diff --git a/.gitignore b/.gitignore
index 2768254..1b0372b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,6 @@
 .env
 .claude/
 CLAUDE.md
+.lambda-rlm-cache/
+src/.*.md
+src/.*.log
diff --git a/Cargo.lock b/Cargo.lock
index 6e04180..e420118 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -35,6 +35,7 @@ dependencies = [
  "ctr",
  "ghash",
  "subtle",
+ "zeroize",
 ]
 
 [[package]]
@@ -46,15 +47,6 @@ dependencies = [
  "memchr",
 ]
 
-[[package]]
-name = "android_system_properties"
-version = "0.1.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "819e7219dbd41043ac279b19830f2efc897156490d7fd6ea916720117ee66311"
-dependencies = [
- "libc",
-]
-
 [[package]]
 name = "anstream"
 version = "0.6.21"
@@ -128,13 +120,11 @@ dependencies = [
  "anyhow",
  "axum",
  "axum-server",
- "base64",
+ "base64ct",
  "bytes",
- "chrono",
  "clap",
- "dirs",
  "ed25519-dalek",
- "hex",
+ "fs2",
  "hkdf",
  "rand 0.8.5",
  "reqwest",
@@ -143,6 +133,8 @@ dependencies = [
  "serde_json",
  "sha2",
  "thiserror",
+ "tikv-jemalloc-ctl",
+ "tikv-jemallocator",
  "tokio",
  "tower-http",
  "tracing",
@@ -321,20 +313,6 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
 
-[[package]]
-name = "chrono"
-version = "0.4.44"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c673075a2e0e5f4a1dde27ce9dee1ea4558c7ffe648f576438a20ca1d2acc4b0"
-dependencies = [
- "iana-time-zone",
- "js-sys",
- "num-traits",
- "serde",
- "wasm-bindgen",
- "windows-link",
-]
-
 [[package]]
 name = "cipher"
 version = "0.4.4"
@@ -406,12 +384,6 @@ version = "0.9.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
 
-[[package]]
-name = "core-foundation-sys"
-version = "0.8.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
-
 [[package]]
 name = "cpufeatures"
 version = "0.2.17"
@@ -489,27 +461,6 @@ dependencies = [
  "subtle",
 ]
 
-[[package]]
-name = "dirs"
-version = "6.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c3e8aa94d75141228480295a7d0e7feb620b1a5ad9f12bc40be62411e38cce4e"
-dependencies = [
- "dirs-sys",
-]
-
-[[package]]
-name = "dirs-sys"
-version = "0.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e01a3366d27ee9890022452ee61b2b63a67e6f13f58900b651ff5665f0bb1fab"
-dependencies = [
- "libc",
- "option-ext",
- "redox_users",
- "windows-sys 0.61.2",
-]
-
 [[package]]
 name = "displaydoc"
 version = "0.2.5"
@@ -629,6 +580,16 @@ dependencies = [
  "tokio",
 ]
 
+[[package]]
+name = "fs2"
+version = "0.4.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9564fc758e15025b46aa6643b1b77d047d1a56a1aea6e01002ac0c7026876213"
+dependencies = [
+ "libc",
+ "winapi",
+]
+
 [[package]]
 name = "fs_extra"
 version = "1.3.0"
@@ -770,12 +731,6 @@ version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
 
-[[package]]
-name = "hex"
-version = "0.4.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
-
 [[package]]
 name = "hkdf"
 version = "0.12.4"
@@ -902,30 +857,6 @@ dependencies = [
  "tracing",
 ]
 
-[[package]]
-name = "iana-time-zone"
-version = "0.1.65"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e31bc9ad994ba00e440a8aa5c9ef0ec67d5cb5e5cb0cc7f8b744a35b389cc470"
-dependencies = [
- "android_system_properties",
- "core-foundation-sys",
- "iana-time-zone-haiku",
- "js-sys",
- "log",
- "wasm-bindgen",
- "windows-core",
-]
-
-[[package]]
-name = "iana-time-zone-haiku"
-version = "0.1.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f31827a206f56af32e590ba56d5d2d085f558508192593743f16b2306495269f"
-dependencies = [
- "cc",
-]
-
 [[package]]
 name = "icu_collections"
 version = "2.1.1"
@@ -1107,15 +1038,6 @@ version = "0.2.182"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112"
 
