+    """Return a log-safe endpoint label without credentials, path tokens, or query params."""
+    if not isinstance(url, str):
+        return "<redacted-rpc-url>"
+    try:
+        parts = urlsplit(url)
+        host = parts.hostname
+        if not parts.scheme or not host:
+            return "<redacted-rpc-url>"
+        if ":" in host:
+            host = f"[{host}]"
+        port = f":{parts.port}" if parts.port else ""
+    except ValueError:
+        return "<redacted-rpc-url>"
+
+    suffix = "/..." if (
+        parts.username or parts.password or parts.path not in ("", "/")
+        or parts.query or parts.fragment
+    ) else ""
+    return f"{parts.scheme}://{host}{port}{suffix}"
+
+
+_URL_RE = re.compile(r"""https?://[^\s'"`]+""")
+
+
+def redact_urls(text: str) -> str:
+    """Redact embedded HTTP(S) endpoints in diagnostic text."""
+    return _URL_RE.sub(lambda match: redact_url(match.group(0)), text)
+
+
+_TERMINAL_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f-\x9f]")
+
+
+def terminal_safe_text(value: Any, max_length: int = 4096) -> str:
+    """Escape terminal control bytes before rendering untrusted text."""
+    text = _TERMINAL_CONTROL_RE.sub(
+        lambda match: f"\\x{ord(match.group(0)):02x}",
+        str(value),
+    )
+    if len(text) > max_length:
+        return f"{text[:max_length]}... [truncated]"
+    return text
+
+
+def rpc_error_message(error: Any, default: str = "?") -> str:
+    """Format a JSON-RPC error whether the peer returned an object or scalar."""
+    if isinstance(error, dict):
+        return terminal_safe_text(error.get("message", error))
+    if error is None:
+        return terminal_safe_text(default)
+    return terminal_safe_text(error)
+
+
+def positive_int(raw_value: str) -> int:
+    """Parse a command-line integer that must be greater than zero."""
+    value = int(raw_value)
+    if value <= 0:
+        raise ValueError("expected a positive integer")
+    return value
+
+
+def is_u64(value: Any) -> bool:
+    """Return whether value can be represented as an unsigned Solana u64."""
+    return isinstance(value, int) and not isinstance(value, bool) and 0 <= value < 1 << 64
+
+
+# ── Private local files ──────────────────────────────────────────────────────
+
+def _open_private_regular_fd(path: str | os.PathLike[str]) -> int:
+    """Open a private regular file without following its final path component."""
+    path_str = os.fspath(path)
+    if os.path.islink(path_str):
+        raise OSError(f"Refusing symlinked private file: {path_str}")
+    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_NONBLOCK", 0)
+    fd = os.open(path_str, flags)
+    try:
+        if not stat.S_ISREG(os.fstat(fd).st_mode):
+            raise OSError(f"Refusing non-regular private file: {path_str}")
+        return fd
+    except Exception:
+        os.close(fd)
+        raise
+
+
+def restrict_private_file_permissions(path: str | os.PathLike[str]) -> bool:
+    """Best-effort repair of an existing regular private file to owner-only permissions."""
+    try:
+        fd = _open_private_regular_fd(path)
+    except OSError:
+        return False
+    try:
+        os.fchmod(fd, 0o600)
+        return True
+    finally:
+        os.close(fd)
+
+
+def read_private_file(path: str | os.PathLike[str], max_bytes: int = 1024 * 1024) -> bytes:
+    """Read a bounded regular private file after repairing owner-only permissions."""
+    fd = _open_private_regular_fd(path)
+    try:
+        os.fchmod(fd, 0o600)
+        with os.fdopen(fd, "rb") as private_file:
+            fd = -1
+            data = private_file.read(max_bytes + 1)
+    finally:
+        if fd != -1:
+            os.close(fd)
+    if len(data) > max_bytes:
+        raise OSError(f"Private file exceeds {max_bytes} byte limit: {os.fspath(path)}")
+    return data
+
+
+def save_private_identity(identity: Any, path: str) -> None:
+    """Atomically persist an RNS identity without following a destination symlink."""
+    directory = os.path.dirname(path) or "."
+    prefix = f".{os.path.basename(path)}."
+    previous_umask = os.umask(0o077)
+    fd = -1
+    temp_path = ""
+    try:
+        fd, temp_path = tempfile.mkstemp(prefix=prefix, dir=directory)
+        os.close(fd)
+        fd = -1
+        if identity.to_file(temp_path) is False:
+            raise OSError("Could not save RNS identity")
+        if not restrict_private_file_permissions(temp_path):
+            raise OSError("Could not secure RNS identity")
+        os.replace(temp_path, path)
+        temp_path = ""
+    finally:
+        if fd != -1:
+            os.close(fd)
+        if temp_path:
+            try:
+                os.unlink(temp_path)
+            except FileNotFoundError:
+                pass
+        os.umask(previous_umask)
+    if not restrict_private_file_permissions(path):
+        raise OSError("Could not secure RNS identity")
+
+
+_ENV_KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
+
+
+def load_dotenv_private(path: str | os.PathLike[str]) -> None:
+    """Load simple KEY=VALUE entries after restricting the credential file."""
+    try:
+        text = read_private_file(path).decode("utf-8")
+    except FileNotFoundError:
+        return
+    except (OSError, UnicodeDecodeError) as exc:
+        log_warn(f"Could not load private env file: {exc}")
+        return
+    for line in text.splitlines():
+        line = line.strip()
+        if line and not line.startswith("#") and "=" in line:
+            key, value = line.split("=", 1)
+            key = key.strip()
+            value = value.strip()
+            if _ENV_KEY_RE.fullmatch(key) and "\x00" not in value:
+                os.environ.setdefault(key, value)
+
+
 # ── Mesh payload compression ─────────────────────────────────────────────────
 # Solana RPC responses are typically 1–10 KB of JSON.  LoRa links have ~1.2 kbps
 # throughput with a Reticulum MTU of ~465 bytes.  Compressing before transmission
@@ -79,6 +260,31 @@ def decode_json(raw: bytes) -> dict:
 # Receivers call decompress_response() which handles both cases transparently.
 
 _COMPRESS_MAGIC = b"\x00zl"
+MAX_MESH_REQUEST_BYTES = 256 * 1024
+MAX_MESH_RESPONSE_BYTES = 1024 * 1024
+MAX_RENDERED_LOG_LINES = 100
+MAX_RENDERED_TOKEN_ACCOUNTS = 100
+
+
+class ResponseSizeLimitError(ValueError):
+    """Raised when an upstream response exceeds a configured byte ceiling."""
+
+
+def read_limited_http_body(response: Any, max_bytes: int) -> bytes:
+    """Read a streamed HTTP response without buffering beyond max_bytes."""
+    chunks = []
+    total = 0
+    for chunk in response.iter_content(chunk_size=64 * 1024):
+        if not chunk:
+            continue
+        if not isinstance(chunk, bytes):
+            raise TypeError("HTTP response chunk must be bytes")
+        total += len(chunk)
+        if total > max_bytes:
+            raise ResponseSizeLimitError(f"HTTP response exceeds {max_bytes} byte limit")
+        chunks.append(chunk)
+    return b"".join(chunks)
+
 
 def compress_response(data: bytes) -> bytes:
     """Compress a response payload with zlib if it saves space."""
@@ -89,8 +295,20 @@ def compress_response(data: bytes) -> bytes:
 
 def decompress_response(data: bytes) -> bytes:
     """Decompress a response payload. Passes through uncompressed data."""
+    if len(data) > MAX_MESH_RESPONSE_BYTES:
+        raise ValueError("Response exceeds size limit")
     if data[:3] == _COMPRESS_MAGIC:
-        return zlib.decompress(data[3:])
+        decompressor = zlib.decompressobj()
+        raw = decompressor.decompress(
+            data[3:], MAX_MESH_RESPONSE_BYTES + 1)
+        if len(raw) > MAX_MESH_RESPONSE_BYTES or decompressor.unconsumed_tail:
+            raise ValueError("Compressed response exceeds expanded size limit")
+        raw += decompressor.flush(MAX_MESH_RESPONSE_BYTES + 1 - len(raw))
+        if len(raw) > MAX_MESH_RESPONSE_BYTES:
+            raise ValueError("Compressed response exceeds expanded size limit")
+        if not decompressor.eof or decompressor.unused_data:
+            raise ValueError("Compressed response is malformed")
+        return raw
     return data
 
 
@@ -129,12 +347,12 @@ def set_quiet(quiet: bool) -> None:
 
 def log_info(msg: str)  -> None:
     if not _quiet_mode:
-        print(f"{DIM}[{time.strftime('%H:%M:%S')}]{RESET} {CYAN}ℹ {msg}{RESET}")
+        print(f"{DIM}[{time.strftime('%H:%M:%S')}]{RESET} {CYAN}ℹ {terminal_safe_text(msg)}{RESET}")
 
-def log_ok(msg: str)    -> None: print(f"{DIM}[{time.strftime('%H:%M:%S')}]{RESET} {GREEN}✔ {msg}{RESET}")
-def log_warn(msg: str)  -> None: print(f"{DIM}[{time.strftime('%H:%M:%S')}]{RESET} {YELLOW}⚠ {msg}{RESET}")
-def log_err(msg: str)   -> None: print(f"{DIM}[{time.strftime('%H:%M:%S')}]{RESET} {RED}✘ {msg}{RESET}")
+def log_ok(msg: str)    -> None: print(f"{DIM}[{time.strftime('%H:%M:%S')}]{RESET} {GREEN}✔ {terminal_safe_text(msg)}{RESET}")
+def log_warn(msg: str)  -> None: print(f"{DIM}[{time.strftime('%H:%M:%S')}]{RESET} {YELLOW}⚠ {terminal_safe_text(msg)}{RESET}")
+def log_err(msg: str)   -> None: print(f"{DIM}[{time.strftime('%H:%M:%S')}]{RESET} {RED}✘ {terminal_safe_text(msg)}{RESET}")
 
 def log_tx(msg: str)    -> None:
     if not _quiet_mode:
-        print(f"{DIM}[{time.strftime('%H:%M:%S')}]{RESET} {BOLD}➤ {msg}{RESET}")
+        print(f"{DIM}[{time.strftime('%H:%M:%S')}]{RESET} {BOLD}➤ {terminal_safe_text(msg)}{RESET}")
diff --git a/tests/test_arcium_client.py b/tests/test_arcium_client.py
index 934ca97..a320cf7 100644
--- a/tests/test_arcium_client.py
+++ b/tests/test_arcium_client.py
@@ -3,7 +3,9 @@
 Shim subprocess calls are mocked; no Node.js required.
 """
 
+import asyncio
 import json
+import stat
 from pathlib import Path
 from unittest.mock import patch, MagicMock
 
@@ -21,6 +23,39 @@ def _proc(stdout: str, returncode: int = 0, stderr: str = "") -> MagicMock:
     return m
 
 
+def _encrypt_payload() -> dict:
+    return {
+        "ok": True,
+        "ciphertexts": [[1] * 32],
+        "pubkey_hex": "ab" * 32,
+        "nonce_hex": "cd" * 16,
+        "nonce_bn": "123",
+        "shared_secret_hex": "ef" * 32,
+    }
+
+
+VALID_HEX_32 = "ab" * 32
+VALID_HEX_16 = "cd" * 16
+VALID_CIPHERTEXT = [1] * 32
+VALID_PUBKEY = "11111111111111111111111111111111"
+
+
+def _payment_client(rpc_url: str = "https://rpc.example.test"):
+    client = object.__new__(arcium_client.ArciumBeaconClient)
+    client.rpc_url = rpc_url
+    client.program_id = arcium_client.MXE_PROGRAM_ID
+    client._payer_hex = "00"
+    client._payer_b58 = VALID_PUBKEY
+    client.mxe_pubkey_hex = VALID_HEX_32
+    client.cluster_offset = 456
+    return client
+
+
+def _clear_optional_payment_accounts(monkeypatch):
+    monkeypatch.delenv("ARCIUM_BROADCASTER_TOKEN_ACCOUNT", raising=False)
+    monkeypatch.delenv("ARCIUM_TREASURY_TOKEN_ACCOUNT", raising=False)
+
+
 # ── _run_shim ─────────────────────────────────────────────────────────────────
 
 def test_run_shim_missing_file(tmp_path):
@@ -49,6 +84,16 @@ def test_run_shim_ok_false_raises(mock_run, tmp_path):
             arcium_client._run_shim("encrypt", "arg1")
 
 
+@patch("subprocess.run")
+def test_run_shim_nonzero_exit_rejects_ok_response(mock_run, tmp_path):
+    shim = tmp_path / "rescue_shim.mjs"
+    shim.touch()
+    with patch.object(arcium_client, "SHIM_PATH", shim):
+        mock_run.return_value = _proc(json.dumps({"ok": True}), returncode=1)
+        with pytest.raises(RuntimeError, match=r"shim error \(exit 1\)"):
+            arcium_client._run_shim("keygen")
+
+
 @patch("subprocess.run")
 def test_run_shim_non_json_stdout_raises(mock_run, tmp_path):
     shim = tmp_path / "rescue_shim.mjs"
@@ -59,6 +104,16 @@ def test_run_shim_non_json_stdout_raises(mock_run, tmp_path):
             arcium_client._run_shim("broken")
 
 
+@patch("subprocess.run")
+def test_run_shim_non_object_json_raises(mock_run, tmp_path):
+    shim = tmp_path / "rescue_shim.mjs"
+    shim.touch()
+    with patch.object(arcium_client, "SHIM_PATH", shim):
+        mock_run.return_value = _proc("[]")
+        with pytest.raises(RuntimeError, match="shim returned non-object JSON"):
+            arcium_client._run_shim("broken")
+
+
 @patch("subprocess.run")
 def test_run_shim_falls_back_to_stderr_in_error_msg(mock_run, tmp_path):
     shim = tmp_path / "rescue_shim.mjs"
@@ -69,6 +124,20 @@ def test_run_shim_falls_back_to_stderr_in_error_msg(mock_run, tmp_path):
             arcium_client._run_shim("cmd")
 
 
+@patch("subprocess.run")
+def test_run_shim_redacts_url_in_non_json_error(mock_run, tmp_path):
+    shim = tmp_path / "rescue_shim.mjs"
+    shim.touch()
+    secret_url = "https://user:pass@rpc.example.test/private?api-key=secret"
+    with patch.object(arcium_client, "SHIM_PATH", shim):
+        mock_run.return_value = _proc("", returncode=1, stderr=f"request to {secret_url} failed")
+        with pytest.raises(RuntimeError) as exc_info:
+            arcium_client._run_shim("cmd")
+    assert "https://rpc.example.test/..." in str(exc_info.value)
+    assert "user:pass" not in str(exc_info.value)
+    assert "secret" not in str(exc_info.value)
+
+
 @patch("subprocess.run")
 def test_run_shim_passes_stdin_data(mock_run, tmp_path):
     shim = tmp_path / "rescue_shim.mjs"
@@ -93,48 +162,82 @@ def test_run_shim_no_stdin_when_not_provided(mock_run, tmp_path):
 
 @patch("arcium_client._run_shim")
 def test_rescue_keygen_calls_keygen(mock_shim):
-    mock_shim.return_value = {"ok": True, "privkey_hex": "aabb", "pubkey_hex": "ccdd"}
+    mock_shim.return_value = {"ok": True, "privkey_hex": "aa" * 32, "pubkey_hex": "cc" * 32}
     priv, pub = arcium_client.rescue_keygen()
     mock_shim.assert_called_once_with("keygen")
-    assert priv == "aabb"
-    assert pub == "ccdd"
+    assert priv == "aa" * 32
+    assert pub == "cc" * 32
+
+
+@patch("arcium_client._run_shim")
+def test_rescue_keygen_rejects_invalid_keys(mock_shim):
+    mock_shim.return_value = {"ok": True, "privkey_hex": [], "pubkey_hex": "ccdd"}
+    with pytest.raises(ValueError, match="invalid keys"):
+        arcium_client.rescue_keygen()
 
 
 # ── rescue_encrypt ────────────────────────────────────────────────────────────
 
 @patch("arcium_client._run_shim")
-def test_rescue_encrypt_passes_mxe_pubkey_and_values(mock_shim):
-    mock_shim.return_value = {
-        "ok": True, "ciphertexts": [[1, 2]], "pubkey_hex": "ab",
-        "nonce_hex": "cd", "nonce_bn": "123", "shared_secret_hex": "ef",
-    }
-    arcium_client.rescue_encrypt("mxe_pubkey_hex", [999])
+def test_rescue_encrypt_passes_mxe_pubkey_and_values_via_stdin(mock_shim):
+    mock_shim.return_value = _encrypt_payload()
+    arcium_client.rescue_encrypt(VALID_HEX_32, [999])
     args = mock_shim.call_args[0]
     assert args[0] == "encrypt"
-    assert args[1] == "mxe_pubkey_hex"
-    assert json.loads(args[2]) == [999]
+    assert args[1] == VALID_HEX_32
+    assert len(args) == 2
+    assert json.loads(mock_shim.call_args.kwargs["stdin_data"]) == [999]
 
 
 @patch("arcium_client._run_shim")
 def test_rescue_encrypt_with_nonce_appends_arg(mock_shim):
-    mock_shim.return_value = {
-        "ok": True, "ciphertexts": [], "pubkey_hex": "ab",
-        "nonce_hex": "aabbcc", "nonce_bn": "0", "shared_secret_hex": "ef",
-    }
-    arcium_client.rescue_encrypt("mxe", [1], nonce_hex="aabbcc")
+    mock_shim.return_value = _encrypt_payload()
+    arcium_client.rescue_encrypt(VALID_HEX_32, [1], nonce_hex=VALID_HEX_16)
     args = mock_shim.call_args[0]
-    assert "aabbcc" in args
+    assert args == ("encrypt", VALID_HEX_32, VALID_HEX_16)
+    assert json.loads(mock_shim.call_args.kwargs["stdin_data"]) == [1]
 
 
 @patch("arcium_client._run_shim")
 def test_rescue_encrypt_without_nonce_omits_arg(mock_shim):
-    mock_shim.return_value = {
-        "ok": True, "ciphertexts": [], "pubkey_hex": "ab",
-        "nonce_hex": "cd", "nonce_bn": "0", "shared_secret_hex": "ef",
-    }
-    arcium_client.rescue_encrypt("mxe", [1])
+    mock_shim.return_value = _encrypt_payload()
+    arcium_client.rescue_encrypt(VALID_HEX_32, [1])
     args = mock_shim.call_args[0]
-    assert len(args) == 3  # "encrypt", mxe_pubkey, values_json
+    assert args == ("encrypt", VALID_HEX_32)
+    assert json.loads(mock_shim.call_args.kwargs["stdin_data"]) == [1]
+
+
+@pytest.mark.parametrize("field, value", [
+    ("ciphertexts", [[1] * 31]),
+    ("pubkey_hex", "ab" * 31),
+    ("nonce_hex", "cd" * 15),
+    ("nonce_bn", "9" * 100_000),
+    ("nonce_bn", "١"),
+    ("shared_secret_hex", "ef" * 31),
+])
+@patch("arcium_client._run_shim")
+def test_rescue_encrypt_rejects_invalid_payload(mock_shim, field, value):
+    payload = _encrypt_payload()
+    payload[field] = value
+    mock_shim.return_value = payload
+    with pytest.raises(ValueError, match="invalid payload"):
+        arcium_client.rescue_encrypt(VALID_HEX_32, [1])
+
+
+@pytest.mark.parametrize("mxe_pubkey, values, nonce", [
+    ("bad", [1], None),
+    (VALID_HEX_32, [], None),
+    (VALID_HEX_32, [True], None),
+    (VALID_HEX_32, [-1], None),
+    (VALID_HEX_32, [1 << 256], None),
+    (VALID_HEX_32, [1] * 101, None),
+    (VALID_HEX_32, [1], "bad"),
+])
+@patch("arcium_client._run_shim")
+def test_rescue_encrypt_rejects_invalid_request_without_running_shim(mock_shim, mxe_pubkey, values, nonce):
+    with pytest.raises(ValueError, match="invalid encrypt request"):
+        arcium_client.rescue_encrypt(mxe_pubkey, values, nonce)
+    mock_shim.assert_not_called()
 
 
 # ── rescue_decrypt ────────────────────────────────────────────────────────────
@@ -142,56 +245,169 @@ def test_rescue_encrypt_without_nonce_omits_arg(mock_shim):
 @patch("arcium_client._run_shim")
 def test_rescue_decrypt_passes_secret_via_stdin(mock_shim):
     mock_shim.return_value = {"ok": True, "values": ["100", "200"]}
-    arcium_client.rescue_decrypt("my_shared_secret", [[1, 2, 3]], "nonce_hex")
-    assert mock_shim.call_args[1]["stdin_data"] == "my_shared_secret"
+    arcium_client.rescue_decrypt(VALID_HEX_32, [VALID_CIPHERTEXT] * 2, VALID_HEX_16)
+    assert mock_shim.call_args[1]["stdin_data"] == VALID_HEX_32
 
 
 @patch("arcium_client._run_shim")
 def test_rescue_decrypt_returns_ints(mock_shim):
     mock_shim.return_value = {"ok": True, "values": ["42", "0", "999"]}
-    result = arcium_client.rescue_decrypt("secret", [[]], "nonce")
+    result = arcium_client.rescue_decrypt(VALID_HEX_32, [VALID_CIPHERTEXT] * 3, VALID_HEX_16)
     assert result == [42, 0, 999]
     assert all(isinstance(v, int) for v in result)
 
 
 @patch("arcium_client._run_shim")
-def test_rescue_decrypt_passes_ciphertexts_and_nonce_as_args(mock_shim):
-    mock_shim.return_value = {"ok": True, "values": []}
-    ciphertexts = [[1, 2, 3], [4, 5, 6]]
-    arcium_client.rescue_decrypt("secret", ciphertexts, "my_nonce")
+def test_rescue_decrypt_rejects_empty_ciphertexts_without_running_shim(mock_shim):
+    ciphertexts = []
+    with pytest.raises(ValueError, match="invalid decrypt request"):
+        arcium_client.rescue_decrypt(VALID_HEX_32, ciphertexts, VALID_HEX_16)
+    mock_shim.assert_not_called()
+
+
+@patch("arcium_client._run_shim")
+def test_rescue_decrypt_passes_valid_ciphertexts_and_nonce_as_args(mock_shim):
+    mock_shim.return_value = {"ok": True, "values": ["1", "2"]}
+    ciphertexts = [VALID_CIPHERTEXT, [2] * 32]
+    arcium_client.rescue_decrypt(VALID_HEX_32, ciphertexts, VALID_HEX_16)
     args = mock_shim.call_args[0]
     assert args[0] == "decrypt"
     assert json.loads(args[1]) == ciphertexts
-    assert args[2] == "my_nonce"
+    assert args[2] == VALID_HEX_16
+
+
+@pytest.mark.parametrize("values", [None, "42", [True], ["-1"], [{}], ["9" * 100_000], ["١"]])
+@patch("arcium_client._run_shim")
+def test_rescue_decrypt_rejects_invalid_values(mock_shim, values):
+    mock_shim.return_value = {"ok": True, "values": values}
+    with pytest.raises(ValueError, match="invalid values"):
+        arcium_client.rescue_decrypt(VALID_HEX_32, [VALID_CIPHERTEXT], VALID_HEX_16)
+
+
+@pytest.mark.parametrize("secret, ciphertexts, nonce", [
+    ("bad", [VALID_CIPHERTEXT], VALID_HEX_16),
+    (VALID_HEX_32, [], VALID_HEX_16),
+    (VALID_HEX_32, [[1] * 31], VALID_HEX_16),
+    (VALID_HEX_32, [[256] * 32], VALID_HEX_16),
+    (VALID_HEX_32, [VALID_CIPHERTEXT] * 101, VALID_HEX_16),
+    (VALID_HEX_32, [VALID_CIPHERTEXT], "bad"),
+])
+@patch("arcium_client._run_shim")
+def test_rescue_decrypt_rejects_invalid_request_without_running_shim(mock_shim, secret, ciphertexts, nonce):
+    with pytest.raises(ValueError, match="invalid decrypt request"):
+        arcium_client.rescue_decrypt(secret, ciphertexts, nonce)
+    mock_shim.assert_not_called()
 
 
 # ── rescue_shared_secret ──────────────────────────────────────────────────────
 
 @patch("arcium_client._run_shim")
 def test_rescue_shared_secret_passes_privkey_via_stdin(mock_shim):
-    mock_shim.return_value = {"ok": True, "shared_secret_hex": "deadbeef"}
-    arcium_client.rescue_shared_secret("my_privkey", "mxe_pubkey")
-    assert mock_shim.call_args[1]["stdin_data"] == "my_privkey"
+    mock_shim.return_value = {"ok": True, "shared_secret_hex": "de" * 32}
+    arcium_client.rescue_shared_secret(VALID_HEX_32, VALID_HEX_32)
+    assert mock_shim.call_args[1]["stdin_data"] == VALID_HEX_32
 
 
 @patch("arcium_client._run_shim")
 def test_rescue_shared_secret_passes_mxe_pubkey_as_arg(mock_shim):
-    mock_shim.return_value = {"ok": True, "shared_secret_hex": "deadbeef"}
-    arcium_client.rescue_shared_secret("privkey", "mxe_pubkey")
+    mock_shim.return_value = {"ok": True, "shared_secret_hex": "de" * 32}
+    arcium_client.rescue_shared_secret(VALID_HEX_32, VALID_HEX_32)
     args = mock_shim.call_args[0]
     assert args[0] == "shared_secret"
-    assert args[1] == "mxe_pubkey"
+    assert args[1] == VALID_HEX_32
 