-[[package]]
-name = "libredox"
-version = "0.1.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1744e39d1d6a9948f4f388969627434e31128196de472883b39f148769bfe30a"
-dependencies = [
- "libc",
-]
-
 [[package]]
 name = "libsqlite3-sys"
 version = "0.32.0"
@@ -1192,15 +1114,6 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
-[[package]]
-name = "num-traits"
-version = "0.2.19"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
-dependencies = [
- "autocfg",
-]
-
 [[package]]
 name = "once_cell"
 version = "1.21.3"
@@ -1220,10 +1133,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
 
 [[package]]
-name = "option-ext"
-version = "0.2.0"
+name = "paste"
+version = "1.0.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "04744f49eae99ab78e0d5c0b603ab218f515ea8cfe5a456d7629ad883a3b6e7d"
+checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
 
 [[package]]
 name = "percent-encoding"
@@ -1427,17 +1340,6 @@ dependencies = [
  "getrandom 0.3.4",
 ]
 
-[[package]]
-name = "redox_users"
-version = "0.5.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a4e608c6638b9c18977b00b475ac1f28d14e84b27d8d42f70e0bf1e3dec127ac"
-dependencies = [
- "getrandom 0.2.17",
- "libredox",
- "thiserror",
-]
-
 [[package]]
 name = "regex-automata"
 version = "0.4.14"
@@ -1812,6 +1714,37 @@ dependencies = [
  "cfg-if",
 ]
 
+[[package]]
+name = "tikv-jemalloc-ctl"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "661f1f6a57b3a36dc9174a2c10f19513b4866816e13425d3e418b11cc37bc24c"
+dependencies = [
+ "libc",
+ "paste",
+ "tikv-jemalloc-sys",
+]
+
+[[package]]
+name = "tikv-jemalloc-sys"
+version = "0.6.1+5.3.0-1-ge13ca993e8ccb9ba9847cc330696e02839f328f7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cd8aa5b2ab86a2cefa406d889139c162cbb230092f7d1d7cbc1716405d852a3b"
+dependencies = [
+ "cc",
+ "libc",
+]
+
+[[package]]
+name = "tikv-jemallocator"
+version = "0.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0359b4327f954e0567e69fb191cf1436617748813819c94b8cd4a431422d053a"
+dependencies = [
+ "libc",
+ "tikv-jemalloc-sys",
+]
+
 [[package]]
 name = "tinystr"
 version = "0.8.2"
@@ -2184,39 +2117,26 @@ dependencies = [
 ]
 
 [[package]]
-name = "windows-core"
-version = "0.62.2"
+name = "winapi"
+version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8e83a14d34d0623b51dce9581199302a221863196a1dde71a7663a4c2be9deb"
+checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
 dependencies = [
- "windows-implement",
- "windows-interface",
- "windows-link",
- "windows-result",
- "windows-strings",
+ "winapi-i686-pc-windows-gnu",
+ "winapi-x86_64-pc-windows-gnu",
 ]
 
 [[package]]
-name = "windows-implement"
-version = "0.60.2"
+name = "winapi-i686-pc-windows-gnu"
+version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "053e2e040ab57b9dc951b72c264860db7eb3b0200ba345b4e4c3b14f67855ddf"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
+checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
 
 [[package]]
-name = "windows-interface"
-version = "0.59.3"
+name = "winapi-x86_64-pc-windows-gnu"
+version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3f316c4a2570ba26bbec722032c4099d8c8bc095efccdc15688708623367e358"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
+checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
 
 [[package]]
 name = "windows-link"
@@ -2224,24 +2144,6 @@ version = "0.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
 
-[[package]]
-name = "windows-result"
-version = "0.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7781fa89eaf60850ac3d2da7af8e5242a5ea78d1a11c49bf2910bb5a73853eb5"
-dependencies = [
- "windows-link",
-]
-
-[[package]]
-name = "windows-strings"
-version = "0.5.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7837d08f69c77cf6b07689544538e017c1bfcf57e34b4c0ff58e6c2cd3b37091"
-dependencies = [
- "windows-link",
-]
-
 [[package]]
 name = "windows-sys"
 version = "0.52.0"
diff --git a/Cargo.toml b/Cargo.toml
index a2b1c38..f9a01af 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -10,6 +10,10 @@ repository = "https://github.com/ploton/atomic"
 name = "atomic"
 path = "src/main.rs"
 
+[features]
+default = ["jemalloc"]
+jemalloc = ["dep:tikv-jemallocator", "dep:tikv-jemalloc-ctl"]
+
 [dependencies]
 # CLI
 clap = { version = "4", features = ["derive"] }
@@ -30,7 +34,7 @@ serde_json = "1"
 ed25519-dalek = { version = "2", features = ["rand_core"] }
 
 # Crypto - AES-256-GCM
-aes-gcm = "0.10"
+aes-gcm = { version = "0.10", features = ["zeroize"] }
 
 # Key derivation
 hkdf = "0.12"
@@ -38,15 +42,11 @@ sha2 = "0.10"
 
 # Random + encoding
 rand = "0.8"
-base64 = "0.22"
-hex = "0.4"
+base64ct = { version = "1", features = ["alloc"] }
 
 # HTTP client (for verify command)
 reqwest = { version = "0.12", features = ["json", "rustls-tls"], default-features = false }
 
-# Time
-chrono = { version = "0.4", features = ["serde"] }
-
 # Logging
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
@@ -60,8 +60,10 @@ rusqlite = { version = "0.34", features = ["bundled"] }
 
 # Misc
 bytes = "1"
-dirs = "6"
 zeroize = { version = "1.8.2", features = ["derive"] }
+fs2 = "0.4"
+tikv-jemallocator = { version = "0.6", optional = true }
+tikv-jemalloc-ctl = { version = "0.6", optional = true }
 
 [profile.release]
 opt-level = 3
diff --git a/README.md b/README.md
index eb451d3..1166556 100644
--- a/README.md
+++ b/README.md
@@ -78,20 +78,6 @@ $ atomic deposits
 $ atomic deposits --label stripe_key
 ```
 
-## Magic links
-
-Domain verification, like DNS TXT records but over HTTP. A service gives the agent a code, the agent hosts it, the service checks.
-
-```bash
-$ atomic magic-link host VERIFY_ABC123 --expires 5m
-https://fin.acme.com/m/VERIFY_ABC123
-
-$ curl https://fin.acme.com/m/VERIFY_ABC123
-{"status":"verified","code":"VERIFY_ABC123"}
-```
-
-One-time use, gone after the first GET, expires in minutes.
-
 ## Request signing
 
 ```bash
@@ -118,7 +104,7 @@ Agents don't need that. An agent with a keypair can prove itself on every reques
 |                  | Human (JWT)                          | Agent (Atomic)                              |
 |------------------|--------------------------------------|---------------------------------------------|
 | **Identity**     | email + password                     | domain (`fin.acme.com`)                     |
-| **Signup**       | create account, get credentials      | sign request + magic link for domain proof  |
+| **Signup**       | create account, get credentials      | sign request, service verifies agent.json   |
 | **Proof**        | service issues a JWT                 | agent signs every request with private key  |
 | **Each request** | send JWT, service checks it          | send signature, service checks agent.json   |
 | **Expiry**       | token expires, agent re-auths        | no token -- signatures are stateless        |
@@ -128,7 +114,7 @@ Agents don't need that. An agent with a keypair can prove itself on every reques
 
 The practical difference: the agent has nothing to manage. No token storage, no refresh logic. The private key stays on the box and never gets sent over the wire.
 
-A service that wants extra assurance can layer a magic link challenge on top of the signature check at signup -- verify the sig, then confirm domain control, then create an internal account for `fin.acme.com`. After that, subsequent requests are just signature checks against a cached public key.
+A service that wants extra assurance can verify domain control via DNS TXT records on top of the signature check at signup. After that, subsequent requests are just signature checks against a cached public key.
 
 Performance-wise, JWT verification is a single HMAC check while Ed25519 verify costs more. But "more" here means microseconds, and the public key only changes on rotation so it caches well. It's not where your latency lives.
 
@@ -146,9 +132,6 @@ atomic verify <domain>                             Check another agent
 atomic deposit-url --label <name> --expires <t>    Create deposit URL
 atomic deposits [--label <name>]                   Deposit audit log
 
-atomic magic-link host <code> --expires <t>        Host a verification code
-atomic magic-link list                             Show active codes
-
 atomic vault set <label> <value>                   Store a secret
 atomic vault get <label>                           Read a secret
 atomic vault list                                  List labels
@@ -179,7 +162,7 @@ HSTS is set when TLS is active.
 
 Private key stored at 600 permissions, never leaves the box. Vault uses AES-256-GCM with a key derived from the private key via HKDF -- separate from the signing key.
 