 
 @patch("arcium_client._run_shim")
 def test_rescue_shared_secret_returns_hex(mock_shim):
-    mock_shim.return_value = {"ok": True, "shared_secret_hex": "cafebabe"}
-    result = arcium_client.rescue_shared_secret("priv", "pub")
-    assert result == "cafebabe"
+    mock_shim.return_value = {"ok": True, "shared_secret_hex": "ca" * 32}
+    result = arcium_client.rescue_shared_secret(VALID_HEX_32, VALID_HEX_32)
+    assert result == "ca" * 32
+
+
+@patch("arcium_client._run_shim")
+def test_rescue_shared_secret_rejects_invalid_key(mock_shim):
+    mock_shim.return_value = {"ok": True, "shared_secret_hex": []}
+    with pytest.raises(ValueError, match="invalid key"):
+        arcium_client.rescue_shared_secret(VALID_HEX_32, VALID_HEX_32)
+
+
+@patch("arcium_client._run_shim")
+def test_rescue_shared_secret_rejects_invalid_request_without_running_shim(mock_shim):
+    with pytest.raises(ValueError, match="invalid shared_secret request"):
+        arcium_client.rescue_shared_secret("bad", VALID_HEX_32)
+    mock_shim.assert_not_called()
+
+
+@patch("arcium_client._run_shim")
+def test_log_payment_stats_redacts_shim_error(mock_shim, monkeypatch, capsys):
+    secret_url = "https://user:pass@rpc.example.test/private?api-key=secret"
+    mock_shim.side_effect = RuntimeError(f"request to {secret_url} failed")
+    _clear_optional_payment_accounts(monkeypatch)
+    client = _payment_client(secret_url)
+
+    result = asyncio.run(client.log_payment_stats(
+        1, VALID_PUBKEY, VALID_PUBKEY, VALID_PUBKEY, VALID_PUBKEY,
+    ))
+
+    assert result["message"] == "request to https://rpc.example.test/... failed"
+    assert "user:pass" not in capsys.readouterr().out
+    assert "secret" not in result["message"]
+
+
+@pytest.mark.parametrize("signature", [None, "", [], True])
+@patch("arcium_client._run_shim")
+def test_log_payment_stats_rejects_invalid_shim_signature(mock_shim, signature, monkeypatch):
+    mock_shim.return_value = {"signature": signature}
+    _clear_optional_payment_accounts(monkeypatch)
+    client = _payment_client()
+
+    result = asyncio.run(client.log_payment_stats(
+        1, VALID_PUBKEY, VALID_PUBKEY, VALID_PUBKEY, VALID_PUBKEY,
+    ))
+
+    assert result == {
+        "status": "error",
+        "message": "shim execute_payment returned an invalid signature",
+    }
+
+
+@patch("arcium_client._run_shim")
+def test_log_payment_stats_rejects_invalid_metadata_without_running_shim(mock_shim, monkeypatch):
+    _clear_optional_payment_accounts(monkeypatch)
+    client = _payment_client()
+
+    result = asyncio.run(client.log_payment_stats(
+        1, "not-a-pubkey", VALID_PUBKEY, VALID_PUBKEY, VALID_PUBKEY,
+    ))
+
+    assert result == {"status": "error", "message": "invalid Arcium payment metadata"}
+    mock_shim.assert_not_called()
 
 
 # ── ArciumBeacon (disabled path) ──────────────────────────────────────────────
 
+@pytest.mark.parametrize("kwargs", [
+    {"rpc_url": ""},
+    {"mxe_pubkey_hex": "ab"},
+    {"cluster_offset": -1},
+    {"cluster_offset": 1 << 32},
+    {"program_id": "not-a-pubkey"},
+])
+def test_arcium_client_rejects_invalid_configuration(monkeypatch, kwargs):
+    monkeypatch.setattr(arcium_client, "HAS_SOLANA", True)
+    values = {
+        "rpc_url": "https://rpc.example.test",
+        "payer_keypair": MagicMock(),
+        "mxe_pubkey_hex": VALID_HEX_32,
+        "cluster_offset": 456,
+        "program_id": arcium_client.MXE_PROGRAM_ID,
+    }
+    values.update(kwargs)
+
+    with pytest.raises(ValueError):
+        arcium_client.ArciumBeaconClient(**values)
+
+
 def test_arcium_beacon_disabled_when_env_not_set(monkeypatch):
     monkeypatch.setenv("ARCIUM_ENABLED", "0")
     beacon = arcium_client.ArciumBeacon.from_env()
@@ -201,6 +417,27 @@ def test_arcium_beacon_disabled_when_env_not_set(monkeypatch):
 def test_arcium_beacon_none_client_is_disabled():
     beacon = arcium_client.ArciumBeacon(None)
     assert not beacon.enabled
+    assert beacon._loop is None
+    assert beacon._thread is None
+
+
+def test_arcium_beacon_failed_connect_closes_client_and_stops_loop():
+    class FailingClient:
+        closed = False
+
+        async def connect(self):
+            raise RuntimeError("rpc unavailable")
+
+        async def close(self):
+            self.closed = True
+
+    client = FailingClient()
+    beacon = arcium_client.ArciumBeacon(client)
+
+    assert not beacon.enabled
+    assert client.closed
+    assert not beacon._thread.is_alive()
+    assert beacon._loop.is_closed()
 
 
 def test_arcium_beacon_log_payment_stats_returns_none_when_disabled():
@@ -223,6 +460,68 @@ def test_arcium_beacon_from_env_no_solana_package_disables(monkeypatch):
     assert not beacon.enabled
 
 
+def test_arcium_beacon_from_env_repairs_payer_permissions(tmp_path, monkeypatch):
+    path = tmp_path / "payer.json"
+    path.write_text("[1, 2, 3]")
+    path.chmod(0o666)
+    keypair_type = MagicMock()
+    keypair_type.from_bytes.return_value = object()
+    monkeypatch.setenv("ARCIUM_ENABLED", "1")
+    monkeypatch.setenv("ARCIUM_PAYER_KEYPAIR", str(path))
+    monkeypatch.setenv("ARCIUM_MXE_PUBKEY_HEX", VALID_HEX_32)
+    monkeypatch.setenv("ARCIUM_CLUSTER_OFFSET", "456")
+    monkeypatch.setattr(arcium_client, "HAS_SOLANA", True)
+    monkeypatch.setattr(arcium_client, "Keypair", keypair_type)
+
+    with (
+        patch.object(arcium_client, "ArciumBeaconClient", return_value=object()),
+        patch.object(arcium_client.ArciumBeacon, "__init__", return_value=None),
+    ):
+        arcium_client.ArciumBeacon.from_env()
+
+    assert stat.S_IMODE(path.stat().st_mode) == 0o600
+    keypair_type.from_bytes.assert_called_once_with(bytes([1, 2, 3]))
+
+
+def test_arcium_beacon_from_env_refuses_symlinked_payer_without_chmod_target(
+    tmp_path, monkeypatch, capsys,
+):
+    target = tmp_path / "payer.json"
+    target.write_text("[1, 2, 3]")
+    target.chmod(0o666)
+    path = tmp_path / "payer-link.json"
+    path.symlink_to(target)
+    monkeypatch.setenv("ARCIUM_ENABLED", "1")
+    monkeypatch.setenv("ARCIUM_PAYER_KEYPAIR", str(path))
+    monkeypatch.setenv("ARCIUM_MXE_PUBKEY_HEX", VALID_HEX_32)
+    monkeypatch.setattr(arcium_client, "HAS_SOLANA", True)
+
+    beacon = arcium_client.ArciumBeacon.from_env()
+
+    assert not beacon.enabled
+    assert stat.S_IMODE(target.stat().st_mode) == 0o666
+    assert "Arcium env error" in capsys.readouterr().out
+
+
+@pytest.mark.parametrize("offset", ["not-an-int", "-1", str(1 << 32)])
+def test_arcium_beacon_from_env_invalid_cluster_offset_disables(tmp_path, monkeypatch, offset, capsys):
+    path = tmp_path / "payer.json"
+    path.write_text("[1, 2, 3]")
+    keypair_type = MagicMock()
+    keypair_type.from_bytes.return_value = object()
+    monkeypatch.setenv("ARCIUM_ENABLED", "1")
+    monkeypatch.setenv("ARCIUM_PAYER_KEYPAIR", str(path))
+    monkeypatch.setenv("ARCIUM_MXE_PUBKEY_HEX", VALID_HEX_32)
+    monkeypatch.setenv("ARCIUM_CLUSTER_OFFSET", offset)
+    monkeypatch.setattr(arcium_client, "HAS_SOLANA", True)
+    monkeypatch.setattr(arcium_client, "Keypair", keypair_type)
+
+    beacon = arcium_client.ArciumBeacon.from_env()
+
+    assert not beacon.enabled
+    assert "Arcium env error" in capsys.readouterr().out
+
+
 # ── constants ─────────────────────────────────────────────────────────────────
 