-Deposit tokens are Ed25519-signed with a nonce and a 24h max TTL. Every failure returns 404 regardless of the reason, so you can't probe for valid tokens. Body size is capped at 1MB.
+Deposit tokens are Ed25519-signed with a nonce and a 24h max TTL. Every failure returns 404 regardless of the reason, so you can't probe for valid tokens. Body size is capped at 64KB.
 
 All responses get `nosniff`, `no-store`, and `no-referrer` headers. HSTS (2-year max-age) when TLS is on. SQL is parameterized everywhere (SQLite in WAL mode).
 
@@ -189,7 +172,7 @@ All responses get `nosniff`, `no-store`, and `no-referrer` headers. HSTS (2-year
 ~/.atomic/
   credentials       domain + keypair (600 perms)
   agent.json        public identity document
-  atomic.db         SQLite (vault, deposits, magic links)
+  atomic.db         SQLite (vault, deposits)
   atomic.pid        server PID
   atomic.log        server logs
   tls/              certificates
@@ -201,18 +184,210 @@ All responses get `nosniff`, `no-store`, and `no-referrer` headers. HSTS (2-year
 git clone https://github.com/ploton/atomic.git
 cd atomic
 cargo build --release    # ~4MB binary
-cargo test               # 65 tests
+cargo test               # 61 tests
 ```
 
 Cross-compiles to `x86_64-linux-musl`, `aarch64-linux-musl`, `x86_64-apple-darwin`, `aarch64-apple-darwin`.
 
+## Changelog
+
+**4ff9c9b** — Remove hex+dirs crates, incremental vacuum
+- `Cargo.toml`: remove `hex` and `dirs` dependencies (−2 crates, −55 lines from Cargo.lock). Fewer transitive deps, faster compile, smaller binary.
+- `deposit.rs`: nonce generation uses `Base64UrlUnpadded::encode_string` (already imported) instead of `hex::encode`. More compact nonces (22 chars vs 32).
+- `config.rs`: temp file suffix uses `u64::from_ne_bytes` + `{:016x}` format instead of `hex::encode`. Zero-dep hex formatting.
+- `config.rs`: `atomic_dir()` uses `std::env::var("HOME")` instead of `dirs::home_dir()`. The `dirs` crate was a wrapper over `$HOME` on Unix — the only platform supported per `#[cfg(unix)]` gates.
+- `server.rs`: hourly maintenance task now runs `PRAGMA incremental_vacuum` after TTL deletes. `auto_vacuum=INCREMENTAL` was set in iter 28 but never triggered — pages freed by nonce/log cleanup were not being reclaimed.
+- Net: −61 lines / +9 lines (−52 net), −2 dependencies, 61 tests passing.
+
+**182f8ad** — Zero-alloc deposit verify, WITHOUT ROWID, auto_vacuum, remove stub commands
+- `deposit.rs`: eliminate `try_verify_signature` indirection — `verify_signature` now returns `Option` directly with zero heap allocation on failure. Removes all `anyhow` from the deposit verification hot path (no `Box<dyn Error>` per invalid request), hardening against DoS via invalid-token heap pressure. Stack buffer increased from 768→1024 bytes.
+- `db.rs`: add `PRAGMA auto_vacuum = INCREMENTAL` — reclaims space from TTL-deleted deposit nonces without full-vacuum stalls. Set before table creation so new databases get incremental auto-vacuum from the start.
+- `db.rs`: add `WITHOUT ROWID` to `used_deposits` table — eliminates the separate rowid B-tree, saving one B-tree per row since the nonce PK *is* the clustering key. Only applies to new databases (`CREATE TABLE IF NOT EXISTS` is a no-op on existing).
+- `db.rs`: remove legacy `DROP TABLE IF EXISTS magic_links` migration — table was dropped iterations ago; running the DDL every startup is unnecessary I/O.
+- `server.rs`: cleanup task now deletes expired deposits by PK (`nonce IN (SELECT nonce ...)`) instead of `rowid`, compatible with both `WITHOUT ROWID` and regular tables.
+- `cli.rs`: remove `KeyCommand` and `ServiceCommand` enums and their `Key`/`Service` command variants — dead stub code that only printed "not yet implemented". Reduces binary size and attack surface; will be re-added when PLO-58/PLO-59 are implemented.
+- `main.rs`: remove corresponding match arms and unused imports.
+- Net: −75 lines / +21 lines (−54 net), 61 tests passing.
+
+**3d768ca** — Kill magic_link module, CryptoError replaces anyhow in crypto paths, VecDeque pool, drop background tasks
+- `magic_link.rs`: deleted entirely (~175 lines). Magic link domain verification removed — DNS TXT records are sufficient for domain-as-identity. Drops `subtle` dependency, removes DB table, server route, CLI command, hourly cleanup logic.
+- `crypto/mod.rs`: new `CryptoError` enum (zero-allocation, opaque error messages) replaces `anyhow::Result` in all crypto functions. Prevents information leakage via error strings; eliminates heap allocation in crypto paths.
+- `crypto/signing.rs`: `decode_public_key`, `decode_private_key`, `decode_signature` return `Result<T, CryptoError>` instead of `anyhow::Result`.
+- `crypto/vault.rs`: `derive_vault_key`, `encrypt`, `decrypt` return `Result<T, CryptoError>`. Merged size validation into single guard (`< NONCE_SIZE || > MAX_CIPHERTEXT_SIZE`).
+- `db.rs`: `Mutex<Vec<Connection>>` → `Mutex<VecDeque<Connection>>` for O(1) push/pop. Removed 30-minute connection recycling (`CONN_MAX_LIFETIME`, `created_at` tracking, `db_path` field) — SQLite handles connection health via `busy_timeout`.
+- `db.rs`: migration now drops legacy `magic_links` table if present.
+- `server.rs`: removed manual zeroize loop (redundant with `Zeroizing<[u8; 32]>`). Removed SIGHUP TLS cert reload handler (restart on cert change is sufficient). Removed 5-minute WAL checkpoint task (wal_autocheckpoint=1000 handles this). Removed `RateLimiter` struct and all rate limiting (dead code after magic_link removal). Circuit breaker now returns uniform 404 instead of 503+retry-after (prevents internal state leakage).
+- `deposit.rs`: payload base64 decoding uses stack-allocated `[u8; 768]` buffer instead of heap `Vec` (zero heap allocation per deposit request).
+- `config.rs`: removed dead `tls_dir()` function (only used by deleted SIGHUP handler).
+- `cli.rs`: removed `MagicLink` command and `MagicLinkCommand` enum.
+- `Cargo.toml`: removed `subtle` dependency.
+- Net: −516 lines / +69 lines (−447 net), −1 dependency, 61 tests passing.
+
+**88852d8** — OnceLock AppState (kill Box::leak), flock-based stop (kill ps/kill -0 TOCTOU), DbPool shutdown flag, fail-open rate limiter, drop base64 for base64ct (constant-time), remove unsafe panic hook
+- `server.rs`: replace `Box::leak(Box::new(AppState))` with `OnceLock<AppState>` — eliminates intentional memory leak while preserving `&'static` access. State owned by static, not orphaned on heap.
+- `server.rs`: rate limiter uses `try_lock()` instead of `lock()` — fails open on contention (allows request) instead of blocking, eliminating tail latency spikes under load.
+- `main.rs`: rewrite `atomic stop` to use `flock` for process liveness detection — replaces racy `ps`/`kill -0` TOCTOU checks with kernel-enforced exclusive lock test. Eliminates PID reuse attack window.
+- `main.rs`: remove panic hook that performed file I/O (PID cleanup, temp file deletion) — file I/O in panic handlers is async-signal-unsafe (deadlock risk). Kernel releases flock automatically on process exit.
+- `db.rs`: add `AtomicBool` shutdown flag to `DbPool` — `shutdown()` wakes all `Condvar` waiters and rejects new acquisitions, preventing indefinite hangs during SIGTERM.
+- `Cargo.toml`: swap `base64` for `base64ct` — constant-time base64 encoding/decoding prevents timing side-channels during deposit token verification. Removes direct `base64` dependency.
+- Net: −89 lines added/+95 removed (net +6 for shutdown safety), −1 direct dependency (base64 → base64ct), 68 tests passing.
+
+**e61756c** — Box::leak AppState (kill Arc refcount), drop chrono (epoch_secs + Hinnant RFC3339), Box<str> vault secrets, static magic-link JSON response
+- `server.rs`: replace `Arc<AppState>` with `Box::leak` for `&'static AppState` — eliminates atomic refcount increment/decrement on every request handler clone. AppState is process-lifetime singleton, leaking is zero-cost.