 def test_mxe_program_id_is_idl_address():
diff --git a/tests/test_client.py b/tests/test_client.py
new file mode 100644
index 0000000..0e2ea26
--- /dev/null
+++ b/tests/test_client.py
@@ -0,0 +1,90 @@
+"""Focused tests for one-shot client helpers."""
+
+import builtins
+import importlib.util
+import sys
+import types
+from pathlib import Path
+from unittest.mock import MagicMock
+
+import pytest
+
+
+@pytest.fixture
+def client_module(monkeypatch):
+    mesh = types.ModuleType("mesh")
+    mesh.BeaconPool = object
+    mesh.BeaconAnnounceHandler = object
+    mesh.start_reticulum = lambda *_: None
+    mesh.connect_all_parallel = lambda *_: 0
+    monkeypatch.setitem(sys.modules, "mesh", mesh)
+
+    path = Path(__file__).parents[1] / "client.py"
+    spec = importlib.util.spec_from_file_location("client_under_test", path)
+    assert spec is not None and spec.loader is not None
+    module = importlib.util.module_from_spec(spec)
+    spec.loader.exec_module(module)
+    return module
+
+
+def test_relay_requested_accepts_yes(monkeypatch, client_module):
+    monkeypatch.setattr(builtins, "input", lambda *_: "y")
+    assert client_module._relay_requested()
+
+
+def test_relay_requested_declines_on_eof(monkeypatch, client_module):
+    def raise_eof(*_):
+        raise EOFError
+
+    monkeypatch.setattr(builtins, "input", raise_eof)
+    assert not client_module._relay_requested()
+
+
+def test_relay_requested_declines_on_interrupt(monkeypatch, client_module):
+    def raise_interrupt(*_):
+        raise KeyboardInterrupt
+
+    monkeypatch.setattr(builtins, "input", raise_interrupt)
+    assert not client_module._relay_requested()
+
+
+def test_timeout_accepts_positive_integer(client_module):
+    assert client_module._build_parser().parse_args(["--timeout", "15"]).timeout == 15
+
+
+@pytest.mark.parametrize("value", ["0", "-1", "not-a-number"])
+def test_timeout_rejects_non_positive_or_invalid_integer(client_module, value):
+    with pytest.raises(SystemExit):
+        client_module._build_parser().parse_args(["--timeout", value])
+
+
+def test_setup_beacons_waits_for_discovery_after_explicit_connect_failure(monkeypatch, client_module):
+    pool = MagicMock()
+    pool.active_links.return_value = []
+    pool.status_table.return_value = ""
+    wait = MagicMock()
+    monkeypatch.setattr(client_module.state, "pool", pool)
+    monkeypatch.setattr(client_module, "BeaconAnnounceHandler", MagicMock(return_value=object()))
+    monkeypatch.setattr(client_module, "_connect_beacons", MagicMock())
+    monkeypatch.setattr(client_module, "_wait_for_discover_beacon", wait)
+    args = types.SimpleNamespace(discover=True, beacon=["a" * 32])
+
+    client_module._setup_beacons(args, one_shot=True)
+
+    wait.assert_called_once_with()
+
+
+def test_setup_beacons_skips_discovery_wait_when_explicit_link_is_active(monkeypatch, client_module):
+    pool = MagicMock()
+    pool.active_links.return_value = [object()]
+    pool.status_table.return_value = ""
+    wait = MagicMock()
+    monkeypatch.setattr(client_module.state, "pool", pool)
+    monkeypatch.setattr(client_module, "BeaconAnnounceHandler", MagicMock(return_value=object()))
+    monkeypatch.setattr(client_module, "_connect_beacons", MagicMock())
+    monkeypatch.setattr(client_module, "_wait_for_discover_beacon", wait)
+    args = types.SimpleNamespace(discover=True, beacon=["a" * 32])
+
+    client_module._setup_beacons(args, one_shot=True)
+
+    wait.assert_not_called()
diff --git a/tests/test_demo_durable_nonce_relay.py b/tests/test_demo_durable_nonce_relay.py
new file mode 100644
index 0000000..0d487dd
--- /dev/null
+++ b/tests/test_demo_durable_nonce_relay.py
@@ -0,0 +1,151 @@
+"""Focused response-validation tests for the durable nonce demo."""
+
+import importlib.util
+import stat
+import sys
+import types
+from pathlib import Path
+from unittest.mock import MagicMock
+
+import pytest
+from solders.keypair import Keypair
+
+import state
+
+
+_mesh_stub = types.ModuleType("mesh")
+_mesh_stub.BeaconPool = object
+_mesh_stub.BeaconAnnounceHandler = object
+_mesh_stub.start_reticulum = lambda *_: None
+_prior_mesh = sys.modules.get("mesh")
+sys.modules["mesh"] = _mesh_stub
+try:
+    _path = Path(__file__).parents[1] / "scripts" / "demo_durable_nonce_relay.py"
+    _spec = importlib.util.spec_from_file_location("demo_durable_nonce_relay_under_test", _path)
+    assert _spec is not None and _spec.loader is not None
+    demo = importlib.util.module_from_spec(_spec)
+    _spec.loader.exec_module(demo)
+finally:
+    if _prior_mesh is None:
+        sys.modules.pop("mesh", None)
+    else:
+        sys.modules["mesh"] = _prior_mesh
+
+
+ZERO_HASH = "11111111111111111111111111111111"
+
+
+@pytest.fixture
+def timer():
+    value = MagicMock()
+    value.mark.return_value = 0
+    return value
+
+
+def test_extract_result_rejects_non_object_response():
+    assert demo.extract_result(["not", "an", "object"]) is None
+
+
+def test_mesh_rpc_rejects_non_object_response(monkeypatch, capsys):
+    pool = MagicMock()
+    pool.call.return_value = ["not", "an", "object"]
+    monkeypatch.setattr(state, "pool", pool)
+
+    assert demo.mesh_rpc("getSlot") is None
+    assert "expected an object" in capsys.readouterr().out
+
+
+def test_step_load_keypair_handles_failure(monkeypatch, capsys):
+    def fail(_path):
+        raise OSError("refused")
+
+    monkeypatch.setattr(demo, "_load_private_keypair", fail)
+
+    assert demo.step_load_keypair("payer.json") is None
+    assert "Could not load keypair: refused" in capsys.readouterr().out
+
+
+@pytest.mark.parametrize("signature", [[], {}, "", True])
+def test_step_airdrop_rejects_non_string_signature(monkeypatch, timer, signature):
+    wait = MagicMock()
+    monkeypatch.setattr(demo, "mesh_rpc", lambda *_: {"result": signature})
+    monkeypatch.setattr(demo, "wait_for_confirmation", wait)
+
+    assert demo.step_airdrop("address", 1, timer) is None
+    wait.assert_not_called()
+
+
+def test_step_create_nonce_rejects_boolean_rent(monkeypatch, tmp_path, timer, capsys):
+    monkeypatch.setattr(demo, "mesh_rpc", lambda *_: {"result": True})
+
+    assert demo.step_create_nonce(Keypair(), str(tmp_path), timer) == (None, None)
+    nonce_path = tmp_path / "demo_nonce.json"
+    assert stat.S_IMODE(nonce_path.stat().st_mode) == 0o600
+    assert "Unexpected rent exemption response" in capsys.readouterr().out
+
+
+def test_step_create_nonce_rejects_non_string_signature(monkeypatch, tmp_path, timer, capsys):
+    responses = iter([
+        {"result": 1_447_680},
+        {"result": {"value": {"blockhash": ZERO_HASH}}},
+        {"result": ["not", "a", "signature"]},
+    ])
+    wait = MagicMock()
+    monkeypatch.setattr(demo, "mesh_rpc", lambda *_: next(responses))
+    monkeypatch.setattr(demo, "wait_for_confirmation", wait)
+
+    assert demo.step_create_nonce(Keypair(), str(tmp_path), timer) == (None, None)
+    assert "invalid signature" in capsys.readouterr().out
+    wait.assert_not_called()
+
+
+@pytest.mark.parametrize("parsed, expected", [
+    ([], "parsed nonce data must be an object"),
+    ({"type": "initialized", "info": []}, "nonce info must be an object"),
+    (
+        {"type": "initialized", "info": {"blockhash": ["not", "a", "string"]}},
+        "nonce blockhash must be a non-empty string",
+    ),
+])
+def test_step_fetch_nonce_rejects_malformed_fields(monkeypatch, timer, capsys, parsed, expected):
+    monkeypatch.setattr(
+        demo,
+        "mesh_rpc",
+        lambda *_: {"result": {"value": {"data": {"parsed": parsed}}}},
+    )
+
+    assert demo.step_fetch_nonce("nonce-pubkey", timer) is None
+    assert expected in capsys.readouterr().out
+
+
+def test_step_relay_tx_rejects_non_string_signature(monkeypatch, timer, capsys):
+    monkeypatch.setattr(demo, "mesh_rpc", lambda *_: {"result": {"bad": "signature"}})
+
+    assert demo.step_relay_tx("transaction", timer) is None
+    assert "invalid signature" in capsys.readouterr().out
+
+
+def test_wait_for_confirmation_ignores_non_object_status(monkeypatch, capsys):
+    clock = iter([0, 0, 2])
+    monkeypatch.setattr(demo.time, "time", lambda: next(clock))
+    monkeypatch.setattr(demo.time, "sleep", lambda *_: None)
+    monkeypatch.setattr(demo, "mesh_rpc", lambda *_: {"result": {"value": ["bad-status"]}})
+
+    assert demo.wait_for_confirmation("signature", "transfer", timeout=1) is False
+    assert "Unexpected getSignatureStatuses entry" in capsys.readouterr().out
+
+
+@pytest.mark.parametrize("value", ["0", "-1", str(1 << 64)])
+def test_positive_u64_rejects_invalid_value(value):
+    with pytest.raises(ValueError):
+        demo._positive_u64(value)
+
+
+def test_extract_balance_rejects_boolean(capsys):
+    assert demo._extract_balance({"result": True}) == 0
+    assert "Unexpected getBalance response" in capsys.readouterr().out
+
+
+def test_step_sign_nonce_transfer_rejects_invalid_lamports(timer, capsys):
+    assert demo.step_sign_nonce_transfer(Keypair(), "recipient", -1, "nonce", ZERO_HASH, timer) is None
+    assert "positive u64 integer" in capsys.readouterr().out
diff --git a/tests/test_gateway_requests.py b/tests/test_gateway_requests.py
new file mode 100644
index 0000000..b5f2ea4
--- /dev/null
+++ b/tests/test_gateway_requests.py
@@ -0,0 +1,488 @@
+"""Regression tests for untrusted mesh gateway request payloads."""
+from __future__ import annotations
+
+import base64
+import json
+import stat
+from unittest.mock import MagicMock, patch
+
+import pytest
+from solders.hash import Hash
+from solders.instruction import AccountMeta, Instruction
+from solders.keypair import Keypair
+from solders.message import Message
+from solders.pubkey import Pubkey
+from solders.system_program import (
+    advance_nonce_account, transfer, AdvanceNonceAccountParams, TransferParams,
+)
+from solders.transaction import Transaction
+
+import beacon
+from scripts import exit_node
+from shared import MAX_MESH_REQUEST_BYTES, MAX_MESH_RESPONSE_BYTES, build_rpc, decode_json
+
+
+def _execute_payment_transaction(extra_instructions=None, broadcaster=None, include_ata=False):
+    payer = Keypair()
+    broadcaster = broadcaster or Keypair()
+    nonce = Keypair().pubkey()
+    advance = advance_nonce_account(AdvanceNonceAccountParams(
+        nonce_pubkey=nonce,
+        authorized_pubkey=payer.pubkey(),
+    ))
+    ata_instructions = []
+    if include_ata:
+        ata_instructions.append(Instruction(
+            program_id=Pubkey.from_string(beacon._ATA_PROGRAM_ID),
+            accounts=[
+                AccountMeta(payer.pubkey(), True, True),
+                AccountMeta(Keypair().pubkey(), False, True),
+                AccountMeta(broadcaster.pubkey(), False, False),
+                AccountMeta(Keypair().pubkey(), False, False),
+                AccountMeta(Pubkey.from_string(beacon._SYSTEM_PROGRAM_ID), False, False),
+                AccountMeta(Keypair().pubkey(), False, False),
+            ],
+            data=b"\x01",
+        ))
+    accounts = [
+        AccountMeta(payer.pubkey(), True, True),
+        AccountMeta(broadcaster.pubkey(), True, False),
+        *[AccountMeta(Keypair().pubkey(), False, True) for _ in range(19)],
+    ]
+    execute_payment = Instruction(
+        program_id=Pubkey.from_string(beacon._MXE_PROGRAM_ID),
+        accounts=accounts,
+        data=beacon._EXECUTE_PAYMENT_DISC + b"\x00" * 96,
+    )
+    blockhash = Hash.default()
+    message = Message.new_with_blockhash(
+        [advance, *ata_instructions, *(extra_instructions or []), execute_payment],
+        payer.pubkey(),
+        blockhash,
+    )
+    tx = Transaction.new_unsigned(message)
+    tx.partial_sign([payer], blockhash)
+    return tx, broadcaster
+
+
+def _http_response(body: bytes):
+    response = MagicMock()
+    response.iter_content.return_value = [body]
+    return response
+
+
+def _valid_arcium_meta(**overrides):
+    pubkeys = [str(Keypair().pubkey()) for _ in range(4)]
+    meta = {
+        "amount": 1,
+        "mint": pubkeys[0],
+        "payer_ta": pubkeys[1],
+        "recipient": pubkeys[2],
+        "recipient_ta": pubkeys[3],
+    }
+    meta.update(overrides)
+    return meta
+
+
+@pytest.mark.parametrize("payload", [[], "getBalance", 1, None])
+def test_beacon_rejects_non_object_json_without_forwarding(payload):
+    with patch.object(beacon.requests, "post") as post:
+        response = decode_json(beacon.forward_to_solana(json.dumps(payload).encode()))
+
+    assert response["error"]["message"] == "Invalid JSON-RPC payload: expected object"
+    post.assert_not_called()
+
+
+@pytest.mark.parametrize("payload", [[], "getBalance", 1, None])
+def test_exit_node_rejects_non_object_json_without_forwarding(payload):
+    with patch.object(exit_node.requests, "post") as post:
+        response, method, rtt_ms = exit_node.forward_rpc(json.dumps(payload).encode())
+
+    assert decode_json(response)["error"]["message"] == "Invalid JSON-RPC payload: expected object"
+    assert method == "?"
+    assert rtt_ms == 0.0
+    post.assert_not_called()
+
+
+def test_beacon_custom_network_requires_rpc_url(monkeypatch, capsys):
+    monkeypatch.delenv("SOLANA_RPC_URL", raising=False)
+    with pytest.raises(SystemExit):
+        beacon.setup_beacon(None, "custom", None)
+    assert "Custom network requires --rpc or SOLANA_RPC_URL" in capsys.readouterr().out
+
+
+def test_exit_node_custom_network_requires_rpc_url(monkeypatch, capsys):
+    monkeypatch.delenv("ANONMESH_RPC_URL", raising=False)
+    with pytest.raises(SystemExit):
+        exit_node.setup_exit_node(None, "custom", None)
+    assert "Custom network requires --rpc or ANONMESH_RPC_URL" in capsys.readouterr().out
+
+
+def test_beacon_rejects_oversized_mesh_request_without_forwarding():
+    with patch.object(beacon, "forward_to_solana") as forward:
+        response = decode_json(beacon.rpc_request_handler(
+            "/rpc", b"x" * (MAX_MESH_REQUEST_BYTES + 1), None, None, None, None,
+        ))
+
+    assert response["error"]["message"] == "Mesh request exceeds size limit"
+    forward.assert_not_called()
+
+
+def test_exit_node_rejects_oversized_mesh_request_without_forwarding():
+    with patch.object(exit_node, "forward_rpc") as forward:
+        response = decode_json(exit_node.rpc_request_handler(
+            "/rpc", b"x" * (MAX_MESH_REQUEST_BYTES + 1), None, None, None, None,
+        ))
+
+    assert response["error"]["message"] == "Mesh request exceeds size limit"
+    forward.assert_not_called()
+
+
+def test_beacon_rejects_non_list_cosign_params_without_forwarding(monkeypatch):
+    monkeypatch.setattr(beacon, "HAS_SOLDERS", True)
+    monkeypatch.setattr(beacon, "beacon_cosign_keypair", object())
+    request = {
+        "jsonrpc": "2.0",
+        "id": 7,
+        "method": "cosignTransaction",
+        "params": {"tx": "not-positional"},
+    }
+
+    with patch.object(beacon.requests, "post") as post:
+        response = decode_json(beacon.forward_to_solana(json.dumps(request).encode()))
+
+    assert response["error"]["message"] == "cosignTransaction: params[0] must be a base64 tx"
+    assert response["id"] == 7
+    post.assert_not_called()
+
+
+def test_beacon_cosigns_allowlisted_execute_payment_shape(monkeypatch):
+    tx, broadcaster = _execute_payment_transaction(include_ata=True)
+    monkeypatch.setattr(beacon, "HAS_SOLDERS", True)
+    monkeypatch.setattr(beacon, "beacon_cosign_keypair", broadcaster)
+
+    with patch.object(beacon, "forward_plain_rpc", return_value=b'{"result":"sig"}') as forward:
+        response = decode_json(beacon._handle_cosign_transaction(
+            [base64.b64encode(bytes(tx)).decode()], 7, 1,
+        ))
+
+    assert response["result"] == "sig"
+    submitted_b64 = forward.call_args.args[0]["params"][0]
+    submitted = Transaction.from_bytes(base64.b64decode(submitted_b64))
+    assert submitted.verify_with_results() == [True, True]
+
+
+def test_beacon_rejects_noncanonical_base64_cosign_transaction(monkeypatch):
+    tx, broadcaster = _execute_payment_transaction()
+    monkeypatch.setattr(beacon, "HAS_SOLDERS", True)
+    monkeypatch.setattr(beacon, "beacon_cosign_keypair", broadcaster)
+    encoded = base64.b64encode(bytes(tx)).decode() + "!"
+
+    with patch.object(beacon, "forward_plain_rpc") as forward:
+        response = decode_json(beacon._handle_cosign_transaction([encoded], 7, 1))
+
+    assert response["error"]["message"].startswith("Co-sign failed:")
+    forward.assert_not_called()
+
+
+def test_beacon_rejects_cosign_shape_that_can_spend_broadcaster_funds(monkeypatch):
+    _, broadcaster = _execute_payment_transaction()
+    spend = transfer(TransferParams(
+        from_pubkey=broadcaster.pubkey(),
+        to_pubkey=Keypair().pubkey(),
+        lamports=1,
+    ))
+    tx, _ = _execute_payment_transaction([spend], broadcaster)
+    monkeypatch.setattr(beacon, "HAS_SOLDERS", True)
+    monkeypatch.setattr(beacon, "beacon_cosign_keypair", broadcaster)
+
+    with patch.object(beacon, "forward_plain_rpc") as forward:
+        response = decode_json(beacon._handle_cosign_transaction(
+            [base64.b64encode(bytes(tx)).decode()], 7, 1,
+        ))
+
+    assert response["error"]["message"].startswith("Co-sign rejected:")
+    forward.assert_not_called()
+
+
+def test_beacon_rejects_cosign_shape_with_unallowlisted_instruction(monkeypatch):
+    unrelated = Instruction(
+        program_id=Keypair().pubkey(),
+        accounts=[],
+        data=b"",
+    )
+    tx, broadcaster = _execute_payment_transaction([unrelated])
+    monkeypatch.setattr(beacon, "HAS_SOLDERS", True)
+    monkeypatch.setattr(beacon, "beacon_cosign_keypair", broadcaster)
+
+    with patch.object(beacon, "forward_plain_rpc") as forward:
+        response = decode_json(beacon._handle_cosign_transaction(
+            [base64.b64encode(bytes(tx)).decode()], 7, 1,
+        ))
+
+    assert response["error"]["message"].startswith("Co-sign rejected:")
+    forward.assert_not_called()
+
+
+def test_beacon_repairs_cosign_keypair_permissions(tmp_path, monkeypatch):
+    path = tmp_path / "payer.json"
+    path.write_text("[1, 2, 3]")
+    path.chmod(0o666)
+    fake_keypair = MagicMock()
+    fake_keypair.pubkey.return_value = "payer-pubkey"
+    keypair_type = MagicMock()
+    keypair_type.from_bytes.return_value = fake_keypair
+    monkeypatch.setattr(beacon, "HAS_SOLDERS", True)
+    monkeypatch.setattr(beacon, "_Keypair", keypair_type)
+    monkeypatch.setattr(beacon, "beacon_cosign_keypair", None)
+    monkeypatch.setenv("ARCIUM_PAYER_KEYPAIR", str(path))
+
+    beacon._load_cosign_keypair()
+
+    assert stat.S_IMODE(path.stat().st_mode) == 0o600
+    keypair_type.from_bytes.assert_called_once_with(bytes([1, 2, 3]))
+
+
+def test_beacon_refuses_symlinked_cosign_keypair_without_chmod_target(tmp_path, monkeypatch, capsys):
+    target = tmp_path / "payer.json"
+    target.write_text("[1, 2, 3]")
+    target.chmod(0o666)
+    path = tmp_path / "payer-link.json"
+    path.symlink_to(target)
+    monkeypatch.setattr(beacon, "HAS_SOLDERS", True)
+    monkeypatch.setattr(beacon, "beacon_cosign_keypair", None)
+    monkeypatch.setenv("ARCIUM_PAYER_KEYPAIR", str(path))
+
+    beacon._load_cosign_keypair()
+
+    assert beacon.beacon_cosign_keypair is None
+    assert stat.S_IMODE(target.stat().st_mode) == 0o666
+    assert "Could not load ARCIUM_PAYER_KEYPAIR" in capsys.readouterr().out
+
+
+@pytest.mark.parametrize("params", [1, ["tx", {"arcium": "not-an-object"}]])
+def test_beacon_logs_skip_for_malformed_arcium_stats_metadata(params, monkeypatch, capsys):
+    arcium = MagicMock(enabled=True)
+    monkeypatch.setattr(beacon, "arcium", arcium)
+    for variable in (
+        "ARCIUM_MINT",
+        "ARCIUM_PAYER_TOKEN_ACCOUNT",
+        "ARCIUM_RECIPIENT_TOKEN_ACCOUNT",
+        "ARCIUM_BROADCASTER_TOKEN_ACCOUNT",
+    ):
+        monkeypatch.delenv(variable, raising=False)
+
+    beacon._maybe_log_arcium_stats(params, b'{"result":"signature"}', 1)
+
+    arcium.log_payment_stats.assert_not_called()
+    assert "Arcium skipped" in capsys.readouterr().out
+
+
+@pytest.mark.parametrize("amount", [-1, True, 1.5, str(1 << 64), "9" * 100_000, "١"])
+def test_beacon_rejects_invalid_arcium_stats_amount(amount, monkeypatch, capsys):
+    arcium = MagicMock(enabled=True)
+    monkeypatch.setattr(beacon, "arcium", arcium)
+
+    beacon._fire_arcium_stats(
+        _valid_arcium_meta(amount=amount),
+        1,
+        "test",
+    )
+
+    arcium.log_payment_stats.assert_not_called()
+    assert "amount must be a u64 integer" in capsys.readouterr().out
+
+
+def test_beacon_rejects_non_string_arcium_stats_account(monkeypatch, capsys):
+    arcium = MagicMock(enabled=True)
+    monkeypatch.setattr(beacon, "arcium", arcium)
+
+    beacon._fire_arcium_stats(
+        _valid_arcium_meta(mint=["not", "a", "string"]),
+        1,
+        "test",
+    )
+
+    arcium.log_payment_stats.assert_not_called()
+    assert "account metadata must be strings" in capsys.readouterr().out
+
+
+def test_beacon_rejects_invalid_arcium_stats_pubkey(monkeypatch, capsys):
+    arcium = MagicMock(enabled=True)
+    monkeypatch.setattr(beacon, "arcium", arcium)
+
+    beacon._fire_arcium_stats(
+        _valid_arcium_meta(mint="not-a-solana-pubkey"),
+        1,
+        "test",
+    )
+
+    arcium.log_payment_stats.assert_not_called()
+    assert "account metadata must be valid Solana public keys" in capsys.readouterr().out
+
+
+def test_beacon_requires_recipient_token_account_before_queuing_arcium_stats(monkeypatch, capsys):
+    arcium = MagicMock(enabled=True)
+    monkeypatch.setattr(beacon, "arcium", arcium)
+    meta = _valid_arcium_meta()
+    del meta["recipient_ta"]
+
+    beacon._fire_arcium_stats(meta, 1, "test")
+
+    arcium.log_payment_stats.assert_not_called()
+    assert "missing: recipient_ta" in capsys.readouterr().out
+
+
+def test_beacon_queues_valid_arcium_stats_metadata(monkeypatch):
+    arcium = MagicMock(enabled=True)
+    monkeypatch.setattr(beacon, "arcium", arcium)
+
+    beacon._fire_arcium_stats(
+        _valid_arcium_meta(amount="42"),
+        1,
+        "test",
+    )
+
+    assert arcium.log_payment_stats.call_args.kwargs["amount"] == 42
+
+
+def test_beacon_connection_error_does_not_leak_rpc_credentials(monkeypatch, capsys):
+    secret_url = "https://user:pass@rpc.example.test/private-token?api-key=secret"
+    monkeypatch.setattr(beacon, "rpc_endpoint", secret_url)
+    error = beacon.requests.exceptions.ConnectionError(f"failed to reach {secret_url}")
+
+    with patch.object(beacon.requests, "post", side_effect=error):
+        response = decode_json(beacon.forward_plain_rpc({}, 1, 1, "getSlot"))
+
+    output = capsys.readouterr().out
+    assert response["error"]["message"] == "Solana RPC connection error"
+    assert "secret" not in output
+    assert "user:pass" not in output
+    assert "https://rpc.example.test/..." in output
+
+
+def test_beacon_uses_configured_ca_bundle_for_forwarding(tmp_path, monkeypatch):
+    ca_bundle = tmp_path / "private-rpc-ca.pem"
+    ca_bundle.write_text("test certificate bundle")
+    monkeypatch.setenv("REQUESTS_CA_BUNDLE", str(ca_bundle))
+    http_response = _http_response(b'{"result":1}')
+
+    with patch.object(beacon.requests, "post", return_value=http_response) as post:
+        assert decode_json(beacon.forward_plain_rpc({}, 1, 1, "getSlot")) == {"result": 1}
+
+    assert post.call_args.kwargs["verify"] == str(ca_bundle)
+
+
+def test_exit_node_connection_error_does_not_leak_rpc_credentials(monkeypatch, capsys):
+    secret_url = "https://user:pass@rpc.example.test/private-token?api-key=secret"
+    monkeypatch.setattr(exit_node, "rpc_endpoint", secret_url)
+    error = exit_node.requests.exceptions.ConnectionError(f"failed to reach {secret_url}")
+
+    with patch.object(exit_node.requests, "post", side_effect=error):
+        response, method, _ = exit_node.forward_rpc(build_rpc("getSlot"))
+
+    output = capsys.readouterr().out
+    assert decode_json(response)["error"]["message"] == "Solana RPC connection error"
+    assert method == "getSlot"
+    assert "secret" not in output
+    assert "user:pass" not in output
+    assert "https://rpc.example.test/..." in output
+
+
+def test_beacon_logs_scalar_rpc_error_without_traceback(capsys):
+    http_response = _http_response(b'{"error":"busy"}')
+
+    with patch.object(beacon.requests, "post", return_value=http_response):
+        response = decode_json(beacon.forward_plain_rpc({}, 1, 1, "getSlot"))
+
+    assert response == {"error": "busy"}
+    assert "Solana error: busy" in capsys.readouterr().out
+
+
+def test_beacon_ignores_non_list_simulation_logs(capsys):
+    body = {"error": {"message": "failed", "data": {"logs": "do-not-iterate"}}}
+    http_response = _http_response(json.dumps(body).encode())
+
+    with patch.object(beacon.requests, "post", return_value=http_response):
+        assert decode_json(beacon.forward_plain_rpc({}, 1, 1, "simulateTransaction")) == body
+
+    assert "sim>" not in capsys.readouterr().out
+
+
+def test_beacon_caps_simulation_log_rendering(capsys):
+    logs = [f"log-{index}" for index in range(101)]
+    body = {"error": {"message": "failed", "data": {"logs": logs}}}
+    http_response = _http_response(json.dumps(body).encode())
+
+    with patch.object(beacon.requests, "post", return_value=http_response):
+        assert decode_json(beacon.forward_plain_rpc({}, 1, 1, "simulateTransaction")) == body
+
+    output = capsys.readouterr().out
+    assert "sim> log-99" in output
+    assert "sim> log-100" not in output
+    assert "1 more lines omitted" in output
+
+
+def test_exit_node_logs_scalar_rpc_error_without_traceback(capsys):
+    http_response = _http_response(b'{"error":"busy"}')
+
+    with patch.object(exit_node.requests, "post", return_value=http_response):
+        response, method, _ = exit_node.forward_rpc(build_rpc("getSlot"))
+
+    assert decode_json(response) == {"error": "busy"}
+    assert method == "getSlot"
+    assert "error: busy" in capsys.readouterr().out
+
+
+@pytest.mark.parametrize("body", [
+    b"not-json",
+    b"[]",
+    b"{}",
+    b'{"result":1,"error":"bad"}',
+])
+def test_beacon_rejects_malformed_solana_response(body):
+    http_response = _http_response(body)
+
+    with patch.object(beacon.requests, "post", return_value=http_response):
+        response = decode_json(beacon.forward_plain_rpc({}, 1, 1, "getSlot"))
+
+    assert response["error"]["message"] == "Solana RPC returned invalid JSON-RPC response"
+
+
+@pytest.mark.parametrize("body", [
+    b"not-json",
+    b"[]",
+    b"{}",
+    b'{"result":1,"error":"bad"}',
+])
+def test_exit_node_rejects_malformed_solana_response(body):
+    http_response = _http_response(body)
+
+    with patch.object(exit_node.requests, "post", return_value=http_response):
+        response, method, _ = exit_node.forward_rpc(build_rpc("getSlot"))
+
+    assert decode_json(response)["error"]["message"] == "Solana RPC returned invalid JSON-RPC response"
+    assert method == "getSlot"
+
+
+def test_beacon_rejects_oversized_solana_response():
+    http_response = _http_response(b"x" * (MAX_MESH_RESPONSE_BYTES + 1))
+
+    with patch.object(beacon.requests, "post", return_value=http_response) as post:
+        response = decode_json(beacon.forward_plain_rpc({}, 1, 1, "getSlot"))
+
+    assert response["error"]["message"] == "Solana RPC response exceeds mesh size limit"
+    assert post.call_args.kwargs["stream"] is True
+    http_response.close.assert_called_once_with()
+
+
+def test_exit_node_rejects_oversized_solana_response():
+    http_response = _http_response(b"x" * (MAX_MESH_RESPONSE_BYTES + 1))
+
+    with patch.object(exit_node.requests, "post", return_value=http_response) as post:
+        response, method, _ = exit_node.forward_rpc(build_rpc("getSlot"))
+
+    assert decode_json(response)["error"]["message"] == "Solana RPC response exceeds mesh size limit"
+    assert method == "getSlot"
+    assert post.call_args.kwargs["stream"] is True
+    http_response.close.assert_called_once_with()
diff --git a/tests/test_headless_node.py b/tests/test_headless_node.py
new file mode 100644
index 0000000..bf9c6e5
--- /dev/null
+++ b/tests/test_headless_node.py
@@ -0,0 +1,208 @@
+"""Regression tests for the headless-node launcher."""
+from __future__ import annotations
+
+import os
+from pathlib import Path
+import stat
+import subprocess
+
+
+PROJECT_ROOT = Path(__file__).resolve().parent.parent
+LAUNCHER = PROJECT_ROOT / "scripts" / "headless-node.sh"
+
+
+def test_launcher_uses_restrictive_umask(tmp_path):
+    fake_python = tmp_path / "python"
+    fake_python.write_text(
+        "#!/usr/bin/env bash\n"
+        "mkdir -p \"$ANONMESH_STATE_DIR\"\n"
+        "umask > \"$ANONMESH_STATE_DIR/observed-umask\"\n"
+    )
+    fake_python.chmod(0o755)
+    state_dir = tmp_path / "state"
+    env = {
+        **os.environ,
+        "ANONMESH_PYTHON": str(fake_python),
+        "ANONMESH_STATE_DIR": str(state_dir),
+    }
+
+    result = subprocess.run(
+        [str(LAUNCHER), "preflight"],
+        check=False,
+        env=env,
+    )
+
+    assert result.returncode == 0
+    assert int((state_dir / "observed-umask").read_text().strip(), 8) == 0o77
+
+
+def test_launcher_repairs_existing_state_permissions(tmp_path):
+    state_dir = tmp_path / "state"
+    state_dir.mkdir()
+    state_dir.chmod(0o777)
+    log_file = state_dir / "headless-node.log"
+    log_file.write_text("existing log")
+    log_file.chmod(0o666)
+    env = {**os.environ, "ANONMESH_STATE_DIR": str(state_dir)}
+
+    result = subprocess.run(
+        [str(LAUNCHER), "status"],
+        check=False,
+        capture_output=True,
+        text=True,
+        env=env,
+    )
+
+    assert result.returncode == 1
+    assert stat.S_IMODE(state_dir.stat().st_mode) == 0o700
+    assert stat.S_IMODE(log_file.stat().st_mode) == 0o600
+
+
+def test_launcher_refuses_symlinked_state_file(tmp_path):
+    state_dir = tmp_path / "state"
+    state_dir.mkdir()
+    target = tmp_path / "keep.txt"
+    target.write_text("keep")
+    (state_dir / "headless-node.log").symlink_to(target)
+    env = {**os.environ, "ANONMESH_STATE_DIR": str(state_dir)}
+
+    result = subprocess.run(
+        [str(LAUNCHER), "status"],
+        check=False,
+        capture_output=True,
+        text=True,
+        env=env,
+    )
+
+    assert result.returncode == 1
+    assert "refusing unsafe headless-node state file" in result.stderr
+    assert target.read_text() == "keep"
+
+
+def test_launcher_refuses_fifo_state_file(tmp_path):
+    state_dir = tmp_path / "state"
+    state_dir.mkdir()
+    os.mkfifo(state_dir / "headless-node.log")
+    env = {**os.environ, "ANONMESH_STATE_DIR": str(state_dir)}
+
+    result = subprocess.run(
+        [str(LAUNCHER), "status"],
+        check=False,
+        capture_output=True,
+        text=True,
+        env=env,
+        timeout=3,
+    )
+
+    assert result.returncode == 1
+    assert "refusing unsafe headless-node state file" in result.stderr
+
+
+def test_launcher_refuses_symlinked_state_directory_without_chmod_target(tmp_path):
+    target = tmp_path / "target"
+    target.mkdir()
+    target.chmod(0o777)
+    state_dir = tmp_path / "state"
+    state_dir.symlink_to(target, target_is_directory=True)
+    env = {**os.environ, "ANONMESH_STATE_DIR": str(state_dir)}
+
+    result = subprocess.run(
+        [str(LAUNCHER), "status"],
+        check=False,
+        capture_output=True,
+        text=True,
+        env=env,
+    )
+
+    assert result.returncode == 1
+    assert "refusing unsafe headless-node state path" in result.stderr
+    assert stat.S_IMODE(target.stat().st_mode) == 0o777
+
+
+def test_stop_clears_stale_pid_without_signalling_unrelated_process(tmp_path):
+    sleeper = subprocess.Popen(["sleep", "30"])
+    try:
+        (tmp_path / "headless-node.pid").write_text(f"{sleeper.pid}\n")
+        env = {**os.environ, "ANONMESH_STATE_DIR": str(tmp_path)}
+
+        result = subprocess.run(
+            [str(LAUNCHER), "stop"],
+            check=False,
+            capture_output=True,
+            text=True,
+            env=env,
+        )
+
+        assert result.returncode == 0
+        assert "already stopped" in result.stdout
+        assert sleeper.poll() is None
+        assert not (tmp_path / "headless-node.pid").exists()
+    finally:
+        sleeper.terminate()
+        sleeper.wait(timeout=3)
+
+
+def test_start_failure_clears_pid_file(tmp_path):
+    fake_python = tmp_path / "python"
+    fake_python.write_text(
+        "#!/usr/bin/env bash\n"
+        "[[ \"$1\" == *preflight.py ]] && exit 0\n"
+        "exit 1\n"
+    )
+    fake_python.chmod(0o755)
+    env = {
+        **os.environ,
+        "ANONMESH_PYTHON": str(fake_python),
+        "ANONMESH_STATE_DIR": str(tmp_path / "state"),
+    }
+
+    result = subprocess.run(
+        [str(LAUNCHER), "start"],
+        check=False,
+        capture_output=True,
+        text=True,
+        env=env,
+    )
+
+    assert result.returncode == 1
+    assert "failed to start" in result.stderr
+    assert not (tmp_path / "state" / "headless-node.pid").exists()
+
+
+def test_start_keeps_rpc_url_out_of_process_args(tmp_path):
+    fake_python = tmp_path / "python"
+    fake_python.write_text(
+        "#!/usr/bin/env bash\n"
+        "[[ \"$1\" == *preflight.py ]] && exit 0\n"
+        "while true; do sleep 1; done\n"
+    )
+    fake_python.chmod(0o755)
+    state_dir = tmp_path / "state"
+    secret_url = "https://rpc.example.test/private-token?api-key=secret"
+    env = {
+        **os.environ,
+        "ANONMESH_PYTHON": str(fake_python),
+        "ANONMESH_RPC_URL": secret_url,
+        "ANONMESH_STATE_DIR": str(state_dir),
+    }
+
+    try:
+        start = subprocess.run(
+            [str(LAUNCHER), "start"],
+            check=False,
+            capture_output=True,
+            text=True,
+            env=env,
+        )
+        assert start.returncode == 0
+        pid = (state_dir / "headless-node.pid").read_text().strip()
+        args = subprocess.run(
+            ["ps", "-ww", "-p", pid, "-o", "args="],
+            check=True,
+            capture_output=True,
+            text=True,
+        ).stdout
+        assert secret_url not in args
+        assert "api-key" not in args
+    finally:
+        subprocess.run([str(LAUNCHER), "stop"], check=False, env=env)
diff --git a/tests/test_menu.py b/tests/test_menu.py
new file mode 100644
index 0000000..3b5daf6
--- /dev/null
+++ b/tests/test_menu.py
@@ -0,0 +1,145 @@
+"""Focused tests for interactive menu helpers."""
+
+import concurrent.futures
+
+import pytest
+
+import menu
+
+
+@pytest.mark.parametrize("raw", [
+    "not-a-number", "nan", "inf", "-inf", "0", "-1",
+    "0.0000000001", "1e1000000000", "1e-1000000000",
+])
+def test_parse_positive_units_rejects_invalid_amount(raw):
+    assert menu._parse_positive_units(raw, 1_000_000_000) is None
+
+
+def test_parse_positive_units_converts_decimal_amount():
+    assert menu._parse_positive_units("1.5", 1_000_000_000) == 1_500_000_000
+
+
+def test_parse_positive_units_preserves_exact_u64_boundary():
+    assert menu._parse_positive_units("18446744073.709551615", 1_000_000_000) == (1 << 64) - 1
+
+
+def test_parse_positive_units_rejects_amount_above_u64_boundary():
+    assert menu._parse_positive_units("18446744073.709551616", 1_000_000_000) is None
+
+
+def test_parse_positive_units_rejects_fraction_hidden_beyond_decimal_precision():
+    assert menu._parse_positive_units("0.0000000010000000000000000000000000001", 1_000_000_000) is None
+
+
+@pytest.mark.parametrize("scale", [0, -1, True, 1.5])
+def test_parse_positive_units_rejects_invalid_scale(scale):
+    assert menu._parse_positive_units("1", scale) is None
+
+
+@pytest.mark.parametrize("raw", ["not-an-int", "-1", str(1 << 32)])
+def test_bounded_env_int_rejects_invalid_value(monkeypatch, raw):
+    monkeypatch.setenv("TEST_OFFSET", raw)
+    assert menu._bounded_env_int("TEST_OFFSET", "1", (1 << 32) - 1) is None
+
+
+def test_bounded_env_int_accepts_valid_value(monkeypatch):
+    monkeypatch.setenv("TEST_OFFSET", "456")
+    assert menu._bounded_env_int("TEST_OFFSET", "1", (1 << 32) - 1) == 456
+
+
+def test_fetch_balance_sol_accepts_wrapped_lamports(monkeypatch):
+    monkeypatch.setattr(menu, "rpc_call", lambda *_: {"result": {"value": 1_000_000_000}})
+    assert menu._fetch_balance_sol("address") == 1.0
+
+
+def test_fetch_balance_sol_rejects_malformed_result(monkeypatch):
+    monkeypatch.setattr(menu, "rpc_call", lambda *_: {"result": {"value": "not-lamports"}})
+    assert menu._fetch_balance_sol("address") is None
+
+
+@pytest.mark.parametrize("lamports", [-1, 1 << 64])
+def test_fetch_balance_sol_rejects_out_of_range_lamports(monkeypatch, lamports):
+    monkeypatch.setattr(menu, "rpc_call", lambda *_: {"result": {"value": lamports}})
+    assert menu._fetch_balance_sol("address") is None
+
+
+def test_broadcast_with_retry_accepts_string_signature(monkeypatch, capsys):
+    monkeypatch.setattr(menu, "rpc_call", lambda *_: {"result": "signature"})
+    menu._broadcast_with_retry("transaction")
+    assert "Signature:" in capsys.readouterr().out
+
+
+def test_broadcast_with_retry_escapes_terminal_control_bytes(monkeypatch, capsys):
+    monkeypatch.setattr(menu, "rpc_call", lambda *_: {"result": "before\x1b[2Jafter"})
+    menu._broadcast_with_retry("transaction")
+    output = capsys.readouterr().out
+    assert r"before\x1b[2Jafter" in output
+    assert "\x1b[2J" not in output
+
+
+def test_broadcast_with_retry_handles_scalar_error(monkeypatch, capsys):
+    monkeypatch.setattr(menu, "rpc_call", lambda *_: {"error": "busy"})
+    menu._broadcast_with_retry("transaction")
+    output = capsys.readouterr().out
+    assert "busy" in output
+    assert "All broadcast attempts failed" in output
+
+
+def test_broadcast_with_retry_rejects_malformed_signature(monkeypatch, capsys):
+    monkeypatch.setattr(menu, "rpc_call", lambda *_: {"result": {"unexpected": "object"}})
+    menu._broadcast_with_retry("transaction")
+    assert "All broadcast attempts failed" in capsys.readouterr().out
+
+
+def test_select_nonce_account_escapes_terminal_control_bytes_in_path(monkeypatch):
+    labels = []
+    pubkey = "a" * 44
+    monkeypatch.setattr(menu, "scan_nonce_accounts", lambda: [
+        {"pubkey": pubkey, "path": "before\x1b[2Jafter"},
+    ])
+    monkeypatch.setattr(menu, "_fetch_balance_sol", lambda *_: 1.0)
+    monkeypatch.setattr(menu, "_pick", lambda _prompt, options: labels.extend(options) or 0)
+
+    assert menu._select_nonce_account() == pubkey
+    assert r"before\x1b[2Jafter" in labels[0]
+    assert "\x1b[2J" not in labels[0]
+
+
+def test_select_nonce_account_caps_balance_lookup_workers(monkeypatch):
+    workers = []
+    original_executor = concurrent.futures.ThreadPoolExecutor
+    monkeypatch.setattr(menu, "scan_nonce_accounts", lambda: [
+        {"pubkey": f"{index:044d}", "path": f"nonce_{index}.json"}
+        for index in range(20)
+    ])
+    monkeypatch.setattr(menu, "_fetch_balance_sol", lambda *_: 1.0)
+    monkeypatch.setattr(menu, "_pick", lambda *_: 0)
+    monkeypatch.setattr(
+        concurrent.futures,
+        "ThreadPoolExecutor",
+        lambda *, max_workers: workers.append(max_workers) or original_executor(max_workers=max_workers),
+    )
+
+    assert menu._select_nonce_account() == f"{0:044d}"
+    assert workers == [menu._MAX_NONCE_BALANCE_WORKERS]
+
+
+def test_render_header_escapes_terminal_control_bytes_in_wallet_path(monkeypatch, capsys):
+    class Pool:
+        strategy = "race"
+
+        def active_links(self):
+            return []
+
+        def pending_count(self):
+            return 0
+
+    menu.state.pool = Pool()
+    menu.state.active_wallet = {"pubkey": "a" * 44, "path": "before\x1b[2Jafter"}
+    monkeypatch.setattr(menu, "_wallet_qr_lines", lambda _pubkey: [])
+
+    menu._render_header()
+
+    output = capsys.readouterr().out
+    assert r"before\x1b[2Jafter" in output
+    assert "\x1b[2J" not in output
diff --git a/tests/test_mesh.py b/tests/test_mesh.py
index dbe957d..c849770 100644
--- a/tests/test_mesh.py
+++ b/tests/test_mesh.py
@@ -48,6 +48,7 @@ def _make_mock_identity():
 def _make_established_link(bl: BeaconLink):
     """Simulate a link being established on a BeaconLink."""
     mock_link = MagicMock()
+    bl._pending_link = mock_link
     bl._on_established(mock_link)
     return mock_link
 