+- `server.rs`: remove `MagicLinkResponse` struct — magic link JSON response is now a static string literal (`r#"{"status":"verified"}"#`), removing serde serialization from the hot path.
+- Drop `chrono` crate entirely — replace all `chrono::Utc::now().timestamp()` with `config::epoch_secs()` (single syscall, no allocation). RFC 3339 formatting uses Hinnant civil_from_days algorithm in `config::format_rfc3339()` (cold path only, ~20 lines).
+- `vault.rs`: `vault_get` returns `Zeroizing<Box<str>>` instead of `Zeroizing<String>` — 2 words (ptr, len) vs 3 (ptr, len, cap), no slack capacity means zeroize wipes exactly the used bytes.
+- Net: −91 lines, −1 dependency (chrono), 68 tests passing.
+
+**ae91eaf** — Remove notify crate, kill spawn_supervised, single-atomic circuit breaker, drop global magic link rate limit, branchless input validation, 256MB mmap
+- Remove `notify` crate: cert renewal watcher replaced with 6-hour polling + SIGHUP for immediate reload (zero extra threads for a cert that changes every 60 days)
+- Remove `spawn_supervised` restart machinery: background tasks use plain `tokio::spawn` — single-tenant agents should surface panics, not mask them with infinite retries
+- Simplify DB circuit breaker: single `AtomicU64` (last failure timestamp) replaces fail counter + opened_at pair. Circuit open = within 60s of last failure
+- Remove global magic link rate limit (`magic_link_window`, `magic_link_count` atomics): per-IP is sufficient for single-tenant, eliminates cross-core cache line bouncing
+- Remove background rate limiter eviction task: lazy eviction on DashMap overflow is sufficient
+- Input validation tightened: `is_ascii_graphic() || b == b' '` rejects non-ASCII bytes (0x80+) that previously slipped through
+- SQLite `mmap_size` increased from 64MB to 256MB for zero-copy reads on single-tenant data
+- Net result: −358 lines, 1 fewer crate, 2 fewer spawned tasks, 3 fewer atomics in AppState
+
+**e3eb87e** — Hard conn lifetime, WAL checkpoint timeout, vault label validation, jemalloc default
+- `PooledConn::drop` force-closes connections held >60s instead of returning to pool (prevents leaks from panicked threads or stuck queries)
+- Final WAL checkpoint wrapped in 5s `tokio::time::timeout` to prevent indefinite hang on shutdown if DB is stuck
+- `vault::cmd_set` validates labels with printable ASCII check (defense-in-depth, matching server-side `is_valid_input`)
+- jemalloc is now the default feature (`cargo build` enables it; `--no-default-features` to opt out)
+
+**1ba345e** — DashMap rate limiter, flock PID locking, jemalloc opt-in, connection leak detection
+- Replace `Mutex<HashMap>` rate limiter with `DashMap` (sharded locks, no global contention under high concurrency)
+- PID file locking via `flock` prevents double-start races; lock auto-released on crash by kernel
+- Optional jemalloc allocator (`--features jemalloc`) for long-lived Linux deployments to prevent RSS bloat
+- `PooledConn` tracks hold time, warns on connections held >30s (leak detection)
+- Panic hook cleans up PID file on fatal panic
+- `PRAGMA optimize` added to hourly cleanup for SQLite query planner stats
+- Rate limiter eviction moved from hot path to background cleanup (`DashMap::len()` check replaces per-request `retain`)
+
+**a609534** — Exponential backoff for supervised tasks, deposit_log retention
+- `spawn_supervised` uses exponential backoff (5s → 10s → ... → 320s cap) instead of fixed 5s delay to prevent spin loops on persistent failures (e.g. disk full)
+- Cleanup task purges `deposit_log` entries older than 90 days to prevent unbounded disk growth on long-lived servers
+
+**fdee3d2** — Harden server: 404-everything, SIGTERM/SIGHUP handling, shutdown WAL checkpoint, ciphertext size limit, SQLite mmap
+- All HTTP error paths return 404 (no 500s) to prevent information leakage
+- `shutdown_signal()` handles SIGTERM (from `atomic stop`) and SIGINT
+- `kill -HUP` triggers immediate TLS cert reload on Unix (zero-delay vs 12h poll)
+- Final WAL checkpoint (TRUNCATE) on shutdown for data integrity
+- Graceful shutdown timeout 10s → 30s for slow-disk WAL merge
+- `decrypt()` rejects ciphertext >16MB before allocation (resource exhaustion defense)
+- SQLite: `wal_autocheckpoint=1000` pages, `mmap_size=64MB` for read throughput
+
+**a7d7afb** — Resilience hardening: supervised tasks, health endpoint, input validation, SQLite tuning
+- Background tasks (WAL checkpoint, DB cleanup) auto-restart on panic with 5s backoff
+- `/_/health` endpoint: checks DB + agent.json, returns 200/503 for load balancer integration
+- Input validation rejects non-printable chars and labels > 256 bytes on deposit and magic link paths
+- SQLite page cache bumped to 64MB, temp tables stored in memory
+- X-Forwarded-For warning when header present but `behind_proxy=false` (misconfiguration detection)
+- Mutex poisoning recovery uses `into_inner()` consistently across all lock sites
+
+**fcfffe5** — Production hardening: SQLite resilience, fsync durability, WAL checkpointing, zeroize decrypt output
+- SQLite: `busy_timeout=5s`, `journal_size_limit=64MB`, `synchronous=NORMAL` (WAL-safe)
+- Atomic writes: fsync data + parent directory on Unix for crash safety
+- Background WAL checkpoint (TRUNCATE) every 5 min to cap disk growth
+- X-Forwarded-For IP validation to reject spoofed non-IP values
+- `decrypt()` returns `Zeroizing<Vec<u8>>` — plaintext wiped from memory on drop
+
+**a3f4688** — Rate limiter GC, supervisor circuit breaker, WAL checkpoint strategy, PID race fix
+- Rate limiter evicts stale entries on every access (bounded memory under DDoS/IPv6 scanning)
+- Supervisor circuit breaker: process aborts after 5 restarts in 5 minutes (prevents resource exhaustion on unrecoverable errors)
+- WAL checkpointing split: PASSIVE every 5m (non-blocking), TRUNCATE hourly (reclaims disk)
+- `atomic stop`: kill -0 probe before SIGTERM to minimize PID reuse race window
+
+**1b65780** — Connection pool, handler timeouts, credential zeroize, startup guards
+- Replace `Mutex<Connection>` with zero-dep channel-based `DbPool` (4 conns), unlocking WAL concurrent readers
+- Wrap handler DB ops in `tokio::time::timeout(5s)` to prevent unbounded task accumulation
+- Lower SQLite `busy_timeout` to 4s (below tokio 5s) for clean BUSY errors before task cancellation
+- Zeroize credential JSON buffer in `save()` via `Zeroizing<Vec<u8>>` — private key material no longer lingers in freed heap
+- Startup guard: warn if `RLIMIT_NOFILE < 4096` (prevents cryptic fd exhaustion under TLS load)
+- Startup guard: warn if log file exceeds 100MB (prevents disk-full failures on vault atomic writes)
+
+**7b45baf** — Replace exit(1) circuit breaker with max backoff, monotonic rate limiter, bounded pool
+- Circuit breaker no longer calls `process::exit(1)` — enters 320s max backoff instead, so destructors run (Zeroizing wipes vault keys, final WAL checkpoint completes)
+- Rate limiter uses monotonic `Instant` instead of wall-clock `i64` timestamps, preventing clock-skew manipulation of rate windows
+- Rate limiter eviction split into dedicated 5-minute task (was hourly), bounding DashMap memory under sustained attack
+- Connection pool uses bounded `sync_channel(size)` instead of unbounded `channel()` for explicit capacity enforcement
+
+**64d8ea4** — Zeroize vault plaintext return, cleanup indexes, paginated deletes
+- `vault_get` returns `Zeroizing<String>` so decrypted plaintext is wiped from heap on drop instead of left in freed memory
+- Added indexes on `expires_at`, `used_at`, `deposited_at` columns to eliminate full table scans during hourly cleanup
+- Paginated cleanup DELETEs (1000 rows/batch via rowid subquery) to prevent long WAL write locks under heavy load
+
+**756eadb** — Cooperative conn interrupt, prepared statement cache, request timeout, global magic link rate limit
+- `db.rs`: call `interrupt()` before force-closing stale SQLite connections for clean WAL rollback