@@ -128,6 +129,7 @@ class TestBeaconLinkLifecycle:
     def test_on_established_sets_active(self):
         bl = BeaconLink(VALID_HASH_HEX)
         mock_link = MagicMock()
+        bl._pending_link = mock_link
         _state.identify_self = False
         bl._on_established(mock_link)
 
@@ -141,6 +143,7 @@ def test_on_established_sets_active(self):
     def test_on_established_identifies_when_configured(self):
         bl = BeaconLink(VALID_HASH_HEX)
         mock_link = MagicMock()
+        bl._pending_link = mock_link
         fake_id = _make_mock_identity()
         _state.identify_self = True
         _state.client_identity = fake_id
@@ -148,6 +151,28 @@ def test_on_established_identifies_when_configured(self):
 
         mock_link.identify.assert_called_once_with(fake_id)
 
+    def test_on_established_rejects_superseded_link(self):
+        bl = BeaconLink(VALID_HASH_HEX)
+        stale_link = MagicMock()
+        current_link = _make_established_link(bl)
+
+        bl._on_established(stale_link)
+
+        assert bl.active is True
+        assert bl.link is current_link
+        assert bl.ready.is_set()
+        stale_link.teardown.assert_called_once()
+
+    def test_on_established_duplicate_current_link_is_noop(self):
+        bl = BeaconLink(VALID_HASH_HEX)
+        current_link = _make_established_link(bl)
+
+        bl._on_established(current_link)
+
+        assert bl.active is True
+        assert bl.link is current_link
+        current_link.teardown.assert_not_called()
+
     def test_on_closed_clears_active_and_ready(self):
         bl = BeaconLink(VALID_HASH_HEX)
         mock_link = _make_established_link(bl)
@@ -176,6 +201,20 @@ def test_on_closed_schedules_reconnect(self):
             bl._on_closed(mock_link)
             mock_sched.assert_called_once()
 
+    def test_on_closed_ignores_replaced_link(self):
+        bl = BeaconLink(VALID_HASH_HEX)
+        stale_link = _make_established_link(bl)
+        current_link = _make_established_link(bl)
+        stale_link.teardown_reason = "timeout"
+
+        with patch.object(bl, "_schedule_reconnect") as mock_sched:
+            bl._on_closed(stale_link)
+
+        assert bl.active is True
+        assert bl.link is current_link
+        assert bl.ready.is_set()
+        mock_sched.assert_not_called()
+
     def test_teardown_sets_removed_and_tears_down_link(self):
         bl = BeaconLink(VALID_HASH_HEX)
         mock_link = _make_established_link(bl)
@@ -183,8 +222,21 @@ def test_teardown_sets_removed_and_tears_down_link(self):
 
         assert bl._removed is True
         assert bl.active is False
+        assert not bl.ready.is_set()
         mock_link.teardown.assert_called_once()
 
+    def test_teardown_cancels_pending_link(self):
+        bl = BeaconLink(VALID_HASH_HEX)
+        pending_link = MagicMock()
+        bl._pending_link = pending_link
+        bl.ready.set()
+
+        bl.teardown()
+
+        assert bl._pending_link is None
+        assert not bl.ready.is_set()
+        pending_link.teardown.assert_called_once()
+
     def test_teardown_tolerates_no_link(self):
         bl = BeaconLink(VALID_HASH_HEX)
         bl.teardown()  # should not raise
@@ -250,16 +302,29 @@ def test_connect_identity_recall_fails(self):
 
         assert result is False
 
+    def test_connect_after_removal_does_not_request_path(self):
+        bl = BeaconLink(VALID_HASH_HEX)
+        bl.teardown()
+
+        with patch.object(_mock_RNS.Transport, "has_path") as has_path:
+            result = bl.connect(timeout=0.3)
+
+        assert result is False
+        has_path.assert_not_called()
+
     def test_connect_link_establishment_timeout(self):
         bl = BeaconLink(VALID_HASH_HEX)
         _mock_RNS.Transport.has_path.return_value = True
         _mock_RNS.Identity.recall.return_value = _make_mock_identity()
         # Don't trigger the established callback → times out
-        _mock_RNS.Link.return_value = MagicMock()
+        mock_link_instance = MagicMock()
+        _mock_RNS.Link.return_value = mock_link_instance
 
         result = bl.connect(timeout=0.3)
 
         assert result is False
+        assert bl._pending_link is None
+        mock_link_instance.teardown.assert_called_once()
 
     def test_connect_with_identity_fast_path(self):
         bl = BeaconLink(VALID_HASH_HEX)
@@ -279,11 +344,52 @@ def establish_side_effect(cb):
 
     def test_connect_with_identity_timeout(self):
         bl = BeaconLink(VALID_HASH_HEX)
-        _mock_RNS.Link.return_value = MagicMock()
+        mock_link_instance = MagicMock()
+        _mock_RNS.Link.return_value = mock_link_instance
+
+        result = bl.connect_with_identity(_make_mock_identity(), timeout=0.3)
+
+        assert result is False
+        assert bl._pending_link is None
+        mock_link_instance.teardown.assert_called_once()
+
+    def test_connect_with_identity_after_removal_tears_down_attempt(self):
+        bl = BeaconLink(VALID_HASH_HEX)
+        mock_link_instance = MagicMock()
+        _mock_RNS.Link.return_value = mock_link_instance
+        bl.teardown()
 
         result = bl.connect_with_identity(_make_mock_identity(), timeout=0.3)
 
         assert result is False
+        assert bl._pending_link is None
+        mock_link_instance.teardown.assert_called_once()
+        mock_link_instance.set_link_established_callback.assert_not_called()
+
+    def test_start_link_attempt_tears_down_superseded_attempt(self):
+        bl = BeaconLink(VALID_HASH_HEX)
+        stale_link = MagicMock()
+        replacement_link = MagicMock()
+        bl._pending_link = stale_link
+        bl.ready.set()
+
+        assert bl._start_link_attempt(replacement_link) is True
+
+        assert bl._pending_link is replacement_link
+        assert not bl.ready.is_set()
+        stale_link.teardown.assert_called_once()
+
+    def test_start_link_attempt_preserves_link_that_already_won_race(self):
+        bl = BeaconLink(VALID_HASH_HEX)
+        current_link = _make_established_link(bl)
+        replacement_link = MagicMock()
+
+        assert bl._start_link_attempt(replacement_link) is False
+
+        assert bl.active is True
+        assert bl.link is current_link
+        assert bl.ready.is_set()
+        replacement_link.teardown.assert_called_once()
 
 
 # ═════════════════════════════════════════════════════════════════════════════
@@ -394,6 +500,22 @@ def test_request_response_ignores_non_rpc(self):
         assert not event.is_set()
         assert result_holder[0] is None
 
+    @pytest.mark.parametrize("payload", ["result", ["result"]])
+    def test_request_response_ignores_non_object_rpc_shape(self, payload):
+        bl = BeaconLink(VALID_HASH_HEX)
+        mock_link = _make_established_link(bl)
+        result_holder = [None, None]
+        event = threading.Event()
+        bl.request(b"payload", event, result_holder, 5.0)
+
+        on_response = mock_link.request.call_args.kwargs["response_callback"]
+        receipt = MagicMock()
+        receipt.response = json.dumps(payload).encode()
+        on_response(receipt)
+
+        assert not event.is_set()
+        assert result_holder[0] is None
+
     def test_request_response_ignores_none_response(self):
         bl = BeaconLink(VALID_HASH_HEX)
         mock_link = _make_established_link(bl)
@@ -424,6 +546,46 @@ def test_request_first_response_wins(self):
 
         assert result_holder[0]["result"] == "first"
 
+    def test_request_slower_decode_cannot_overwrite_faster_response(self):
+        slow = BeaconLink(VALID_HASH_HEX, label="slow")
+        fast = BeaconLink(VALID_HASH_HEX_2, label="fast")
+        slow_link = _make_established_link(slow)
+        fast_link = _make_established_link(fast)
+        result_holder = [None, None]
+        result_lock = threading.Lock()
+        event = threading.Event()
+        slow.request(b"payload", event, result_holder, 5.0, result_lock)
+        fast.request(b"payload", event, result_holder, 5.0, result_lock)
+        slow_callback = slow_link.request.call_args.kwargs["response_callback"]
+        fast_callback = fast_link.request.call_args.kwargs["response_callback"]
+        slow_entered = threading.Event()
+        release_slow = threading.Event()
+        real_decode = mesh.decode_rpc_response
+
+        def delayed_decode(raw):
+            parsed = real_decode(raw)
+            if parsed["result"] == "slow":
+                slow_entered.set()
+                release_slow.wait(timeout=5)
+            return parsed
+
+        def receipt(result):
+            value = MagicMock()
+            value.response = json.dumps({"jsonrpc": "2.0", "id": 1, "result": result}).encode()
+            return value
+
+        with patch.object(mesh, "decode_rpc_response", side_effect=delayed_decode):
+            slow_thread = threading.Thread(target=slow_callback, args=(receipt("slow"),))
+            slow_thread.start()
+            assert slow_entered.wait(timeout=5)
+            fast_callback(receipt("fast"))
+            release_slow.set()
+            slow_thread.join(timeout=5)
+
+        assert not slow_thread.is_alive()
+        assert result_holder[0]["result"] == "fast"
+        assert result_holder[1] == "fast"
+
     def test_request_handles_send_error(self):
         bl = BeaconLink(VALID_HASH_HEX)
         mock_link = _make_established_link(bl)
@@ -476,6 +638,12 @@ def test_add_invalid_hash_length(self):
         assert result is False
         assert pool.size() == 0
 
+    def test_add_invalid_hash_characters(self):
+        pool = BeaconPool()
+        result = pool.add("g" * len(VALID_HASH_HEX), connect=False)
+        assert result is False
+        assert pool.size() == 0
+
     def test_add_no_connect(self):
         pool = BeaconPool()
         result = pool.add(VALID_HASH_HEX, connect=False)
@@ -528,6 +696,16 @@ def test_remove_calls_teardown(self):
             pool.remove(VALID_HASH_HEX)
             mock_td.assert_called_once()
 
+    def test_discard_if_current_preserves_replacement(self):
+        pool = BeaconPool()
+        stale_link = BeaconLink(VALID_HASH_HEX)
+        replacement_link = BeaconLink(VALID_HASH_HEX)
+        pool._links[VALID_HASH_HEX] = replacement_link
+
+        pool._discard_if_current(VALID_HASH_HEX, stale_link)
+
+        assert pool.all_links() == [replacement_link]
+
 
 # ═════════════════════════════════════════════════════════════════════════════
 # BeaconPool — queries
@@ -593,7 +771,7 @@ def test_call_race_returns_first_response(self):
 
         rpc_result = {"jsonrpc": "2.0", "id": 1, "result": 12345}
 
-        def fake_request(payload, event, holder, timeout):
+        def fake_request(payload, event, holder, timeout, result_lock):
             holder[0] = rpc_result
             holder[1] = "A"
             event.set()
@@ -609,7 +787,7 @@ def test_call_race_all_fail(self):
         pool.add(VALID_HASH_HEX, connect=False)
         bl = pool.all_links()[0]
         _make_established_link(bl)
-        bl.request = lambda p, e, h, t: None  # never fires event
+        bl.request = lambda p, e, h, t, result_lock: None  # never fires event
 
         result = pool.call("getSlot")
         assert result is None
@@ -729,6 +907,11 @@ def test_add_background_invalid_hash(self):
         pool.add_background("short")
         assert pool.size() == 0
 
+    def test_add_background_invalid_hash_characters(self):
+        pool = BeaconPool()
+        pool.add_background("g" * len(VALID_HASH_HEX))
+        assert pool.size() == 0
+
     def test_add_background_duplicate_skipped(self):
         pool = BeaconPool()
         pool.add(VALID_HASH_HEX, connect=False)
@@ -787,13 +970,14 @@ def test_no_identity_ignored(self):
             handler.received_announce(VALID_HASH_BYTES, None, ANNOUNCE_DATA)
             mock_add.assert_not_called()
 
-    def test_already_known_beacon_skipped(self):
+    def test_already_known_beacon_forwarded_for_identity_refresh(self):
         pool = BeaconPool()
         pool.add(VALID_HASH_HEX, connect=False)
         handler = BeaconAnnounceHandler(pool)
         with patch.object(pool, "add_from_announce") as mock_add:
-            handler.received_announce(VALID_HASH_BYTES, _make_mock_identity(), ANNOUNCE_DATA)
-            mock_add.assert_not_called()
+            ident = _make_mock_identity()
+            handler.received_announce(VALID_HASH_BYTES, ident, ANNOUNCE_DATA)
+            mock_add.assert_called_once_with(VALID_HASH_BYTES, ident, label=f"disc:{VALID_HASH_HEX[:12]}...")
 
     def test_aspect_filter_is_none(self):
         assert BeaconAnnounceHandler.aspect_filter is None
@@ -812,6 +996,41 @@ def test_start_reticulum(self):
         _mock_RNS.Reticulum.assert_called_with("/fake/config")
         assert _state.client_identity is not None
 
+    def test_start_reticulum_repairs_transport_identity_after_wait(self):
+        delayed_identity = MagicMock()
+        _mock_RNS.Transport.identity = None
+        _mock_RNS.Identity.return_value = _make_mock_identity()
+
+        def establish_transport(_delay):
+            _mock_RNS.Transport.identity = delayed_identity
+
+        def assert_identity_ready(path):
+            assert _mock_RNS.Transport.identity is delayed_identity
+            assert path == "/fake/config/storage/transport_identity"
+
+        with (
+            patch.object(mesh.time, "sleep", side_effect=establish_transport),
+            patch.object(
+                mesh,
+                "restrict_private_file_permissions",
+                side_effect=assert_identity_ready,
+            ) as restrict,
+        ):
+            mesh.start_reticulum("/fake/config")
+
+        restrict.assert_called_once_with("/fake/config/storage/transport_identity")
+
+    def test_start_reticulum_warns_when_transport_identity_not_ready(self, capsys):
+        _mock_RNS.Transport.identity = None
+        _mock_RNS.Identity.return_value = _make_mock_identity()
+        with (
+            patch.object(mesh.time, "time", side_effect=[0.0, 6.0]),
+            patch.object(mesh, "restrict_private_file_permissions"),
+        ):
+            mesh.start_reticulum("/fake/config")
+
+        assert "Transport identity not ready after 5s" in capsys.readouterr().out
+
     def test_connect_all_parallel(self):
         _state.pool = BeaconPool()
         with patch.object(BeaconLink, "connect", return_value=True):
diff --git a/tests/test_node_helper_sources.py b/tests/test_node_helper_sources.py
new file mode 100644
index 0000000..a94b65a
--- /dev/null
+++ b/tests/test_node_helper_sources.py
@@ -0,0 +1,13 @@
+"""Source regressions for manual Node helper trust boundaries."""
+from pathlib import Path
+
+
+PROJECT_ROOT = Path(__file__).resolve().parent.parent
+
+
+def test_init_comp_def_sanitizes_and_bounds_simulation_logs():
+    source = (PROJECT_ROOT / "scripts" / "init_comp_def_once.mjs").read_text()
+
+    assert "terminalSafeText(line)" in source
+    assert "logs.slice(0, MAX_RENDERED_LOG_LINES)" in source
+    assert "more lines omitted" in source
diff --git a/tests/test_node_private_files.py b/tests/test_node_private_files.py
new file mode 100644
index 0000000..7221a7c
--- /dev/null
+++ b/tests/test_node_private_files.py
@@ -0,0 +1,73 @@
+"""Regression tests for Node helper credential-file reads."""
+from __future__ import annotations
+
+import json
+import os
+from pathlib import Path
+import subprocess
+
+
+PROJECT_ROOT = Path(__file__).resolve().parent.parent
+PRIVATE_FILE_HELPER = PROJECT_ROOT / "scripts" / "private_file.mjs"
+
+
+def _read_private_text(path: Path) -> subprocess.CompletedProcess:
+    script = (
+        f'import {{ readPrivateTextFileSync }} from {json.dumps(PRIVATE_FILE_HELPER.as_uri())};'
+        'process.stdout.write(readPrivateTextFileSync(process.env.DEST));'
+    )
+    return subprocess.run(
+        ["node", "--input-type=module", "-e", script],
+        env={**os.environ, "DEST": str(path)},
+        text=True,
+        capture_output=True,
+    )
+
+
+def test_node_private_reader_repairs_regular_file_permissions(tmp_path):
+    path = tmp_path / ".env"
+    path.write_text("SECRET=value\n")
+    path.chmod(0o666)
+
+    result = _read_private_text(path)
+
+    assert result.returncode == 0
+    assert result.stdout == "SECRET=value\n"
+    assert path.stat().st_mode & 0o777 == 0o600
+
+
+def test_node_private_reader_refuses_symlink_without_chmod_target(tmp_path):
+    target = tmp_path / "target"
+    target.write_text("SECRET=value\n")
+    target.chmod(0o666)
+    path = tmp_path / ".env"
+    path.symlink_to(target)
+
+    result = _read_private_text(path)
+
+    assert result.returncode != 0
+    assert target.stat().st_mode & 0o777 == 0o666
+
+
+def test_node_private_reader_refuses_non_regular_file(tmp_path):
+    result = _read_private_text(tmp_path)
+
+    assert result.returncode != 0
+
+
+def test_node_private_reader_rejects_oversized_file(tmp_path):
+    path = tmp_path / ".env"
+    path.write_bytes(b"x" * (1024 * 1024 + 1))
+
+    result = _read_private_text(path)
+
+    assert result.returncode != 0
+
+
+def test_node_private_reader_rejects_invalid_utf8(tmp_path):
+    path = tmp_path / ".env"
+    path.write_bytes(b"\xff")
+
+    result = _read_private_text(path)
+
+    assert result.returncode != 0
diff --git a/tests/test_preflight.py b/tests/test_preflight.py
new file mode 100644
index 0000000..8cbc7b3
--- /dev/null
+++ b/tests/test_preflight.py
@@ -0,0 +1,152 @@
+"""Regression tests for headless-node preflight validation."""
+from __future__ import annotations
+
+from argparse import Namespace
+import json
+from unittest.mock import MagicMock, patch
+
+from RNS.vendor.configobj import ConfigObj
+import requests
+
+from scripts import preflight
+from scripts.preflight import Checks, check_optional_transports, check_rpc
+
+
+def args(**overrides) -> Namespace:
+    values = {"ble": False, "rnode": False, "meshtastic": False}
+    values.update(overrides)
+    return Namespace(**values)
+
+
+def config(lines: list[str]) -> ConfigObj:
+    return ConfigObj(lines)
+
+
+def test_comments_do_not_enable_optional_transports():
+    checks = Checks()
+    parsed = config([
+        "[interfaces]",
+        "  # BLEInterface and Meshtastic are documentation only",
+        "  [[TCP]]",
+        "    type = TCPClientInterface",
+        "    enabled = yes",
+    ])
+
+    check_optional_transports(checks, parsed, args())
+
+    assert checks.failures == 0
+
+
+def test_rnode_check_uses_rnode_port_only(tmp_path):
+    serial_port = tmp_path / "ttyUSB0"
+    serial_port.touch()
+    checks = Checks()
+    parsed = config([
+        "[interfaces]",
+        "  [[TCP]]",
+        "    type = TCPClientInterface",
+        "    enabled = yes",
+        "    port = 4242",
+        "  [[Radio]]",
+        "    type = RNodeInterface",
+        "    interface_enabled = True",
+        f"    port = {serial_port}",
+    ])
+
+    check_optional_transports(checks, parsed, args())
+
+    assert checks.failures == 0
+
+
+def test_enabled_ble_interface_fails_until_desktop_adapter_exists():
+    checks = Checks()
+    parsed = config([
+        "[interfaces]",
+        "  [[BLE]]",
+        "    type = BLEInterface",
+        "    enabled = yes",
+    ])
+
+    check_optional_transports(checks, parsed, args())
+
+    assert checks.failures == 1
+
+
+def test_rnode_flag_requires_enabled_interface():
+    checks = Checks()
+    parsed = config([
+        "[interfaces]",
+        "  [[Radio]]",
+        "    type = RNodeInterface",
+        "    enabled = no",
+        "    port = /dev/does-not-matter",
+    ])
+
+    check_optional_transports(checks, parsed, args(rnode=True))
+
+    assert checks.failures == 1
+
+
+def test_rpc_failure_redacts_credentials(capsys):
+    secret_url = "https://user:pass@rpc.example.test/private-token?api-key=secret"
+    checks = Checks()
+    error = requests.exceptions.ConnectionError(f"failed to reach {secret_url}")
+
+    with patch("requests.post", side_effect=error):
+        check_rpc(checks, secret_url)
+
+    output = capsys.readouterr().out
+    assert checks.failures == 1
+    assert "secret" not in output
+    assert "user:pass" not in output
+    assert "https://rpc.example.test/..." in output
+
+
+def test_rpc_rejects_non_object_health_response(capsys):
+    response = MagicMock()
+    response.iter_content.return_value = [json.dumps(["before\x1b[2Jafter"]).encode()]
+    checks = Checks()
+
+    with patch("requests.post", return_value=response):
+        check_rpc(checks, "https://rpc.example.test")
+
+    output = capsys.readouterr().out
+    assert checks.failures == 1
+    assert "unexpected getHealth response" in output
+    assert r"\x1b[2J" in output
+    assert "\x1b[2J" not in output
+
+
+def test_rpc_rejects_oversized_health_response(capsys):
+    response = MagicMock()
+    response.iter_content.return_value = [
+        b"x" * (preflight.MAX_PREFLIGHT_RPC_RESPONSE_BYTES + 1),
+    ]
+    checks = Checks()
+
+    with patch("requests.post", return_value=response) as post:
+        check_rpc(checks, "https://rpc.example.test")
+
+    assert checks.failures == 1
+    assert "getHealth response exceeds size limit" in capsys.readouterr().out
+    assert post.call_args.kwargs["stream"] is True
+    response.close.assert_called_once_with()
+
+
+def test_main_custom_network_requires_rpc_url(monkeypatch, capsys):
+    monkeypatch.delenv("ANONMESH_RPC_URL", raising=False)
+    monkeypatch.setattr(preflight, "parse_args", lambda: Namespace(
+        ble=False,
+        rnode=False,
+        meshtastic=False,
+        config=None,
+        network="custom",
+        rpc=None,
+        skip_rpc=False,
+    ))
+    monkeypatch.setattr(preflight, "check_python", lambda _checks: None)
+    monkeypatch.setattr(preflight, "check_module", lambda *_args: None)
+    monkeypatch.setattr(preflight, "read_config", lambda *_args: {})
+
+    assert preflight.main() == 1
+    assert "Custom network requires --rpc or ANONMESH_RPC_URL" in capsys.readouterr().out
diff --git a/tests/test_rpc.py b/tests/test_rpc.py
index b9698d2..dc36584 100644
--- a/tests/test_rpc.py
+++ b/tests/test_rpc.py
@@ -38,6 +38,10 @@ def test_extract_result_value_none():
     assert rpc._extract_result({"result": {"value": None}}) is None
 
 
+def test_extract_result_non_object_response():
+    assert rpc._extract_result(["not", "an", "object"]) is None
+
+
 # ── get_balance ────────────────────────────────────────────────────────────────
 
 def test_get_balance_value_dict(mock_pool, capsys):
@@ -70,12 +74,44 @@ def test_get_balance_error(mock_pool, capsys):
     assert "invalid base58" in capsys.readouterr().out
 
 
+def test_get_balance_scalar_error(mock_pool, capsys):
+    mock_pool.call.return_value = {"error": "busy"}
+    rpc.get_balance("bad")
+    assert "busy" in capsys.readouterr().out
+
+
 def test_get_balance_none_response(mock_pool, capsys):
     mock_pool.call.return_value = None
     rpc.get_balance("addr1")  # must not raise
     capsys.readouterr()
 
 
+def test_get_balance_malformed_result(mock_pool, capsys):
+    mock_pool.call.return_value = {"result": "not-lamports"}
+    rpc.get_balance("addr1")
+    assert "Unexpected getBalance response" in capsys.readouterr().out
+
+
+@pytest.mark.parametrize("lamports", [-1, 1 << 64])
+def test_get_balance_rejects_out_of_range_lamports(mock_pool, capsys, lamports):
+    mock_pool.call.return_value = {"result": lamports}
+    rpc.get_balance("addr1")
+    assert "Unexpected getBalance response" in capsys.readouterr().out
+
+
+# ── confidential_get_balance ──────────────────────────────────────────────────
+
+def test_confidential_balance_fails_closed_without_relaying_address(monkeypatch, mock_pool, capsys):
+    plain_balance = MagicMock()
+    monkeypatch.setattr(rpc, "get_balance", plain_balance)
+
+    rpc.confidential_get_balance("private-address")
+
+    mock_pool.call.assert_not_called()
+    plain_balance.assert_not_called()
+    assert "no MPC query handler is implemented" in capsys.readouterr().out
+
+
 # ── get_slot ───────────────────────────────────────────────────────────────────
 
 def test_get_slot_ok(mock_pool, capsys):
@@ -96,6 +132,12 @@ def test_get_slot_error(mock_pool, capsys):
     assert "RPC error" in capsys.readouterr().out
 
 
+def test_get_slot_malformed_result(mock_pool, capsys):
+    mock_pool.call.return_value = {"result": "not-a-slot"}
+    rpc.get_slot()
+    assert "Unexpected response" in capsys.readouterr().out
+
+
 # ── get_block_height ──────────────────────────────────────────────────────────
 
 def test_get_block_height_ok(mock_pool, capsys):
@@ -110,6 +152,12 @@ def test_get_block_height_none(mock_pool, capsys):
     assert "No response" in capsys.readouterr().out
 
 
+def test_get_block_height_malformed_result(mock_pool, capsys):
+    mock_pool.call.return_value = {"result": "not-a-height"}
+    rpc.get_block_height()
+    assert "Unexpected response" in capsys.readouterr().out
+
+
 # ── get_transaction_count ─────────────────────────────────────────────────────
 
 def test_get_transaction_count_ok(mock_pool, capsys):
@@ -124,6 +172,20 @@ def test_get_transaction_count_none(mock_pool, capsys):
     assert "No response" in capsys.readouterr().out
 
 
+def test_get_transaction_count_malformed_result(mock_pool, capsys):
+    mock_pool.call.return_value = {"result": "not-a-count"}
+    rpc.get_transaction_count()
+    assert "Unexpected response" in capsys.readouterr().out
+
+
+@pytest.mark.parametrize("query", [rpc.get_slot, rpc.get_block_height, rpc.get_transaction_count])
+@pytest.mark.parametrize("value", [-1, 1 << 64])
+def test_chain_counters_reject_out_of_range_values(mock_pool, capsys, query, value):
+    mock_pool.call.return_value = {"result": value}
+    query()
+    assert "Unexpected response" in capsys.readouterr().out
+
+
 # ── get_recent_blockhash ──────────────────────────────────────────────────────
 
 def test_get_recent_blockhash_ok(mock_pool, capsys):
@@ -144,6 +206,61 @@ def test_get_recent_blockhash_error(mock_pool):
     assert rpc.get_recent_blockhash() is None
 
 
+def test_get_recent_blockhash_rejects_non_string(mock_pool, capsys):
+    mock_pool.call.return_value = {"result": {"value": {"blockhash": ["not", "a", "string"]}}}
+    assert rpc.get_recent_blockhash() is None
+    assert "Unexpected response" in capsys.readouterr().out
+
+
+# ── wallet detail formatting ──────────────────────────────────────────────────
+
+def test_print_sol_balance_malformed_result(capsys):
+    rpc._print_sol_balance({"result": {"value": "not-lamports"}})
+    assert "Unexpected getBalance response" in capsys.readouterr().out
+
+
+@pytest.mark.parametrize("lamports", [-1, 1 << 64])
+def test_print_sol_balance_rejects_out_of_range_lamports(capsys, lamports):
+    rpc._print_sol_balance({"result": {"value": lamports}})
+    assert "Unexpected getBalance response" in capsys.readouterr().out
+
+
+def test_print_spl_tokens_malformed_result(capsys):
+    rpc._print_spl_tokens({"result": {"value": "not-a-list"}})
+    assert "Unexpected getTokenAccountsByOwner response" in capsys.readouterr().out
+
+
+def test_print_spl_tokens_malformed_nested_account(capsys):
+    rpc._print_spl_tokens({"result": {"value": [{"account": {"data": {"parsed": {"info": []}}}}]}})
+    assert "could not parse account" in capsys.readouterr().out
+
+
+@pytest.mark.parametrize("decimals", [-1, 256])
+def test_print_spl_tokens_rejects_out_of_range_decimals(capsys, decimals):
+    rpc._print_spl_tokens({"result": {"value": [{"account": {"data": {"parsed": {"info": {
+        "mint": "mint",
+        "tokenAmount": {"decimals": decimals, "uiAmountString": "1"},
+    }}}}}]}})
+    assert "could not parse account" in capsys.readouterr().out
+
+
+def test_print_spl_tokens_caps_rendered_accounts(capsys):
+    account = {"account": {"data": {"parsed": {"info": {
+        "mint": "mint",
+        "tokenAmount": {"decimals": 0, "uiAmountString": "1"},
+    }}}}}
+    rpc._print_spl_tokens({"result": {"value": [account] * 101}})
+    output = capsys.readouterr().out
+    assert output.count(" mint ") == 100
+    assert "1 more accounts omitted" in output
+
+
+def test_get_token_accounts_handles_query_exception(mock_pool, capsys):
+    mock_pool.call.side_effect = RuntimeError("query failed")
+    rpc.get_token_accounts("owner")
+    assert "Wallet detail query failed" in capsys.readouterr().out
+
+
 # ── get_beacon_pubkey ─────────────────────────────────────────────────────────
 
 def test_get_beacon_pubkey_ok(mock_pool):
@@ -162,6 +279,18 @@ def test_get_beacon_pubkey_error(mock_pool, capsys):
     assert "not configured" in capsys.readouterr().out
 
 
+def test_get_beacon_pubkey_scalar_error(mock_pool, capsys):
+    mock_pool.call.return_value = {"error": "busy"}
+    assert rpc.get_beacon_pubkey() is None
+    assert "busy" in capsys.readouterr().out
+
+
+def test_get_beacon_pubkey_rejects_non_string(mock_pool, capsys):
+    mock_pool.call.return_value = {"result": {"not": "a pubkey"}}
+    assert rpc.get_beacon_pubkey() is None
+    assert "Unexpected getBeaconPubkey response" in capsys.readouterr().out
+
+
 # ── cosign_and_send ───────────────────────────────────────────────────────────
 
 def test_cosign_and_send_success(mock_pool, capsys):
@@ -177,11 +306,23 @@ def test_cosign_and_send_error(mock_pool, capsys):
     assert "co-sign rejected" in capsys.readouterr().out
 
 
+def test_cosign_and_send_scalar_error(mock_pool, capsys):
+    mock_pool.call.return_value = {"error": "busy"}
+    assert rpc.cosign_and_send("tx_b64") is None
+    assert "busy" in capsys.readouterr().out
+
+
 def test_cosign_and_send_none_response(mock_pool):
     mock_pool.call.return_value = None
     assert rpc.cosign_and_send("tx_b64") is None
 
 
+def test_cosign_and_send_rejects_non_string_signature(mock_pool, capsys):
+    mock_pool.call.return_value = {"result": {"not": "a signature"}}
+    assert rpc.cosign_and_send("tx_b64") is None
+    assert "Unexpected cosignTransaction response" in capsys.readouterr().out
+
+
 def test_cosign_and_send_arcium_meta_forwarded(mock_pool):
     mock_pool.call.return_value = {"result": "SIG"}
     rpc.cosign_and_send("tx_b64", arcium_meta={"amount": 1000, "mint": "ABC"})
@@ -210,12 +351,24 @@ def test_send_transaction_error(mock_pool, capsys):
     assert "blockhash expired" in capsys.readouterr().out
 
 
+def test_send_transaction_scalar_error(mock_pool, capsys):
+    mock_pool.call.return_value = {"error": "busy"}
+    rpc.send_transaction("b64tx")
+    assert "busy" in capsys.readouterr().out
+
+
 def test_send_transaction_none(mock_pool, capsys):
     mock_pool.call.return_value = None
     rpc.send_transaction("b64tx")  # must not raise
     capsys.readouterr()
 
 
+def test_send_transaction_rejects_non_string_signature(mock_pool, capsys):
+    mock_pool.call.return_value = {"result": ["not", "a signature"]}
+    rpc.send_transaction("b64tx")
+    assert "Unexpected sendTransaction response" in capsys.readouterr().out
+
+
 # ── simulate_transaction ──────────────────────────────────────────────────────
 
 def test_simulate_transaction_success(mock_pool, capsys):
@@ -234,6 +387,51 @@ def test_simulate_transaction_error(mock_pool, capsys):
     assert "Simulation error" in capsys.readouterr().out
 
 
+def test_simulate_transaction_malformed_result(mock_pool, capsys):
+    mock_pool.call.return_value = {"result": {"value": "not-an-object"}}
+    rpc.simulate_transaction("b64tx")
+    assert "Unexpected simulateTransaction response" in capsys.readouterr().out
+
+
+def test_simulate_transaction_malformed_logs(mock_pool, capsys):
+    mock_pool.call.return_value = {"result": {"value": {"err": None, "logs": "not-a-list"}}}
+    rpc.simulate_transaction("b64tx")
+    assert "Unexpected simulateTransaction logs" in capsys.readouterr().out
+
+
+def test_simulate_transaction_rpc_error(mock_pool, capsys):
+    mock_pool.call.return_value = {"error": "busy"}
+    rpc.simulate_transaction("b64tx")
+    assert "Simulation rejected: busy" in capsys.readouterr().out
+
+
+def test_simulate_transaction_rejects_non_string_log(mock_pool, capsys):
+    mock_pool.call.return_value = {"result": {"value": {"err": None, "logs": [{"bad": "log"}]}}}
+    rpc.simulate_transaction("b64tx")
+    assert "Unexpected simulateTransaction logs" in capsys.readouterr().out
+
+
+def test_simulate_transaction_escapes_terminal_control_bytes(mock_pool, capsys):
+    mock_pool.call.return_value = {
+        "result": {"value": {"err": None, "logs": ["before\x1b[2Jafter"]}}
+    }
+    rpc.simulate_transaction("b64tx")
+    output = capsys.readouterr().out
+    assert r"before\x1b[2Jafter" in output
+    assert "\x1b[2J" not in output
+
+
+def test_simulate_transaction_caps_rendered_logs(mock_pool, capsys):
+    mock_pool.call.return_value = {
+        "result": {"value": {"err": None, "logs": [f"log-{index}" for index in range(101)]}}
+    }
+    rpc.simulate_transaction("b64tx")
+    output = capsys.readouterr().out
+    assert "log-99" in output
+    assert "log-100" not in output
+    assert "1 simulation log lines omitted" in output
+
+
 # ── get_nonce_account ─────────────────────────────────────────────────────────
 
 _NONCE_RESP = {
@@ -283,3 +481,24 @@ def test_get_nonce_account_none_response(mock_pool, capsys):
 def test_get_nonce_account_rpc_error(mock_pool, capsys):
     mock_pool.call.return_value = {"error": "connection refused"}
     assert rpc.get_nonce_account("NONCE_PUBKEY") is None
+
+
+def test_get_nonce_account_rejects_non_string_fields(mock_pool, capsys):
+    mock_pool.call.return_value = {
+        "result": {"value": {"data": {"parsed": {
+            "type": "initialized",
+            "info": {"blockhash": ["not", "a", "string"], "authority": "AUTHORITY"},
+        }}}}
+    }
+    assert rpc.get_nonce_account("NONCE_PUBKEY") is None
+    assert "nonce blockhash and authority must be strings" in capsys.readouterr().out
+
+
+@pytest.mark.parametrize("parsed, error", [
+    ([], "parsed nonce data must be an object"),
+    ({"type": "initialized", "info": []}, "nonce info must be an object"),
+])
+def test_get_nonce_account_rejects_non_object_fields(mock_pool, capsys, parsed, error):
+    mock_pool.call.return_value = {"result": {"value": {"data": {"parsed": parsed}}}}
+    assert rpc.get_nonce_account("NONCE_PUBKEY") is None
+    assert error in capsys.readouterr().out
diff --git a/tests/test_setup_launchers.py b/tests/test_setup_launchers.py
new file mode 100644
index 0000000..3c0ea4c
--- /dev/null
+++ b/tests/test_setup_launchers.py
@@ -0,0 +1,182 @@
+"""Regression tests for launchers generated by setup.sh."""
+from __future__ import annotations
+
+import os
+from pathlib import Path
+import subprocess
+
+import pytest
+
+
+PROJECT_ROOT = Path(__file__).resolve().parent.parent
+SETUP = PROJECT_ROOT / "setup.sh"
+
+
+def _write_client_launcher(tmp_path: Path) -> Path:
+    setup = SETUP.read_text()
+    marker = 'atomic_private_write "$SCRIPT_DIR/run_client.sh" 700 << LAUNCHER\n'
+    launcher = setup.split(marker, 1)[1].split("\nLAUNCHER", 1)[0].replace(r"\$", "$")
+    path = tmp_path / "run_client.sh"
+    path.write_text(launcher)
+    path.chmod(0o700)
+    (tmp_path / "venv" / "bin").mkdir(parents=True)
+    (tmp_path / "venv" / "bin" / "activate").write_text("")
+    return path
+
+
+def _setup_helpers() -> str:
+    return SETUP.read_text().split("# ── Defaults", 1)[0]
+
+
+def _run_helper(command: str, destination: Path) -> subprocess.CompletedProcess:
+    return subprocess.run(
+        ["bash", "-c", f"{_setup_helpers()}\n{command}"],
+        env={**os.environ, "DEST": str(destination)},
+        text=True,
+        capture_output=True,
+    )
+
+
+def test_atomic_private_write_refuses_symlink(tmp_path):
+    target = tmp_path / "target"
+    target.write_text("old")
+    destination = tmp_path / "output"
+    destination.symlink_to(target)
+
+    result = _run_helper("printf new | atomic_private_write \"$DEST\" 600", destination)
+
+    assert result.returncode != 0
+    assert target.read_text() == "old"
+
+
+def test_atomic_private_write_replaces_hardlink_without_modifying_sibling(tmp_path):
+    destination = tmp_path / "output"
+    destination.write_text("old")
+    sibling = tmp_path / "sibling"
+    os.link(destination, sibling)
+
+    result = _run_helper("printf new | atomic_private_write \"$DEST\" 600", destination)
+
+    assert result.returncode == 0
+    assert destination.read_text() == "new"
+    assert sibling.read_text() == "old"
+
+
+def test_atomic_private_append_replaces_hardlink_without_modifying_sibling(tmp_path):
+    destination = tmp_path / "output"
+    destination.write_text("old")
+    sibling = tmp_path / "sibling"
+    os.link(destination, sibling)
+
+    result = _run_helper("printf new | atomic_private_append \"$DEST\" 600", destination)
+
+    assert result.returncode == 0
+    assert destination.read_text() == "oldnew"
+    assert sibling.read_text() == "old"
+
+
+def test_atomic_private_append_refuses_symlink(tmp_path):
+    target = tmp_path / "target"
+    target.write_text("old")
+    destination = tmp_path / "output"
+    destination.symlink_to(target)
+
+    result = _run_helper("printf new | atomic_private_append \"$DEST\" 600", destination)
+
+    assert result.returncode != 0
+    assert target.read_text() == "old"
+
+
+def test_systemd_escape_path_escapes_spaces_and_percents(tmp_path):
+    destination = tmp_path / "before space%done"
+
+    result = _run_helper('systemd_escape_path "$DEST"', destination)
+
+    expected = (
+        str(destination)
+        .replace(" ", r"\x20")
+        .replace("%", "%%")
+    )
+    assert result.returncode == 0
+    assert result.stdout == expected
+
+
+@pytest.mark.parametrize("name", ['before"after', "before\\after", "before\nafter"])
+def test_systemd_escape_path_rejects_unsupported_characters(tmp_path, name):
+    result = _run_helper('systemd_escape_path "$DEST"', tmp_path / name)
+
+    assert result.returncode != 0
+    assert "Cannot write systemd service" in result.stdout
+
+
+def test_config_value_is_safe_accepts_serial_path(tmp_path):
+    result = _run_helper('config_value_is_safe "$DEST"', tmp_path / "ttyUSB0")
+
+    assert result.returncode == 0
+
+
+@pytest.mark.parametrize("name", ["before\nafter", "before\rafter", "before\x1bafter"])
+def test_config_value_is_safe_rejects_control_characters(tmp_path, name):
+    result = _run_helper('config_value_is_safe "$DEST"', tmp_path / name)
+
+    assert result.returncode != 0
+
+
+def test_rnode_environment_port_is_validated_before_rendering():
+    setup = SETUP.read_text()
+
+    assert setup.index('! config_value_is_safe "$RNODE_PORT"') < setup.index("Using RNode serial device")
+
+
+def test_rnode_selected_port_is_validated_before_config_append():
+    setup = SETUP.read_text()
+
+    assert setup.rindex('! config_value_is_safe "$RNODE_PORT"') > setup.index('RNODE_PORT="$manual_port"')
+    assert setup.rindex('! config_value_is_safe "$RNODE_PORT"') < setup.index('port              = ${RNODE_PORT}')
+
+
+def test_setup_inline_python_receives_filesystem_paths_through_env():
+    setup = SETUP.read_text()
+
+    assert 'ANONMESH_RNS_CONFIG_FILE="$RNS_CONFIG_FILE" python -c' in setup
+    assert 'open(os.environ["ANONMESH_RNS_CONFIG_FILE"])' in setup
+    assert 'ANONMESH_SCRIPT_DIR="$SCRIPT_DIR" python -c' in setup
+    assert 'sys.path.insert(0, os.environ["ANONMESH_SCRIPT_DIR"])' in setup
+    assert "open('$RNS_CONFIG_FILE')" not in setup
+    assert "sys.path.insert(0, '$SCRIPT_DIR')" not in setup
+
+
+def test_client_launcher_preserves_hex_looking_option_value(tmp_path):
+    launcher = _write_client_launcher(tmp_path)
+    capture = tmp_path / "args"
+    bin_dir = tmp_path / "bin"
+    bin_dir.mkdir()
+    fake_python = bin_dir / "python"
+    fake_python.write_text(
+        "#!/usr/bin/env bash\n"
+        "printf '%s\\n' \"$@\" > \"$ANONMESH_CAPTURE\"\n"
+    )
+    fake_python.chmod(0o700)
+    beacon_hash = "a" * 32
+    transaction = "b" * 64
+
+    subprocess.run(
+        [str(launcher), beacon_hash, "--send-tx", transaction],
+        check=True,
+        env={
+            **os.environ,
+            "ANONMESH_CAPTURE": str(capture),
+            "PATH": f"{bin_dir}:{os.environ['PATH']}",
+        },
+    )
+
+    assert capture.read_text().splitlines() == [
+        str(tmp_path / "client.py"),
+        "--beacon",
+        beacon_hash,
+        "--discover",
+        "--strategy",
+        "race",
+        "--send-tx",
+        transaction,
+    ]
diff --git a/tests/test_setup_nonce_bootstrap.py b/tests/test_setup_nonce_bootstrap.py
new file mode 100644
index 0000000..1c1c0f8
--- /dev/null
+++ b/tests/test_setup_nonce_bootstrap.py
@@ -0,0 +1,127 @@
+"""Regression tests for the nonce bootstrap embedded in setup.sh."""
+
+import json
+import os
+from pathlib import Path
+
+import pytest
+
+
+SETUP = Path(__file__).parents[1] / "setup.sh"
+
+
+def _nonce_bootstrap() -> str:
+    setup = SETUP.read_text()
+    marker = '          ANON0MESH_KP_PATH="$WALLET_KEYPAIR_PATH" \\\n'
+    nonce_setup = setup.split(marker, 1)[1]
+    return nonce_setup.split("python << 'PYEOF'\n", 1)[1].split("\nPYEOF", 1)[0]
+
+
+def _wallet_bootstrap() -> str:
+    setup = SETUP.read_text()
+    marker = '        if ANON0MESH_KP_PATH="$WALLET_KEYPAIR_PATH" python << \'PYEOF\'\n'
+    return setup.split(marker, 1)[1].split("\nPYEOF", 1)[0]
+
+
+def test_nonce_bootstrap_compiles():
+    compile(_nonce_bootstrap(), "<setup nonce bootstrap>", "exec")
+
+
+def test_wallet_bootstrap_compiles():
+    compile(_wallet_bootstrap(), "<setup wallet bootstrap>", "exec")
+
+
+class _Response:
+    def __init__(self, chunks):
+        self.chunks = chunks
+        self.closed = False
+
+    def raise_for_status(self):
+        pass
+
+    def iter_content(self, chunk_size):
+        assert chunk_size == 64 * 1024
+        yield from self.chunks
+
+    def close(self):
+        self.closed = True
+
+
+class _Requests:
+    def __init__(self, response):
+        self.response = response
+        self.kwargs = None
+
+    def post(self, *args, **kwargs):
+        self.kwargs = kwargs
+        return self.response
+
+
+def _rpc_with(response, monkeypatch, tmp_path):
+    monkeypatch.setenv("ANON0MESH_RPC", "https://example.invalid")
+    monkeypatch.setenv("ANON0MESH_DIR", str(tmp_path))
+    namespace = {}
+    bootstrap = _nonce_bootstrap()
+    exec(bootstrap.split("\ndef require_u64", 1)[0], namespace)
+    requests = _Requests(response)
+    namespace["requests"] = requests
+    return namespace["rpc"], requests
+
+
+def test_nonce_bootstrap_rpc_streams_bounded_response_and_closes(monkeypatch, tmp_path):
+    response = _Response([json.dumps({"result": "ok"}).encode()])
+    rpc, requests = _rpc_with(response, monkeypatch, tmp_path)
+
+    assert rpc("getHealth", []) == "ok"
+    assert requests.kwargs["stream"] is True
+    assert response.closed is True
+
+
+def test_nonce_bootstrap_rpc_rejects_oversized_response_and_closes(monkeypatch, tmp_path):
+    response = _Response([b"x" * (1024 * 1024 + 1)])
+    rpc, _requests = _rpc_with(response, monkeypatch, tmp_path)
+
+    with pytest.raises(RuntimeError, match="response exceeds size limit"):
+        rpc("getHealth", [])
+    assert response.closed is True
+
+
+def test_wallet_bootstrap_replaces_hardlink_without_modifying_sibling(tmp_path, monkeypatch):
+    sibling = tmp_path / "keep.txt"
+    sibling.write_text("keep")
+    path = tmp_path / "wallet.json"
+    os.link(sibling, path)
+    monkeypatch.setenv("ANON0MESH_KP_PATH", str(path))
+
+    exec(_wallet_bootstrap(), {})
+
+    assert sibling.read_text() == "keep"
+    assert path.read_text() != "keep"
+    assert path.stat().st_ino != sibling.stat().st_ino
+
+
+def test_nonce_bootstrap_save_replaces_hardlink_without_modifying_sibling(tmp_path, monkeypatch):
+    sibling = tmp_path / "keep.txt"
+    sibling.write_text("keep")
+    path = tmp_path / "nonce.json"
+    os.link(sibling, path)
+    monkeypatch.setenv("ANON0MESH_RPC", "https://example.invalid")
+    monkeypatch.setenv("ANON0MESH_DIR", str(tmp_path))
+    namespace = {}
+    exec(_nonce_bootstrap().split("\nnonce_path = None", 1)[0], namespace)
+
+    namespace["save_keypair"](str(path), namespace["Keypair"]())
+
+    assert sibling.read_text() == "keep"
+    assert path.read_text() != "keep"
+    assert path.stat().st_ino != sibling.stat().st_ino
+
+
+def test_nonce_bootstrap_preserves_keypair_after_uncertain_submission():
+    bootstrap = _nonce_bootstrap()
+
+    assert bootstrap.index("submitted = False") < bootstrap.index("\ntry:\n    payer =")
+    assert bootstrap.index("submitted = True") < bootstrap.index('rpc("sendTransaction"')
+    assert "if submitted:" in bootstrap
+    assert "transaction submission status is unknown; preserving nonce keypair" in bootstrap
+    assert "elif nonce_path is not None:" in bootstrap
diff --git a/tests/test_shared.py b/tests/test_shared.py
index c85970d..3408817 100644
--- a/tests/test_shared.py
+++ b/tests/test_shared.py
@@ -3,6 +3,13 @@
 """
 
 import json
+import os
+import stat
+import zlib
+from pathlib import Path
+
+import pytest
+
 import shared
 
 
@@ -52,6 +59,12 @@ def test_build_response_error():
     assert "result" not in payload
 
 
+def test_build_response_empty_error_is_still_error():
+    payload = json.loads(shared.build_response(error=""))
+    assert payload["error"]["message"] == ""
+    assert "result" not in payload
+
+
 def test_build_response_req_id():
     payload = json.loads(shared.build_response(result=1, req_id=99))
     assert payload["id"] == 99
@@ -73,6 +86,266 @@ def test_decode_json_nested():
     assert shared.decode_json(json.dumps(data).encode()) == data
 
 
+@pytest.mark.parametrize("response", [
+    b"not-json",
+    b"[]",
+    b"{}",
+    b'{"result": 1, "error": "bad"}',
+])
+def test_decode_rpc_response_rejects_malformed_response(response):
+    with pytest.raises((json.JSONDecodeError, ValueError)):
+        shared.decode_rpc_response(response)
+
+
+def test_decode_rpc_response_accepts_single_result():
+    assert shared.decode_rpc_response(b'{"result": 42}') == {"result": 42}
+
+
+# ── redact_url ────────────────────────────────────────────────────────────────
+
+def test_redact_url_hides_query_credentials_and_path_tokens():
+    url = "https://user:pass@rpc.example.test/private-token?api-key=secret#fragment"
+    assert shared.redact_url(url) == "https://rpc.example.test/..."
+
+
+def test_redact_url_preserves_safe_host_and_port():
+    assert shared.redact_url("https://rpc.example.test:8899") == "https://rpc.example.test:8899"
+
+
+def test_redact_url_formats_ipv6_host():
+    assert shared.redact_url("http://[::1]:8899/token") == "http://[::1]:8899/..."
+
+
+def test_redact_url_rejects_non_url_values():
+    assert shared.redact_url("not-a-url") == "<redacted-rpc-url>"
+
+
+def test_redact_url_rejects_none():
+    assert shared.redact_url(None) == "<redacted-rpc-url>"
+
+
+def test_redact_urls_hides_embedded_credentials_and_path_tokens():
+    text = "request to https://user:pass@rpc.example.test/private?api-key=secret failed"
+    assert shared.redact_urls(text) == "request to https://rpc.example.test/... failed"
+
+
+# ── rpc_error_message ─────────────────────────────────────────────────────────
+
+def test_rpc_error_message_extracts_object_message():
+    assert shared.rpc_error_message({"message": "busy"}) == "busy"
+
+
+def test_rpc_error_message_accepts_scalar_error():
+    assert shared.rpc_error_message("busy") == "busy"
+
+
+def test_terminal_safe_text_escapes_control_bytes():
+    assert shared.terminal_safe_text("before\x1b[2J\nafter") == r"before\x1b[2J\x0aafter"
+
+
+def test_terminal_safe_text_truncates_long_values():
+    assert shared.terminal_safe_text("x" * 10, max_length=4) == "xxxx... [truncated]"
+
+
+# ── numeric parsing ───────────────────────────────────────────────────────────
+
+def test_positive_int_accepts_positive_value():
+    assert shared.positive_int("15") == 15
+
+
+@pytest.mark.parametrize("value", ["0", "-1", "not-a-number"])
+def test_positive_int_rejects_non_positive_or_invalid_value(value):
+    with pytest.raises(ValueError):
+        shared.positive_int(value)
+
+
+@pytest.mark.parametrize("value", [0, (1 << 64) - 1])
+def test_is_u64_accepts_bounds(value):
+    assert shared.is_u64(value)
+
+
+@pytest.mark.parametrize("value", [-1, 1 << 64, True, 1.0, "1"])
+def test_is_u64_rejects_out_of_range_or_non_integer_values(value):
+    assert not shared.is_u64(value)
+
+
+# ── private local files ───────────────────────────────────────────────────────
+
+def test_restrict_private_file_permissions_repairs_existing_file(tmp_path):
+    path = tmp_path / "identity"
+    path.write_text("secret")
+    path.chmod(0o666)
+    shared.restrict_private_file_permissions(str(path))
+    assert stat.S_IMODE(path.stat().st_mode) == 0o600
+
+
+def test_restrict_private_file_permissions_ignores_symlink_without_chmod_target(tmp_path):
+    target = tmp_path / "target"
+    target.write_text("secret")
+    target.chmod(0o666)
+    path = tmp_path / "identity"
+    path.symlink_to(target)
+
+    assert not shared.restrict_private_file_permissions(path)
+    assert stat.S_IMODE(target.stat().st_mode) == 0o666
+
+
+def test_read_private_file_refuses_fifo(tmp_path):
+    path = tmp_path / "identity"
+    os.mkfifo(path)
+
+    with pytest.raises(OSError, match="Refusing non-regular private file"):
+        shared.read_private_file(path)
+
+
+def test_read_private_file_rejects_oversized_file(tmp_path):
+    path = tmp_path / "identity"
+    path.write_bytes(b"x" * 5)
+
+    with pytest.raises(OSError, match="Private file exceeds 4 byte limit"):
+        shared.read_private_file(path, max_bytes=4)
+
+
+def test_save_private_identity_uses_owner_only_permissions(tmp_path):
+    path = tmp_path / "identity"
+
+    class FakeIdentity:
+        def to_file(self, output_path):
+            Path(output_path).write_text("secret")
+
+    shared.save_private_identity(FakeIdentity(), str(path))
+    assert stat.S_IMODE(path.stat().st_mode) == 0o600
+
+
+def test_save_private_identity_replaces_symlink_without_touching_target(tmp_path):
+    target = tmp_path / "keep.txt"
+    target.write_text("keep")
+    path = tmp_path / "identity"
+    path.symlink_to(target)
+
+    class FakeIdentity:
+        def to_file(self, output_path):
+            Path(output_path).write_text("secret")
+
+    shared.save_private_identity(FakeIdentity(), str(path))
+
+    assert not path.is_symlink()
+    assert path.read_text() == "secret"
+    assert target.read_text() == "keep"
+
+
+def test_save_private_identity_cleans_up_failed_temporary_file(tmp_path):
+    path = tmp_path / "identity"
+
+    class FailedIdentity:
+        def to_file(self, output_path):
+            return False
+
+    with pytest.raises(OSError, match="Could not save RNS identity"):
+        shared.save_private_identity(FailedIdentity(), str(path))
+
+    assert not path.exists()
+    assert list(tmp_path.iterdir()) == []
+
+
+def test_load_dotenv_private_repairs_permissions_and_preserves_existing_env(
+    tmp_path, monkeypatch,
+):
+    path = tmp_path / ".env"
+    path.write_text("NEW_TEST_VALUE=loaded\nEXISTING_TEST_VALUE=from-file\n")
+    path.chmod(0o666)
+    monkeypatch.delenv("NEW_TEST_VALUE", raising=False)
+    monkeypatch.setenv("EXISTING_TEST_VALUE", "from-process")
+
+    shared.load_dotenv_private(path)
+
+    assert stat.S_IMODE(path.stat().st_mode) == 0o600
+    assert os.environ["NEW_TEST_VALUE"] == "loaded"
+    assert os.environ["EXISTING_TEST_VALUE"] == "from-process"
+
+
+def test_load_dotenv_private_skips_invalid_entries(tmp_path, monkeypatch):
+    path = tmp_path / ".env"
+    path.write_text("=empty-key\nINVALID-NAME=value\nNUL_VALUE=bad\x00value\nVALID_NAME=loaded\n")
+    monkeypatch.delenv("VALID_NAME", raising=False)
+
+    shared.load_dotenv_private(path)
+
+    assert os.environ["VALID_NAME"] == "loaded"
+    assert "INVALID-NAME" not in os.environ
+    assert "NUL_VALUE" not in os.environ
+
+
+def test_load_dotenv_private_skips_symlink_without_chmod_target(tmp_path, monkeypatch, capsys):
+    target = tmp_path / "target.env"
+    target.write_text("SYMLINKED_TEST_VALUE=loaded\n")
+    target.chmod(0o666)
+    path = tmp_path / ".env"
+    path.symlink_to(target)
+    monkeypatch.delenv("SYMLINKED_TEST_VALUE", raising=False)
+
+    shared.load_dotenv_private(path)
+
+    assert "SYMLINKED_TEST_VALUE" not in os.environ
+    assert stat.S_IMODE(target.stat().st_mode) == 0o666
+    assert "Could not load private env file" in capsys.readouterr().out
+
+
+# ── response compression ──────────────────────────────────────────────────────
+
+def test_read_limited_http_body_assembles_streamed_chunks():
+    class Response:
+        def iter_content(self, chunk_size):
+            assert chunk_size == 64 * 1024
+            return iter([b"first", b"", b"-second"])
+
+    assert shared.read_limited_http_body(Response(), 12) == b"first-second"
+
+
+def test_read_limited_http_body_stops_at_size_limit():
+    consumed = []
+
+    class Response:
+        def iter_content(self, chunk_size):
+            for chunk in (b"1234", b"5", b"must-not-read"):
+                consumed.append(chunk)
+                yield chunk
+
+    with pytest.raises(shared.ResponseSizeLimitError, match="4 byte limit"):
+        shared.read_limited_http_body(Response(), 4)
+
+    assert consumed == [b"1234", b"5"]
+
+
+def test_compressed_response_roundtrip():
+    raw = b"repeated payload " * 100
+    assert shared.decompress_response(shared.compress_response(raw)) == raw
+
+
+def test_decompress_response_rejects_expansion_over_limit():
+    raw = b"x" * (shared.MAX_MESH_RESPONSE_BYTES + 1)
+    compressed = shared._COMPRESS_MAGIC + zlib.compress(raw)
+    with pytest.raises(ValueError, match="expanded size limit"):
+        shared.decompress_response(compressed)
+
+
+def test_decompress_response_rejects_oversized_uncompressed_payload():
+    with pytest.raises(ValueError, match="Response exceeds size limit"):
+        shared.decompress_response(b"x" * (shared.MAX_MESH_RESPONSE_BYTES + 1))
+
+
+def test_decompress_response_rejects_truncated_compressed_payload():
+    compressed = shared._COMPRESS_MAGIC + zlib.compress(b"payload" * 100)
+    with pytest.raises(ValueError, match="malformed"):
+        shared.decompress_response(compressed[:-1])
+
+
+def test_decompress_response_rejects_trailing_compressed_payload():
+    compressed = shared._COMPRESS_MAGIC + zlib.compress(b"payload") + b"trailing"
+    with pytest.raises(ValueError, match="malformed"):
+        shared.decompress_response(compressed)
+
+
 # ── quiet mode ─────────────────────────────────────────────────────────────────
 
 def test_log_info_visible_by_default(capsys):
@@ -137,3 +410,10 @@ def test_log_err_contains_cross(capsys):
 def test_log_warn_contains_warning_symbol(capsys):
     shared.log_warn("watch out")
     assert "⚠" in capsys.readouterr().out
+
+
+def test_log_warn_escapes_terminal_control_bytes(capsys):
+    shared.log_warn("before\x1b[2Jafter")
+    output = capsys.readouterr().out
+    assert r"before\x1b[2Jafter" in output
+    assert "\x1b[2J" not in output
diff --git a/tests/test_tcp_bridge.py b/tests/test_tcp_bridge.py
index 88e3b17..f412743 100644
--- a/tests/test_tcp_bridge.py
+++ b/tests/test_tcp_bridge.py
@@ -20,14 +20,15 @@
 import signal
 import subprocess
 
-RELAY_CONFIG = os.path.join(os.path.dirname(__file__), "..", "..", "config", "relay")
-EXIT_CONFIG = os.path.join(os.path.dirname(__file__), "..", "..", "config", "exit")
-EXIT_NODE_SCRIPT = os.path.join(os.path.dirname(__file__), "exit_node.py")
 PROJECT_ROOT = os.path.join(os.path.dirname(__file__), "..")
+RELAY_CONFIG = os.path.join(PROJECT_ROOT, "config", "tcp_bridge", "relay")
+EXIT_CONFIG = os.path.join(PROJECT_ROOT, "config", "tcp_bridge", "exit")
+EXIT_NODE_SCRIPT = os.path.join(PROJECT_ROOT, "scripts", "exit_node.py")
+RNSD_EXECUTABLE = os.path.join(os.path.dirname(sys.executable), "rnsd")
 
 # Validate paths
 for path, label in [(RELAY_CONFIG, "relay config"), (EXIT_CONFIG, "exit config"),
-                     (EXIT_NODE_SCRIPT, "exit_node.py")]:
+                     (EXIT_NODE_SCRIPT, "exit_node.py"), (RNSD_EXECUTABLE, "rnsd")]:
     resolved = os.path.realpath(path)
     if not os.path.exists(resolved):
         print(f"FATAL: {label} not found at {resolved}")
@@ -56,6 +57,7 @@ def log_warn(msg): log("!", YELLOW, msg)
 
 
 def main():
+    os.umask(0o077)
     procs = []
 
     def cleanup():
@@ -84,7 +86,7 @@ def sighandler(sig, frame):
     # ── Step 1: Start relay rnsd ──────────────────────────────────────────────
     log_info(f"Starting relay rnsd (config: {RELAY_CONFIG})")
     relay_proc = subprocess.Popen(
-        ["rnsd", "--config", RELAY_CONFIG],
+        [RNSD_EXECUTABLE, "--config", RELAY_CONFIG],
         stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
     )
     procs.append(relay_proc)
@@ -102,7 +104,7 @@ def sighandler(sig, frame):
     # ── Step 2: Start exit rnsd ───────────────────────────────────────────────
     log_info(f"Starting exit rnsd (config: {EXIT_CONFIG})")
     exit_rnsd = subprocess.Popen(
-        ["rnsd", "--config", EXIT_CONFIG],
+        [RNSD_EXECUTABLE, "--config", EXIT_CONFIG],
         stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
     )
     procs.append(exit_rnsd)
@@ -146,13 +148,13 @@ def sighandler(sig, frame):
     # announce, establishes a link through the TCP bridge, and sends an RPC request.
     client_code = f'''
 import sys, os, time, json
-sys.path.insert(0, "{os.path.realpath(PROJECT_ROOT)}")
+sys.path.insert(0, {os.path.realpath(PROJECT_ROOT)!r})
 import RNS
 from shared import APP_NAME, APP_ASPECT, RPC_PATH, ANNOUNCE_DATA, build_rpc, decompress_response
 
 try:
     # Connect to relay instance
-    r = RNS.Reticulum("{RELAY_CONFIG}")
+    r = RNS.Reticulum({RELAY_CONFIG!r})
     time.sleep(2)
 
     print("CLIENT: Reticulum connected to relay instance")
@@ -265,7 +267,7 @@ def received_announce(self, destination_hash, announced_identity, app_data):
             prefix = "CLIENT" if text.startswith("CLIENT:") else "      "
             if "SUCCESS" in text:
                 log_ok(text.replace("CLIENT: ", ""))
-            elif "FAIL" in text:
+            elif text.startswith("CLIENT: FAIL"):
                 log_err(text.replace("CLIENT: ", ""))
             else:
                 log_info(text.replace("CLIENT: ", ""))
diff --git a/tests/test_tcp_bridge_source.py b/tests/test_tcp_bridge_source.py
new file mode 100644
index 0000000..26160ae
--- /dev/null
+++ b/tests/test_tcp_bridge_source.py
@@ -0,0 +1,14 @@
+"""Regression tests for the generated TCP bridge client program."""
+from pathlib import Path
+
+
+TCP_BRIDGE = Path(__file__).parents[1] / "tests" / "test_tcp_bridge.py"
+
+
+def test_generated_client_embeds_paths_as_python_literals():
+    source = TCP_BRIDGE.read_text()
+
+    assert "sys.path.insert(0, {os.path.realpath(PROJECT_ROOT)!r})" in source
+    assert "r = RNS.Reticulum({RELAY_CONFIG!r})" in source
+    assert 'sys.path.insert(0, "{os.path.realpath(PROJECT_ROOT)}")' not in source
+    assert 'r = RNS.Reticulum("{RELAY_CONFIG}")' not in source
diff --git a/tests/test_wallet.py b/tests/test_wallet.py
index f305613..436f438 100644
--- a/tests/test_wallet.py
+++ b/tests/test_wallet.py
@@ -5,9 +5,13 @@
 
 import json
 import base64
+import os
+import stat
 from pathlib import Path
+from unittest.mock import patch, MagicMock
 
 import pytest
+import beacon as beacon_module
 import state
 import wallet
 
@@ -16,9 +20,11 @@
 )
 
 from solders.keypair import Keypair
+from solders.transaction import Transaction
 
 # A known valid base58 Hash string (all 1s — the default/zero hash)
 ZERO_HASH = "11111111111111111111111111111111"
+MXE_PUBKEY_HEX = "00" * 32
 
 
 def _write_keypair(path: Path) -> Keypair:
@@ -27,6 +33,46 @@ def _write_keypair(path: Path) -> Keypair:
     return kp
 
 
+def _arcium_accounts() -> dict[str, str]:
+    return {
+        name: str(Keypair().pubkey())
+        for name in (
+            "mxeAccount",
+            "compDefAccount",
+            "mempoolAccount",
+            "executingPool",
+            "computationAccount",
+            "clusterAccount",
+            "poolAccount",
+            "clockAccount",
+        )
+    }
+
+
+def test_load_private_keypair_repairs_permissions(tmp_path):
+    path = tmp_path / "legacy.json"
+    expected = _write_keypair(path)
+    path.chmod(0o666)
+
+    loaded = wallet._load_private_keypair(path)
+
+    assert loaded.pubkey() == expected.pubkey()
+    assert stat.S_IMODE(path.stat().st_mode) == 0o600
+
+
+def test_load_private_keypair_refuses_symlink_without_chmod_target(tmp_path):
+    target = tmp_path / "target.json"
+    _write_keypair(target)
+    target.chmod(0o666)
+    path = tmp_path / "wallet.json"
+    path.symlink_to(target)
+
+    with pytest.raises(OSError, match="Refusing symlinked keypair path"):
+        wallet._load_private_keypair(path)
+
+    assert stat.S_IMODE(target.stat().st_mode) == 0o666
+
+
 # ── generate_wallet ───────────────────────────────────────────────────────────
 
 def test_generate_wallet_creates_file(tmp_path):
@@ -61,12 +107,74 @@ def test_generate_wallet_keypair_is_valid(tmp_path):
     assert str(kp.pubkey()) == state.active_wallet["pubkey"]
 
 
+def test_generate_wallet_permissions_owner_only(tmp_path):
+    path = tmp_path / "w.json"
+    path.write_text("existing file with permissive mode")
+    path.chmod(0o666)
+    wallet.generate_wallet(str(path))
+    assert stat.S_IMODE(path.stat().st_mode) == 0o600
+
+
 def test_generate_wallet_bad_path(capsys):
     result = wallet.generate_wallet("/nonexistent_dir/wallet.json")
     assert result is None
     assert "Failed to save" in capsys.readouterr().out
 
 
+def test_generate_wallet_refuses_symlink_target(tmp_path, capsys):
+    target = tmp_path / "keep.txt"
+    target.write_text("keep")
+    path = tmp_path / "wallet.json"
+    path.symlink_to(target)
+
+    result = wallet.generate_wallet(str(path))
+
+    assert result is None
+    assert target.read_text() == "keep"
+    assert "Failed to save" in capsys.readouterr().out
+
+
+def test_generate_wallet_refuses_fifo_target(tmp_path, capsys):
+    path = tmp_path / "wallet.json"
+    os.mkfifo(path)
+
+    assert wallet.generate_wallet(str(path)) is None
+    assert "Failed to save" in capsys.readouterr().out
+
+
+def test_generate_wallet_replaces_hardlink_without_modifying_sibling(tmp_path):
+    sibling = tmp_path / "keep.txt"
+    sibling.write_text("keep")
+    path = tmp_path / "wallet.json"
+    os.link(sibling, path)
+
+    assert wallet.generate_wallet(str(path)) == str(path)
+
+    assert sibling.read_text() == "keep"
+    assert path.read_text() != "keep"
+    assert path.stat().st_ino != sibling.stat().st_ino
+
+
+def test_generate_wallet_cleans_up_temp_file_after_replace_failure(tmp_path, monkeypatch, capsys):
+    path = tmp_path / "wallet.json"
+    monkeypatch.setattr(wallet.os, "replace", MagicMock(side_effect=OSError("refused")))
+
+    assert wallet.generate_wallet(str(path)) is None
+
+    assert list(tmp_path.iterdir()) == []
+    assert "Failed to save" in capsys.readouterr().out
+
+
+def test_generate_wallet_escapes_terminal_control_bytes_in_path(tmp_path, capsys):
+    path = str(tmp_path / "before\x1b[2Jafter.json")
+
+    assert wallet.generate_wallet(path) == path
+
+    output = capsys.readouterr().out
+    assert r"before\x1b[2Jafter.json" in output
+    assert "\x1b[2J" not in output
+
+
 # ── import_wallet ─────────────────────────────────────────────────────────────
 
 def test_import_wallet_hex64(tmp_path):
@@ -100,6 +208,13 @@ def test_import_wallet_json_array_saves_file(tmp_path):
     assert saved == list(bytes(kp))
 
 
+def test_import_wallet_permissions_owner_only(tmp_path):
+    kp = Keypair()
+    path = tmp_path / "imported.json"
+    wallet.import_wallet(json.dumps(list(bytes(kp))), str(path))
+    assert stat.S_IMODE(path.stat().st_mode) == 0o600
+
+
 def test_import_wallet_invalid_json_array(tmp_path, capsys):
     path = str(tmp_path / "bad.json")
     result = wallet.import_wallet("[not valid json}", path)
@@ -168,6 +283,30 @@ def test_scan_nonce_accounts_returns_path_and_pubkey(tmp_path, monkeypatch):
     assert result[0]["pubkey"] == str(kp.pubkey())
 
 
+def test_scan_nonce_accounts_repairs_legacy_permissions(tmp_path, monkeypatch):
+    monkeypatch.chdir(tmp_path)
+    path = tmp_path / "nonce_test1234.json"
+    path.write_text(json.dumps(list(bytes(Keypair()))))
+    path.chmod(0o666)
+    wallet.scan_nonce_accounts()
+    assert stat.S_IMODE(path.stat().st_mode) == 0o600
+
+
+def test_scan_nonce_accounts_caps_discovery_by_filename(tmp_path, monkeypatch, capsys):
+    monkeypatch.chdir(tmp_path)
+    monkeypatch.setattr(wallet, "MAX_DISCOVERED_NONCE_ACCOUNTS", 2)
+    expected = []
+    for suffix in ("a", "b", "c"):
+        kp = Keypair()
+        (tmp_path / f"nonce_{suffix}.json").write_text(json.dumps(list(bytes(kp))))
+        expected.append(str(kp.pubkey()))
+
+    result = wallet.scan_nonce_accounts()
+
+    assert [item["pubkey"] for item in result] == expected[:2]
+    assert "scanning the first filenames only" in capsys.readouterr().out
+
+
 # ── auto_load_wallet ──────────────────────────────────────────────────────────
 
 def test_auto_load_finds_wallet_json(tmp_path, monkeypatch):
@@ -181,6 +320,15 @@ def test_auto_load_finds_wallet_json(tmp_path, monkeypatch):
     assert "wallet.json" in state.active_wallet["path"]
 
 
+def test_auto_load_repairs_legacy_wallet_permissions(tmp_path, monkeypatch):
+    monkeypatch.chdir(tmp_path)
+    path = tmp_path / "wallet.json"
+    path.write_text(json.dumps(list(bytes(Keypair()))))
+    path.chmod(0o666)
+    wallet.auto_load_wallet()
+    assert stat.S_IMODE(path.stat().st_mode) == 0o600
+
+
 def test_auto_load_finds_wallet_prefix(tmp_path, monkeypatch):
     monkeypatch.chdir(tmp_path)
     kp = Keypair()
@@ -210,6 +358,18 @@ def test_auto_load_skips_corrupt_file(tmp_path, monkeypatch):
     assert state.active_wallet is None
 
 
+def test_auto_load_skips_dangling_symlink_candidate(tmp_path, monkeypatch):
+    monkeypatch.chdir(tmp_path)
+    expected = _write_keypair(tmp_path / "wallet_fallback.json")
+    (tmp_path / "wallet_newer.json").symlink_to(tmp_path / "missing.json")
+    state.active_wallet = None
+
+    wallet.auto_load_wallet()
+
+    assert state.active_wallet is not None
+    assert state.active_wallet["pubkey"] == str(expected.pubkey())
+
+
 def test_auto_load_nothing_found(tmp_path, monkeypatch):
     monkeypatch.chdir(tmp_path)
     state.active_wallet = None
@@ -217,6 +377,57 @@ def test_auto_load_nothing_found(tmp_path, monkeypatch):
     assert state.active_wallet is None
 
 
+def test_auto_load_wallet_caps_generated_candidates(tmp_path, monkeypatch, capsys):
+    monkeypatch.chdir(tmp_path)
+    monkeypatch.setattr(wallet, "MAX_AUTOLOAD_WALLET_CANDIDATES", 2)
+    load = MagicMock(side_effect=OSError("corrupt"))
+    monkeypatch.setattr(wallet, "_load_private_keypair", load)
+    for index in range(3):
+        path = tmp_path / f"wallet_{index}.json"
+        path.write_text("unused")
+        os.utime(path, (index, index))
+    state.active_wallet = None
+
+    wallet.auto_load_wallet()
+
+    assert state.active_wallet is None
+    assert load.call_count == 2
+    assert "trying the newest candidates only" in capsys.readouterr().out
+
+
+# ── offline_sign_transfer ─────────────────────────────────────────────────────
+
+def test_offline_sign_transfer_invalid_recipient(tmp_path, capsys):
+    _write_keypair(tmp_path / "payer.json")
+    result = wallet.offline_sign_transfer(
+        str(tmp_path / "payer.json"),
+        "not-a-valid-pubkey",
+        1,
+        ZERO_HASH,
+    )
+    assert result is None
+    assert "Invalid recipient address" in capsys.readouterr().out
+
+
+def test_offline_sign_transfer_invalid_blockhash(tmp_path, capsys):
+    _write_keypair(tmp_path / "payer.json")
+    result = wallet.offline_sign_transfer(
+        str(tmp_path / "payer.json"),
+        str(Keypair().pubkey()),
+        1,
+        "not-a-valid-blockhash",
+    )
+    assert result is None
+    assert "Invalid blockhash" in capsys.readouterr().out
+
+
+@pytest.mark.parametrize("lamports", [-1, 1 << 64])
+def test_offline_sign_transfer_rejects_out_of_range_lamports(capsys, lamports):
+    result = wallet.offline_sign_transfer("unused.json", str(Keypair().pubkey()), lamports, ZERO_HASH)
+    assert result is None
+    assert "Lamports must be an integer between" in capsys.readouterr().out
+
+
 # ── offline_sign_nonce_transfer ───────────────────────────────────────────────
 
 def test_offline_sign_nonce_transfer_returns_base64(tmp_path):
@@ -280,13 +491,71 @@ def test_offline_sign_nonce_transfer_zero_lamports_still_signs(tmp_path):
     assert tx is not None
 
 
+@pytest.mark.parametrize("nonce_account,to_address", [
+    ("not-a-valid-pubkey", str(Keypair().pubkey())),
+    (str(Keypair().pubkey()), "not-a-valid-pubkey"),
+])
+def test_offline_sign_nonce_transfer_invalid_address(tmp_path, capsys, nonce_account, to_address):
+    _write_keypair(tmp_path / "payer.json")
+    result = wallet.offline_sign_nonce_transfer(
+        str(tmp_path / "payer.json"),
+        nonce_account,
+        str(tmp_path / "payer.json"),
+        to_address,
+        1,
+        ZERO_HASH,
+    )
+    assert result is None
+    assert "Invalid address" in capsys.readouterr().out
+
+
+def test_offline_sign_nonce_transfer_invalid_nonce_value(tmp_path, capsys):
+    _write_keypair(tmp_path / "payer.json")
+    result = wallet.offline_sign_nonce_transfer(
+        str(tmp_path / "payer.json"),
+        str(Keypair().pubkey()),
+        str(tmp_path / "payer.json"),
+        str(Keypair().pubkey()),
+        1,
+        "not-a-valid-blockhash",
+    )
+    assert result is None
+    assert "Invalid nonce value" in capsys.readouterr().out
+
+
+@pytest.mark.parametrize("lamports", [-1, 1 << 64])
+def test_offline_sign_nonce_transfer_rejects_out_of_range_lamports(capsys, lamports):
+    result = wallet.offline_sign_nonce_transfer(
+        "unused-payer.json",
+        str(Keypair().pubkey()),
+        "unused-auth.json",
+        str(Keypair().pubkey()),
+        lamports,
+        ZERO_HASH,
+    )
+    assert result is None
+    assert "Lamports must be an integer between" in capsys.readouterr().out
+
+
 # ── partial_sign_execute_payment ──────────────────────────────────────────────
 
-def test_partial_sign_execute_payment_returns_base64(tmp_path):
+@patch("wallet._account_exists", return_value=True)
+@patch("arcium_client._run_shim")
+@patch("arcium_client.rescue_encrypt")
+def test_partial_sign_execute_payment_returns_base64(
+    mock_encrypt, mock_shim, _mock_exists, tmp_path, monkeypatch,
+):
     payer   = _write_keypair(tmp_path / "payer.json")
     beacon  = Keypair()
     to      = Keypair()
     nonce   = Keypair()
+    mint    = Keypair()
+    mock_encrypt.return_value = {
+        "ciphertexts": [[0] * 32],
+        "pubkey_hex": "00" * 32,
+        "nonce_bn": "0",
+    }
+    mock_shim.return_value = _arcium_accounts()
 
     tx = wallet.partial_sign_execute_payment(
         str(tmp_path / "payer.json"),
@@ -294,11 +563,15 @@ def test_partial_sign_execute_payment_returns_base64(tmp_path):
         str(nonce.pubkey()),
         str(to.pubkey()),
         500_000,
-        ZERO_HASH,
+        MXE_PUBKEY_HEX,
+        str(mint.pubkey()),
+        nonce_value=ZERO_HASH,
     )
     assert tx is not None
     decoded = base64.b64decode(tx)
     assert len(decoded) > 0
+    monkeypatch.setattr(beacon_module, "beacon_cosign_keypair", beacon)
+    assert beacon_module._validate_cosign_transaction(Transaction.from_bytes(decoded)) is None
 
 
 def test_partial_sign_execute_payment_missing_keypair(tmp_path, capsys):
@@ -308,7 +581,8 @@ def test_partial_sign_execute_payment_missing_keypair(tmp_path, capsys):
         str(Keypair().pubkey()),
         str(Keypair().pubkey()),
         1_000,
-        ZERO_HASH,
+        MXE_PUBKEY_HEX,
+        str(Keypair().pubkey()),
     )
     assert result is None
     assert "Failed to load" in capsys.readouterr().out
@@ -322,32 +596,303 @@ def test_partial_sign_execute_payment_invalid_address(tmp_path, capsys):
         "also-invalid",
         "still-invalid",
         1_000,
-        ZERO_HASH,
+        MXE_PUBKEY_HEX,
+        "invalid-mint",
+    )
+    assert result is None
+    assert "Invalid address" in capsys.readouterr().out
+
+
+def test_partial_sign_execute_payment_invalid_broadcaster_token_account(tmp_path, capsys):
+    _write_keypair(tmp_path / "payer.json")
+    result = wallet.partial_sign_execute_payment(
+        str(tmp_path / "payer.json"),
+        str(Keypair().pubkey()),
+        str(Keypair().pubkey()),
+        str(Keypair().pubkey()),
+        1_000,
+        MXE_PUBKEY_HEX,
+        str(Keypair().pubkey()),
+        broadcaster_token_account_str="not-a-valid-pubkey",
     )
     assert result is None
     assert "Invalid address" in capsys.readouterr().out
 
 
+@pytest.mark.parametrize("amount", [-1, 1 << 64])
+def test_partial_sign_execute_payment_rejects_out_of_range_amount(capsys, amount):
+    result = wallet.partial_sign_execute_payment(
+        "unused.json",
+        str(Keypair().pubkey()),
+        str(Keypair().pubkey()),
+        str(Keypair().pubkey()),
+        amount,
+        MXE_PUBKEY_HEX,
+        str(Keypair().pubkey()),
+    )
+    assert result is None
+    assert "Amount must be an integer between" in capsys.readouterr().out
+
+
+@pytest.mark.parametrize("cluster_offset", [-1, True, 1 << 32])
+def test_partial_sign_execute_payment_rejects_out_of_range_cluster_offset(capsys, cluster_offset):
+    result = wallet.partial_sign_execute_payment(
+        "unused.json",
+        str(Keypair().pubkey()),
+        str(Keypair().pubkey()),
+        str(Keypair().pubkey()),
+        1_000,
+        MXE_PUBKEY_HEX,
+        str(Keypair().pubkey()),
+        cluster_offset=cluster_offset,
+    )
+    assert result is None
+    assert "Cluster offset must be an integer between" in capsys.readouterr().out
+
+
+@patch("wallet._account_exists", return_value=True)
+@patch("arcium_client._run_shim")
+@patch("arcium_client.rescue_encrypt")
+def test_partial_sign_execute_payment_invalid_nonce_value(mock_encrypt, mock_shim, _mock_exists, tmp_path, capsys):
+    mock_encrypt.return_value = {
+        "ciphertexts": [[0] * 32],
+        "pubkey_hex": "00" * 32,
+        "nonce_bn": "0",
+    }
+    mock_shim.return_value = _arcium_accounts()
+    _write_keypair(tmp_path / "payer.json")
+    result = wallet.partial_sign_execute_payment(
+        str(tmp_path / "payer.json"),
+        str(Keypair().pubkey()),
+        str(Keypair().pubkey()),
+        str(Keypair().pubkey()),
+        1_000,
+        MXE_PUBKEY_HEX,
+        str(Keypair().pubkey()),
+        nonce_value="not-a-valid-blockhash",
+    )
+    assert result is None
+    assert "Invalid nonce value" in capsys.readouterr().out
+
+
+@patch("arcium_client._run_shim")
+@patch("arcium_client.rescue_encrypt")
+def test_partial_sign_execute_payment_invalid_encryption_payload(mock_encrypt, mock_shim, tmp_path, capsys):
+    mock_encrypt.return_value = {}
+    _write_keypair(tmp_path / "payer.json")
+    result = wallet.partial_sign_execute_payment(
+        str(tmp_path / "payer.json"),
+        str(Keypair().pubkey()),
+        str(Keypair().pubkey()),
+        str(Keypair().pubkey()),
+        1_000,
+        MXE_PUBKEY_HEX,
+        str(Keypair().pubkey()),
+    )
+    assert result is None
+    assert "Invalid Arcium encryption payload" in capsys.readouterr().out
+    mock_shim.assert_not_called()
+
+
+@pytest.mark.parametrize("payload", [
+    {"ciphertexts": [[0] * 31], "pubkey_hex": "00" * 32, "nonce_bn": "0"},
+    {"ciphertexts": [[0] * 32], "pubkey_hex": "00" * 31, "nonce_bn": "0"},
+    {"ciphertexts": [[0] * 32], "pubkey_hex": "00" * 32, "nonce_bn": True},
+    {"ciphertexts": [[0] * 32], "pubkey_hex": "00" * 32, "nonce_bn": "-1"},
+    {"ciphertexts": [[0] * 32], "pubkey_hex": "00" * 32, "nonce_bn": "9" * 100_000},
+    {"ciphertexts": [[0] * 32], "pubkey_hex": "00" * 32, "nonce_bn": "١"},
+])
+@patch("arcium_client._run_shim")
+@patch("arcium_client.rescue_encrypt")
+def test_partial_sign_execute_payment_rejects_malformed_encryption_fields(
+    mock_encrypt, mock_shim, tmp_path, capsys, payload,
+):
+    mock_encrypt.return_value = payload
+    _write_keypair(tmp_path / "payer.json")
+    result = wallet.partial_sign_execute_payment(
+        str(tmp_path / "payer.json"),
+        str(Keypair().pubkey()),
+        str(Keypair().pubkey()),
+        str(Keypair().pubkey()),
+        1_000,
+        MXE_PUBKEY_HEX,
+        str(Keypair().pubkey()),
+    )
+    assert result is None
+    assert "Invalid Arcium encryption payload" in capsys.readouterr().out
+    mock_shim.assert_not_called()
+
+
+@patch("arcium_client._run_shim")
+@patch("arcium_client.rescue_encrypt")
+def test_partial_sign_execute_payment_invalid_account_metadata(mock_encrypt, mock_shim, tmp_path, capsys):
+    mock_encrypt.return_value = {
+        "ciphertexts": [[0] * 32],
+        "pubkey_hex": "00" * 32,
+        "nonce_bn": "0",
+    }
+    mock_shim.return_value = {"mxeAccount": "not-a-valid-pubkey"}
+    _write_keypair(tmp_path / "payer.json")
+    result = wallet.partial_sign_execute_payment(
+        str(tmp_path / "payer.json"),
+        str(Keypair().pubkey()),
+        str(Keypair().pubkey()),
+        str(Keypair().pubkey()),
+        1_000,
+        MXE_PUBKEY_HEX,
+        str(Keypair().pubkey()),
+    )
+    assert result is None
+    assert "Invalid Arcium account metadata" in capsys.readouterr().out
+
+
 # ── create_nonce_account (instruction build) ──────────────────────────────────
 
-def test_create_nonce_account_authority_param_name(tmp_path, monkeypatch):
+def test_create_nonce_account_authority_param_name(tmp_path):
     """
     Regression: InitializeNonceAccountParams uses 'authority', not 'authorized_pubkey'.
     Mock out RPC calls and verify the instruction builds without ValueError.
     """
-    from unittest.mock import patch, MagicMock
     _write_keypair(tmp_path / "payer.json")
+    _write_keypair(tmp_path / "nonce.json")
 
-    mock_rpc = MagicMock()
-    mock_rpc.return_value = {"result": 1_447_680}          # rent
     mock_blockhash = MagicMock(return_value="4vJ9JU1bJJE96FWSJKvHsmmFADCg4gpZQff4P3bkLKi")
-    mock_send = MagicMock(return_value={"result": "SIG"})
 
-    with patch("wallet.rpc_call", mock_rpc), \
-         patch("wallet.get_recent_blockhash", mock_blockhash), \
-         patch("wallet.rpc_call", mock_send):
+    with patch("rpc.rpc_call", side_effect=[{"result": 1_447_680}, {"result": "SIG"}]), \
+         patch("rpc.get_recent_blockhash", mock_blockhash):
         # The call must not raise ValueError: Missing required key: authority
         try:
-            wallet.create_nonce_account(str(tmp_path / "payer.json"), None, None)
+            result = wallet.create_nonce_account(
+                str(tmp_path / "payer.json"),
+                str(tmp_path / "nonce.json"),
+                None,
+            )
         except ValueError as e:
             pytest.fail(f"InitializeNonceAccountParams raised ValueError: {e}")
+    assert result is not None
+
+
+def test_create_nonce_account_generated_key_permissions(tmp_path, monkeypatch):
+    _write_keypair(tmp_path / "payer.json")
+    monkeypatch.chdir(tmp_path)
+    mock_blockhash = MagicMock(return_value="4vJ9JU1bJJE96FWSJKvHsmmFADCg4gpZQff4P3bkLKi")
+
+    with patch("rpc.rpc_call", side_effect=[{"result": 1_447_680}, {"result": "SIG"}]), \
+         patch("rpc.get_recent_blockhash", mock_blockhash):
+        result = wallet.create_nonce_account(str(tmp_path / "payer.json"))
+
+    assert result is not None
+    nonce_paths = list(tmp_path.glob("nonce_*.json"))
+    assert len(nonce_paths) == 1
+    assert stat.S_IMODE(nonce_paths[0].stat().st_mode) == 0o600
+
+
+def test_create_nonce_account_removes_generated_key_after_presubmit_failure(tmp_path, monkeypatch):
+    _write_keypair(tmp_path / "payer.json")
+    monkeypatch.chdir(tmp_path)
+
+    with patch("rpc.rpc_call", return_value=None):
+        result = wallet.create_nonce_account(str(tmp_path / "payer.json"))
+
+    assert result is None
+    assert list(tmp_path.glob("nonce_*.json")) == []
+
+
+def test_create_nonce_account_preserves_generated_key_after_uncertain_submission(tmp_path, monkeypatch):
+    _write_keypair(tmp_path / "payer.json")
+    monkeypatch.chdir(tmp_path)
+    blockhash = "4vJ9JU1bJJE96FWSJKvHsmmFADCg4gpZQff4P3bkLKi"
+
+    with patch("rpc.rpc_call", side_effect=[{"result": 1_447_680}, None]), \
+         patch("rpc.get_recent_blockhash", return_value=blockhash):
+        result = wallet.create_nonce_account(str(tmp_path / "payer.json"))
+
+    assert result is None
+    assert len(list(tmp_path.glob("nonce_*.json"))) == 1
+
+
+def test_create_nonce_account_generated_key_write_failure(tmp_path, capsys):
+    _write_keypair(tmp_path / "payer.json")
+
+    with patch("wallet._save_private_keypair", side_effect=OSError("refused")):
+        result = wallet.create_nonce_account(str(tmp_path / "payer.json"))
+
+    assert result is None
+    assert "Failed to save nonce keypair: refused" in capsys.readouterr().out
+
+
+def test_create_nonce_account_invalid_authority(tmp_path, capsys):
+    _write_keypair(tmp_path / "payer.json")
+    _write_keypair(tmp_path / "nonce.json")
+    result = wallet.create_nonce_account(
+        str(tmp_path / "payer.json"),
+        str(tmp_path / "nonce.json"),
+        "not-a-valid-pubkey",
+    )
+    assert result is None
+    assert "Invalid authority address" in capsys.readouterr().out
+
+
+def test_create_nonce_account_invalid_blockhash(tmp_path, capsys):
+    _write_keypair(tmp_path / "payer.json")
+    _write_keypair(tmp_path / "nonce.json")
+
+    with patch("rpc.rpc_call", return_value={"result": 1_447_680}), \
+         patch("rpc.get_recent_blockhash", return_value="not-a-valid-blockhash"):
+        result = wallet.create_nonce_account(
+            str(tmp_path / "payer.json"),
+            str(tmp_path / "nonce.json"),
+            None,
+        )
+
+    assert result is None
+    assert "Invalid blockhash" in capsys.readouterr().out
+
+
+def test_create_nonce_account_scalar_send_error(tmp_path, capsys):
+    _write_keypair(tmp_path / "payer.json")
+    _write_keypair(tmp_path / "nonce.json")
+    blockhash = "4vJ9JU1bJJE96FWSJKvHsmmFADCg4gpZQff4P3bkLKi"
+
+    with patch("rpc.rpc_call", side_effect=[{"result": 1_447_680}, {"error": "busy"}]), \
+         patch("rpc.get_recent_blockhash", return_value=blockhash):
+        result = wallet.create_nonce_account(
+            str(tmp_path / "payer.json"),
+            str(tmp_path / "nonce.json"),
+            None,
+        )
+
+    assert result is None
+    assert "busy" in capsys.readouterr().out
+
+
+def test_create_nonce_account_rejects_boolean_rent(tmp_path, capsys):
+    _write_keypair(tmp_path / "payer.json")
+    _write_keypair(tmp_path / "nonce.json")
+
+    with patch("rpc.rpc_call", return_value={"result": True}):
+        result = wallet.create_nonce_account(
+            str(tmp_path / "payer.json"),
+            str(tmp_path / "nonce.json"),
+            None,
+        )
+
+    assert result is None
+    assert "Unexpected getMinimumBalanceForRentExemption response" in capsys.readouterr().out
+
+
+def test_create_nonce_account_rejects_missing_signature(tmp_path, capsys):
+    _write_keypair(tmp_path / "payer.json")
+    _write_keypair(tmp_path / "nonce.json")
+    blockhash = "4vJ9JU1bJJE96FWSJKvHsmmFADCg4gpZQff4P3bkLKi"
+
+    with patch("rpc.rpc_call", side_effect=[{"result": 1_447_680}, {"result": None}]), \
+         patch("rpc.get_recent_blockhash", return_value=blockhash):
+        result = wallet.create_nonce_account(
+            str(tmp_path / "payer.json"),
+            str(tmp_path / "nonce.json"),
+            None,
+        )
+
+    assert result is None
+    assert "Unexpected sendTransaction response" in capsys.readouterr().out
diff --git a/wallet.py b/wallet.py
index eb949a2..97e1831 100644
--- a/wallet.py
+++ b/wallet.py
@@ -10,12 +10,15 @@
 import json
 import base64
 import hashlib
+import heapq
 import secrets as _secrets
+import stat
+import tempfile
 from pathlib import Path
 
 import state
 from shared import (
-    log_info, log_ok, log_warn, log_err,
+    log_info, log_ok, log_warn, log_err, rpc_error_message, terminal_safe_text,
     BOLD, GREEN, YELLOW, RED, RESET, DIM,
 )
 
@@ -39,6 +42,86 @@
 # Fixed size of a nonce account on Solana (defined by the runtime)
 NONCE_ACCOUNT_LENGTH = 80
 _ERR_NONCE = "Could not fetch nonce account"
+_MAX_U32 = (1 << 32) - 1
+_MAX_U64 = (1 << 64) - 1
+MAX_DISCOVERED_NONCE_ACCOUNTS = 100
+MAX_AUTOLOAD_WALLET_CANDIDATES = 100
+
+
+def _validate_u64(value: int, label: str) -> bool:
+    """Return whether a value can be encoded as an unsigned Solana u64."""
+    if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= _MAX_U64:
+        log_err(f"{label} must be an integer between 0 and {_MAX_U64}")
+        return False
+    return True
+
+
+def _save_private_keypair(path: str, keypair: "Keypair") -> None:
+    """Atomically write a Solana keypair with owner-only permissions."""
+    try:
+        destination_mode = os.lstat(path).st_mode
+    except FileNotFoundError:
+        pass
+    else:
+        if stat.S_ISLNK(destination_mode):
+            raise OSError(f"Refusing symlinked keypair path: {path}")
+        if not stat.S_ISREG(destination_mode):
+            raise OSError(f"Refusing non-regular keypair path: {path}")
+
+    directory = os.path.dirname(path) or "."
+    prefix = f".{os.path.basename(path)}."
+    previous_umask = os.umask(0o077)
+    fd = -1
+    temp_path = ""
+    try:
+        fd, temp_path = tempfile.mkstemp(prefix=prefix, dir=directory)
+        if not stat.S_ISREG(os.fstat(fd).st_mode):
+            raise OSError(f"Refusing non-regular keypair temp path: {temp_path}")
+        os.fchmod(fd, 0o600)
+        file_obj = os.fdopen(fd, "w")
+        fd = -1
+        with file_obj as f:
+            json.dump(list(bytes(keypair)), f)
+        os.replace(temp_path, path)
+        temp_path = ""
+    finally:
+        if fd != -1:
+            os.close(fd)
+        if temp_path:
+            try:
+                os.unlink(temp_path)
+            except FileNotFoundError:
+                pass
+        os.umask(previous_umask)
+
+
+def _restrict_private_keypair_permissions(fd: int, path: str | Path) -> None:
+    """Repair legacy local keypair files created with permissive modes."""
+    try:
+        if stat.S_IMODE(os.fstat(fd).st_mode) != 0o600:
+            os.fchmod(fd, 0o600)
+            log_warn(f"Restricted keypair permissions to 0600: {path}")
+    except OSError as exc:
+        log_warn(f"Could not restrict keypair permissions for {path}: {exc}")
+
+
+def _load_private_keypair(path: str | Path) -> "Keypair":
+    """Load a regular local keypair without following a final symlink."""
+    if os.path.islink(path):
+        raise OSError(f"Refusing symlinked keypair path: {path}")
+    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_NONBLOCK", 0)
+    fd = os.open(path, flags)
+    try:
+        if not stat.S_ISREG(os.fstat(fd).st_mode):
+            raise OSError(f"Refusing non-regular keypair path: {path}")
+        _restrict_private_keypair_permissions(fd, path)
+        file_obj = os.fdopen(fd)
+        fd = -1
+        with file_obj as f:
+            return Keypair.from_bytes(bytes(json.load(f)))
+    finally:
+        if fd != -1:
+            os.close(fd)
 
 
 # ═══════════════════════════════════════════════════════════════════════════════
@@ -63,16 +146,29 @@ def auto_load_wallet() -> None:
     if exact.exists():
         candidates.append(exact)
 
-    candidates += sorted(
-        Path(".").glob("wallet_*.json"),
-        key=lambda p: p.stat().st_mtime,
-        reverse=True,
+    def generated_candidates():
+        for path in Path(".").glob("wallet_*.json"):
+            try:
+                yield path.lstat().st_mtime, path
+            except OSError:
+                continue
+
+    generated = heapq.nlargest(
+        MAX_AUTOLOAD_WALLET_CANDIDATES + 1,
+        generated_candidates(),
+        key=lambda item: item[0],
     )
+    if len(generated) > MAX_AUTOLOAD_WALLET_CANDIDATES:
+        log_warn(
+            f"Found more than {MAX_AUTOLOAD_WALLET_CANDIDATES} generated wallet files; "
+            "trying the newest candidates only"
+        )
+        generated = generated[:MAX_AUTOLOAD_WALLET_CANDIDATES]
+    candidates += [path for _, path in generated]
 
     for path in candidates:
         try:
-            with open(path) as f:
-                kp = Keypair.from_bytes(bytes(json.load(f)))
+            kp = _load_private_keypair(path)
             pubkey = str(kp.pubkey())
             state.active_wallet = {"pubkey": pubkey, "path": str(path)}
             log_ok(f"Wallet loaded: {pubkey}  ({path})")
@@ -99,18 +195,18 @@ def generate_wallet(save_path: str | None = None) -> str | None:
     path   = save_path or f"wallet_{pubkey[:8]}.json"
 
     try:
-        with open(path, "w") as f:
-            json.dump(list(bytes(kp)), f)
+        _save_private_keypair(path, kp)
     except OSError as exc:
         log_err(f"Failed to save keypair: {exc}")
         return None
 
     state.active_wallet = {"pubkey": pubkey, "path": path}
 
+    safe_path = terminal_safe_text(path)
     print(f"\n  {GREEN}{BOLD}New wallet generated{RESET}")
     print(f"  Public key:  {BOLD}{pubkey}{RESET}")
-    print(f"  Saved to:    {path}")
-    print(f"\n  {YELLOW}{BOLD}IMPORTANT:{RESET} Back up {path!r} — it contains your private key.")
+    print(f"  Saved to:    {safe_path}")
+    print(f"\n  {YELLOW}{BOLD}IMPORTANT:{RESET} Back up {safe_path!r} — it contains your private key.")
     print(f"  {DIM}Anyone with this file can spend funds from this wallet.{RESET}\n")
     return path
 
@@ -164,8 +260,7 @@ def import_wallet(raw: str, save_path: str) -> str | None:
             return None
 
     try:
-        with open(save_path, "w") as f:
-            json.dump(list(bytes(kp)), f)
+        _save_private_keypair(save_path, kp)
     except OSError as exc:
         log_err(f"Failed to save keypair: {exc}")
         return None
@@ -173,10 +268,11 @@ def import_wallet(raw: str, save_path: str) -> str | None:
     pubkey = str(kp.pubkey())
     state.active_wallet = {"pubkey": pubkey, "path": save_path}
 
+    safe_path = terminal_safe_text(save_path)
     print(f"\n  {GREEN}{BOLD}Wallet imported{RESET}")
     print(f"  Public key:  {BOLD}{pubkey}{RESET}")
-    print(f"  Saved to:    {save_path}")
-    print(f"\n  {YELLOW}{BOLD}IMPORTANT:{RESET} Back up {save_path!r} — it contains your private key.\n")
+    print(f"  Saved to:    {safe_path}")
+    print(f"\n  {YELLOW}{BOLD}IMPORTANT:{RESET} Back up {safe_path!r} — it contains your private key.\n")
     return pubkey
 
 
@@ -191,11 +287,20 @@ def scan_nonce_accounts() -> list[dict]:
     """
     if not HAS_SOLDERS:
         return []
+    paths = heapq.nsmallest(
+        MAX_DISCOVERED_NONCE_ACCOUNTS + 1,
+        Path(".").glob("nonce_*.json"),
+    )
+    if len(paths) > MAX_DISCOVERED_NONCE_ACCOUNTS:
+        log_warn(
+            f"Found more than {MAX_DISCOVERED_NONCE_ACCOUNTS} nonce keypair files; "
+            "scanning the first filenames only"
+        )
+        paths = paths[:MAX_DISCOVERED_NONCE_ACCOUNTS]
     result = []
-    for path in sorted(Path(".").glob("nonce_*.json")):
+    for path in paths:
         try:
-            with open(path) as f:
-                kp = Keypair.from_bytes(bytes(json.load(f)))
+            kp = _load_private_keypair(path)
             result.append({"path": str(path), "pubkey": str(kp.pubkey())})
         except Exception:
             continue
@@ -210,15 +315,20 @@ def offline_sign_transfer(keypair_json_path, to_address, lamports, blockhash=Non
     if not HAS_SOLDERS:
         log_err("Offline signing requires: pip install solders")
         return None
+    if not _validate_u64(lamports, "Lamports"):
+        return None
     try:
-        with open(keypair_json_path) as f:
-            keypair = Keypair.from_bytes(bytes(json.load(f)))
+        keypair = _load_private_keypair(keypair_json_path)
     except Exception as exc:
         log_err(f"Failed to load keypair: {exc}")
         return None
 
     from_pubkey = keypair.pubkey()
-    to_pubkey   = Pubkey.from_string(to_address)
+    try:
+        to_pubkey = Pubkey.from_string(to_address)
+    except ValueError as exc:
+        log_err(f"Invalid recipient address: {exc}")
+        return None
     log_info(f"Signing  from={from_pubkey}  to={to_pubkey}  lamports={lamports}")
 
     if blockhash is None:
@@ -228,10 +338,16 @@ def offline_sign_transfer(keypair_json_path, to_address, lamports, blockhash=Non
             log_err("Could not obtain blockhash")
             return None
 
+    try:
+        blockhash_value = Hash.from_string(blockhash)
+    except Exception as exc:
+        log_err(f"Invalid blockhash: {exc}")
+        return None
+
     ix  = transfer(TransferParams(from_pubkey=from_pubkey, to_pubkey=to_pubkey, lamports=lamports))
-    msg = Message.new_with_blockhash([ix], from_pubkey, Hash.from_string(blockhash))
+    msg = Message.new_with_blockhash([ix], from_pubkey, blockhash_value)
     tx  = Transaction.new_unsigned(msg)
-    tx.sign([keypair], Hash.from_string(blockhash))
+    tx.sign([keypair], blockhash_value)
     tx_b64 = base64.b64encode(bytes(tx)).decode("utf-8")
     log_ok(f"Transaction signed offline ({len(tx_b64)} chars)")
     print(f"\n  Signed TX: {BOLD}{tx_b64[:72]}...{RESET}\n")
@@ -323,6 +439,11 @@ def partial_sign_execute_payment(
     if not HAS_SOLDERS:
         log_err("Requires: pip install solders")
         return None
+    if not _validate_u64(amount, "Amount"):
+        return None
+    if isinstance(cluster_offset, bool) or not isinstance(cluster_offset, int) or not 0 <= cluster_offset <= _MAX_U32:
+        log_err(f"Cluster offset must be an integer between 0 and {_MAX_U32}")
+        return None
 
     try:
         from arcium_client import rescue_encrypt, _run_shim
@@ -331,20 +452,25 @@ def partial_sign_execute_payment(
         return None
 
     try:
-        with open(payer_keypair_path) as f:
-            payer = Keypair.from_bytes(bytes(json.load(f)))
+        payer = _load_private_keypair(payer_keypair_path)
     except Exception as exc:
         log_err(f"Failed to load keypair: {exc}")
         return None
 
-    payer_pubkey  = payer.pubkey()
-    beacon_pubkey = Pubkey.from_string(beacon_pubkey_str)
-    nonce_pubkey  = Pubkey.from_string(nonce_account_str)
-    prog_pubkey   = Pubkey.from_string(program_id_str)
-    mint_pubkey   = Pubkey.from_string(mint_str)
-    recipient_pk  = Pubkey.from_string(recipient_str)
-    # Treasury defaults to beacon/operator if not explicitly provided
-    treasury_pk   = Pubkey.from_string(treasury_str) if treasury_str else beacon_pubkey
+    payer_pubkey = payer.pubkey()
+    try:
+        beacon_pubkey = Pubkey.from_string(beacon_pubkey_str)
+        nonce_pubkey  = Pubkey.from_string(nonce_account_str)
+        prog_pubkey   = Pubkey.from_string(program_id_str)
+        mint_pubkey   = Pubkey.from_string(mint_str)
+        recipient_pk  = Pubkey.from_string(recipient_str)
+        # Treasury defaults to beacon/operator if not explicitly provided
+        treasury_pk = Pubkey.from_string(treasury_str) if treasury_str else beacon_pubkey
+        broadcaster_ta = (Pubkey.from_string(broadcaster_token_account_str)
+                          if broadcaster_token_account_str else None)
+    except ValueError as exc:
+        log_err(f"Invalid address: {exc}")
+        return None
 
     # Random u64 computation offset — uniquely identifies this Arcium computation
     comp_offset = int.from_bytes(_secrets.token_bytes(8), "little")
@@ -355,10 +481,38 @@ def partial_sign_execute_payment(
     except Exception as exc:
         log_err(f"Arcium encrypt failed: {exc}")
         return None
-    pub_key_hex      = enc["pubkey_hex"]
-    nonce_bn         = int(enc["nonce_bn"])
-    # Rescue ciphertext for the amount — 32-byte field element passed to Arcium
-    encrypted_amount = bytes(enc["ciphertexts"][0])
+    try:
+        pub_key_hex = enc["pubkey_hex"]
+        nonce_raw = enc["nonce_bn"]
+        if (
+            not isinstance(nonce_raw, str)
+            or not nonce_raw.isascii()
+            or not nonce_raw.isdecimal()
+            or len(nonce_raw) > 39
+        ):
+            raise ValueError("nonce_bn must be an unsigned decimal string")
+        nonce_bn = int(nonce_raw)
+        # Rescue ciphertext for the amount — 32-byte field element passed to Arcium
+        encrypted_amount = bytes(enc["ciphertexts"][0])
+        if len(encrypted_amount) != 32:
+            raise ValueError("encrypted amount must be 32 bytes")
+        public_key = bytes.fromhex(pub_key_hex)
+        if len(public_key) != 32:
+            raise ValueError("ephemeral public key must be 32 bytes")
+        # Instruction data layout (fixed contract):
+        # [disc 8B][comp_offset 8B LE][amount 8B LE][encrypted_amount 32B][nonce 16B LE][pub_key 32B] = 104 bytes
+        disc = hashlib.sha256(b"global:execute_payment").digest()[:8]
+        ix_data = (
+            disc
+            + comp_offset.to_bytes(8, "little")
+            + amount.to_bytes(8, "little")
+            + encrypted_amount
+            + nonce_bn.to_bytes(16, "little")
+            + public_key
+        )
+    except (KeyError, TypeError, ValueError, OverflowError) as exc:
+        log_err(f"Invalid Arcium encryption payload: {exc}")
+        return None
 
     log_info("Fetching Arcium PDAs...")
     try:
@@ -371,9 +525,7 @@ def partial_sign_execute_payment(
     payer_ta       = _get_ata(payer_pubkey,  mint_pubkey)
     recipient_ta   = _get_ata(recipient_pk,  mint_pubkey)
     treasury_ta    = _get_ata(treasury_pk,   mint_pubkey)
-    broadcaster_ta = (Pubkey.from_string(broadcaster_token_account_str)
-                      if broadcaster_token_account_str
-                      else _get_ata(beacon_pubkey, mint_pubkey))
+    broadcaster_ta = broadcaster_ta or _get_ata(beacon_pubkey, mint_pubkey)
 
     # sign_pda_account: PDA derived from seeds=[b"ArciumSignerAccount"] on this program
     sign_pda, _   = Pubkey.find_program_address([b"ArciumSignerAccount"], prog_pubkey)
@@ -381,30 +533,22 @@ def partial_sign_execute_payment(
         [b"whitelist", bytes(mint_pubkey)], prog_pubkey
     )
 
-    # Instruction data layout (fixed contract):
-    # [disc 8B][comp_offset 8B LE][amount 8B LE][encrypted_amount 32B][nonce 16B LE][pub_key 32B] = 104 bytes
-    disc      = hashlib.sha256(b"global:execute_payment").digest()[:8]
-    ix_data   = (
-        disc
-        + comp_offset.to_bytes(8,  "little")
-        + amount.to_bytes(8,       "little")
-        + encrypted_amount                      # 32-byte Rescue ciphertext of amount
-        + nonce_bn.to_bytes(16,    "little")
-        + bytes.fromhex(pub_key_hex)
-    )
-
-    TOKEN_PROG          = Pubkey.from_string(_TOKEN_PROGRAM)
-    SYSTEM_PROG         = Pubkey.from_string(_SYSTEM_PROGRAM)
-    # arcium_program is hardcoded in the IDL — use the value from there, not the shim
-    ARCIUM_PROG         = Pubkey.from_string("Arcj82pX7HxYKLR92qvgZUAd7vGS1k4hQvAFcPATFdEQ")
-    MXE_ACCOUNT         = Pubkey.from_string(accs["mxeAccount"])
-    COMP_DEF_ACCOUNT    = Pubkey.from_string(accs["compDefAccount"])
-    MEMPOOL_ACCOUNT     = Pubkey.from_string(accs["mempoolAccount"])
-    EXECUTING_POOL      = Pubkey.from_string(accs["executingPool"])
-    COMPUTATION_ACCOUNT = Pubkey.from_string(accs["computationAccount"])
-    CLUSTER_ACCOUNT     = Pubkey.from_string(accs["clusterAccount"])
-    POOL_ACCOUNT        = Pubkey.from_string(accs["poolAccount"])
-    CLOCK_ACCOUNT       = Pubkey.from_string(accs["clockAccount"])
+    try:
+        TOKEN_PROG = Pubkey.from_string(_TOKEN_PROGRAM)
+        SYSTEM_PROG = Pubkey.from_string(_SYSTEM_PROGRAM)
+        # arcium_program is hardcoded in the IDL — use the value from there, not the shim
+        ARCIUM_PROG = Pubkey.from_string("Arcj82pX7HxYKLR92qvgZUAd7vGS1k4hQvAFcPATFdEQ")
+        MXE_ACCOUNT = Pubkey.from_string(accs["mxeAccount"])
+        COMP_DEF_ACCOUNT = Pubkey.from_string(accs["compDefAccount"])
+        MEMPOOL_ACCOUNT = Pubkey.from_string(accs["mempoolAccount"])
+        EXECUTING_POOL = Pubkey.from_string(accs["executingPool"])
+        COMPUTATION_ACCOUNT = Pubkey.from_string(accs["computationAccount"])
+        CLUSTER_ACCOUNT = Pubkey.from_string(accs["clusterAccount"])
+        POOL_ACCOUNT = Pubkey.from_string(accs["poolAccount"])
+        CLOCK_ACCOUNT = Pubkey.from_string(accs["clockAccount"])
+    except (KeyError, TypeError, ValueError) as exc:
+        log_err(f"Invalid Arcium account metadata: {exc}")
+        return None
 
     setup_ixs: list[Instruction] = []
 
@@ -497,7 +641,11 @@ def _maybe_create_ata(owner: "Pubkey", ata: "Pubkey", label: str) -> None:
             return None
         nonce_value = nonce_info["nonce"]
 
-    nonce_hash = Hash.from_string(nonce_value)
+    try:
+        nonce_hash = Hash.from_string(nonce_value)
+    except Exception as exc:
+        log_err(f"Invalid nonce value: {exc}")
+        return None
     advance_ix = advance_nonce_account(AdvanceNonceAccountParams(
         nonce_pubkey=nonce_pubkey,
         authorized_pubkey=payer_pubkey,
@@ -549,16 +697,15 @@ def create_nonce_account(
         return None
 
     try:
-        with open(payer_keypair_path) as f:
-            payer = Keypair.from_bytes(bytes(json.load(f)))
+        payer = _load_private_keypair(payer_keypair_path)
     except Exception as exc:
         log_err(f"Failed to load payer keypair: {exc}")
         return None
 
+    generated_nonce_path = None
     if nonce_keypair_path:
         try:
-            with open(nonce_keypair_path) as f:
-                nonce_kp = Keypair.from_bytes(bytes(json.load(f)))
+            nonce_kp = _load_private_keypair(nonce_keypair_path)
             log_info(f"Using existing nonce keypair: {nonce_kp.pubkey()}")
         except Exception as exc:
             log_err(f"Failed to load nonce keypair: {exc}")
@@ -566,72 +713,98 @@ def create_nonce_account(
     else:
         nonce_kp  = Keypair()
         save_path = f"nonce_{str(nonce_kp.pubkey())[:8]}.json"
-        with open(save_path, "w") as f:
-            json.dump(list(bytes(nonce_kp)), f)
+        try:
+            _save_private_keypair(save_path, nonce_kp)
+        except OSError as exc:
+            log_err(f"Failed to save nonce keypair: {exc}")
+            return None
+        generated_nonce_path = save_path
         log_ok(f"Generated nonce keypair → {save_path}")
 
-    payer_pubkey     = payer.pubkey()
-    nonce_pubkey     = nonce_kp.pubkey()
-    authority_pubkey = Pubkey.from_string(authority_address) if authority_address else payer_pubkey
-
-    log_info(f"Payer:         {payer_pubkey}")
-    log_info(f"Nonce account: {nonce_pubkey}")
-    log_info(f"Authority:     {authority_pubkey}")
-
-    from rpc import rpc_call, get_recent_blockhash, _extract_result
-
-    log_info("Fetching minimum balance for rent exemption...")
-    resp = rpc_call("getMinimumBalanceForRentExemption", [NONCE_ACCOUNT_LENGTH])
-    if resp is None:
-        log_err("No response from beacon"); return None
-    if "error" in resp:
-        log_err(f"RPC error: {resp['error']}"); return None
-    rent_lamports = _extract_result(resp)
-    if not isinstance(rent_lamports, int):
-        log_err(f"Unexpected getMinimumBalanceForRentExemption response: {rent_lamports}")
-        return None
-    log_info(f"Rent-exempt minimum: {rent_lamports:,} lamports ({rent_lamports / 1e9:.9f} SOL)")
+    submitted = False
+    try:
+        payer_pubkey     = payer.pubkey()
+        nonce_pubkey     = nonce_kp.pubkey()
+        try:
+            authority_pubkey = Pubkey.from_string(authority_address) if authority_address else payer_pubkey
+        except ValueError as exc:
+            log_err(f"Invalid authority address: {exc}")
+            return None
 
-    blockhash = get_recent_blockhash()
-    if blockhash is None:
-        log_err("Could not fetch blockhash")
-        return None
+        log_info(f"Payer:         {payer_pubkey}")
+        log_info(f"Nonce account: {nonce_pubkey}")
+        log_info(f"Authority:     {authority_pubkey}")
+
+        from rpc import rpc_call, get_recent_blockhash, _extract_result
+
+        log_info("Fetching minimum balance for rent exemption...")
+        resp = rpc_call("getMinimumBalanceForRentExemption", [NONCE_ACCOUNT_LENGTH])
+        if resp is None:
+            log_err("No response from beacon"); return None
+        if "error" in resp:
+            log_err(f"RPC error: {resp['error']}"); return None
+        rent_lamports = _extract_result(resp)
+        if not _validate_u64(rent_lamports, "Rent lamports"):
+            log_err(f"Unexpected getMinimumBalanceForRentExemption response: {rent_lamports}")
+            return None
+        log_info(f"Rent-exempt minimum: {rent_lamports:,} lamports ({rent_lamports / 1e9:.9f} SOL)")
 
-    create_ix = create_account(CreateAccountParams(
-        from_pubkey=payer_pubkey,
-        to_pubkey=nonce_pubkey,
-        lamports=rent_lamports,
-        space=NONCE_ACCOUNT_LENGTH,
-        owner=Pubkey.from_string("11111111111111111111111111111111"),
-    ))
-    init_ix = initialize_nonce_account(InitializeNonceAccountParams(
-        nonce_pubkey=nonce_pubkey,
-        authority=authority_pubkey,
-    ))
+        blockhash = get_recent_blockhash()
+        if blockhash is None:
+            log_err("Could not fetch blockhash")
+            return None
 
-    bh  = Hash.from_string(blockhash)
-    msg = Message.new_with_blockhash([create_ix, init_ix], payer_pubkey, bh)
-    tx  = Transaction.new_unsigned(msg)
-    tx.sign([payer, nonce_kp], bh)
+        create_ix = create_account(CreateAccountParams(
+            from_pubkey=payer_pubkey,
+            to_pubkey=nonce_pubkey,
+            lamports=rent_lamports,
+            space=NONCE_ACCOUNT_LENGTH,
+            owner=Pubkey.from_string("11111111111111111111111111111111"),
+        ))
+        init_ix = initialize_nonce_account(InitializeNonceAccountParams(
+            nonce_pubkey=nonce_pubkey,
+            authority=authority_pubkey,
+        ))
 
-    tx_b64 = base64.b64encode(bytes(tx)).decode("utf-8")
-    resp   = rpc_call("sendTransaction", [tx_b64, {"encoding": "base64"}])
-    if resp is None:
-        log_err("No response from beacon for sendTransaction")
-        return None
-    if "error" in resp:
-        log_err(f"Transaction rejected: {resp['error'].get('message', resp['error'])}")
-        return None
+        try:
+            bh = Hash.from_string(blockhash)
+        except Exception as exc:
+            log_err(f"Invalid blockhash: {exc}")
+            return None
+        msg = Message.new_with_blockhash([create_ix, init_ix], payer_pubkey, bh)
+        tx  = Transaction.new_unsigned(msg)
+        tx.sign([payer, nonce_kp], bh)
+
+        tx_b64 = base64.b64encode(bytes(tx)).decode("utf-8")
+        submitted = True
+        resp = rpc_call("sendTransaction", [tx_b64, {"encoding": "base64"}])
+        if resp is None:
+            log_err("No response from beacon for sendTransaction")
+            return None
+        if "error" in resp:
+            log_err(f"Transaction rejected: {rpc_error_message(resp['error'])}")
+            return None
 
-    sig = resp.get("result", "?")
-    print(f"\n  {GREEN}{BOLD}Nonce account created!{RESET}")
-    print(f"  Nonce account pubkey: {BOLD}{nonce_pubkey}{RESET}")
-    print(f"  Authority:            {authority_pubkey}")
-    print(f"  Funded:               {rent_lamports:,} lamports")
-    print(f"  Signature:            {sig}")
-    print(f"\n  {DIM}Fetch the nonce value:      get-nonce {nonce_pubkey}{RESET}")
-    print(f"  {DIM}Sign with nonce:  sign-nonce-tx <payer> {nonce_pubkey} <auth> <to> <lamports>{RESET}\n")
-    return str(nonce_pubkey)
+        sig = resp.get("result")
+        if not isinstance(sig, str) or not sig:
+            log_err(f"Unexpected sendTransaction response: {resp}")
+            return None
+        print(f"\n  {GREEN}{BOLD}Nonce account created!{RESET}")
+        print(f"  Nonce account pubkey: {BOLD}{nonce_pubkey}{RESET}")
+        print(f"  Authority:            {authority_pubkey}")
+        print(f"  Funded:               {rent_lamports:,} lamports")
+        print(f"  Signature:            {terminal_safe_text(sig)}")
+        print(f"\n  {DIM}Fetch the nonce value:      get-nonce {nonce_pubkey}{RESET}")
+        print(f"  {DIM}Sign with nonce:  sign-nonce-tx <payer> {nonce_pubkey} <auth> <to> <lamports>{RESET}\n")
+        return str(nonce_pubkey)
+    finally:
+        if generated_nonce_path is not None and not submitted:
+            try:
+                os.unlink(generated_nonce_path)
+            except FileNotFoundError:
+                pass
+            except OSError as exc:
+                log_warn(f"Could not remove unused generated nonce keypair: {exc}")
 
 
 def offline_sign_nonce_transfer(
@@ -653,25 +826,29 @@ def offline_sign_nonce_transfer(
     if not HAS_SOLDERS:
         log_err("Offline signing requires: pip install solders")
         return None
+    if not _validate_u64(lamports, "Lamports"):
+        return None
 
     try:
-        with open(payer_keypair_path) as f:
-            payer = Keypair.from_bytes(bytes(json.load(f)))
+        payer = _load_private_keypair(payer_keypair_path)
     except Exception as exc:
         log_err(f"Failed to load payer keypair: {exc}")
         return None
 
     try:
-        with open(authority_keypair_path) as f:
-            authority_kp = Keypair.from_bytes(bytes(json.load(f)))
+        authority_kp = _load_private_keypair(authority_keypair_path)
     except Exception as exc:
         log_err(f"Failed to load authority keypair: {exc}")
         return None
 
     payer_pubkey     = payer.pubkey()
     authority_pubkey = authority_kp.pubkey()
-    nonce_pubkey     = Pubkey.from_string(nonce_account_str)
-    to_pubkey        = Pubkey.from_string(to_address)
+    try:
+        nonce_pubkey = Pubkey.from_string(nonce_account_str)
+        to_pubkey = Pubkey.from_string(to_address)
+    except ValueError as exc:
+        log_err(f"Invalid address: {exc}")
+        return None
 
     if nonce_value is None:
         log_info("Fetching current nonce value from chain...")
@@ -698,7 +875,11 @@ def offline_sign_nonce_transfer(
         lamports=lamports,
     ))
 
-    nonce_hash = Hash.from_string(nonce_value)
+    try:
+        nonce_hash = Hash.from_string(nonce_value)
+    except Exception as exc:
+        log_err(f"Invalid nonce value: {exc}")
+        return None
     msg = Message.new_with_blockhash([advance_ix, transfer_ix], payer_pubkey, nonce_hash)
     tx  = Transaction.new_unsigned(msg)