+- Hot-path DB queries (`deposit`, `magic_link`, `vault`) switched to `prepare_cached()` to eliminate repeated SQL parse overhead
+- 30s global request timeout middleware as defense-in-depth against slow clients or stuck handlers
+- Pool size configurable via `ATOMIC_POOL_SIZE` env var (1–64, default auto-detect)
+- Rate limiter evicts one expired entry inline when DashMap is full instead of blanket-denying new IPs
+- Global per-second rate limit (20/s) on magic link claims prevents distributed brute-force
+
+**1c4ad26** — Kill auto-TLS/acme.sh, sharded-mutex rate limiter, Condvar pool, drop parse_duration, strip magic link hints, const-table validation, remove libc/dashmap/rustc-hash
+- `tls.rs`: remove Auto-TLS entirely — delete acme.sh shell execution, issue_cert, ensure_acme_sh, spawn_renewal_watcher. TLS now requires BYO cert (`--tls-cert`/`--tls-key`) or `--no-tls`. Eliminates shell injection risk and ~200 lines.
+- `server.rs`: replace DashMap with 8-shard `Mutex<HashMap>` rate limiter — removes `dashmap` + `rustc-hash` deps, zero contention for <10k entries, hourly stale cleanup.
+- `server.rs`: const lookup table (`ASCII_OK[256]`) for input validation — branchless, cache-friendly, auto-vectorizes.
+- `server.rs`: remove `libc::setrlimit` RLIMIT_NOFILE block — fd limits are sysadmin responsibility. Drops `libc` dep and only unsafe-adjacent code.
+- `server.rs`: SeqCst ordering on shutdown drain loop; hourly cleanup evicts stale rate limiter entries.
+- `db.rs`: replace `mpsc::sync_channel` pool with `Mutex<Vec>` + `Condvar` — simpler, faster for pool sizes 2-8. Same RAII guard, poison detection, panic-safe return.
+- `db.rs`: schema migration drops `hint` column from `magic_links` table.
+- `deposit.rs`: delete `parse_duration()` — CLI `--expires` now accepts u64 seconds directly. Removes suffix parsing, overflow checks, and 6 tests.
+- `deposit.rs`: remove debug logging from `verify_signature` — silent failure prevents info leakage.
+- `magic_link.rs`: strip 2-char hint from magic links — no longer store or display code prefix (metadata leak).
+- `init.rs`: require explicit `--tls-cert`/`--tls-key` or `--no-tls` (no more implicit auto-TLS).
+- Net: -479 lines, -3 dependencies (dashmap, rustc-hash, libc), 65 tests passing.
+
+**72f8305** — Constant-time magic link, fs cert watcher, FxHasher rate limiter, Acquire/Release circuit breaker, in-flight drain
+- `magic_link.rs`: SELECT + `subtle::ConstantTimeEq` before DELETE prevents timing side-channels on code existence
+- `main.rs`: jemalloc background thread enabled for aggressive memory purging of zeroed key material
+- `tls.rs`: 12h cert polling replaced with `notify` filesystem watcher (kqueue/inotify) + polling fallback for network FS
+- `server.rs`: DashMap rate limiter uses `FxHasher` (~2-3x faster for IP keys vs SipHash)
+- `server.rs`: circuit breaker atomics upgraded from `Relaxed` to `Acquire/Release` for ARM/weak-ordering correctness
+- `server.rs`: in-flight request counter with 30s drain before WAL checkpoint on shutdown
+- `server.rs`: `MAX_BODY_SIZE` reduced from 1MB to 64KB (sufficient for secrets/API keys/certs)
+- `db.rs`: `catch_unwind` in `PooledConn::Drop` prevents double-panic abort from skipping `Zeroizing` destructors
+
+**4bc32f4** — Pool poison detection, DB circuit breaker, RLIMIT_NOFILE enforcement, proactive WAL truncation
+- `PooledConn::drop` checks `is_autocommit()` and rolls back active transactions before returning to pool (prevents poisoned connections)
+- Per-request DB circuit breaker: opens after 5 consecutive failures, returns 503+Retry-After:30 for 30s cool-down
+- Startup enforces RLIMIT_NOFILE ≥4096 via `libc::setrlimit`, raises soft limit toward 65535 (prevents "too many open files" under load)
+- WAL checkpoint task escalates from PASSIVE to TRUNCATE when WAL exceeds 40MB (prevents unbounded WAL growth)
+- Rate limiter `DashMap::retain()` offloaded to `spawn_blocking` to avoid stalling async executor under 100k+ IP entries
+- `X-Frame-Options: DENY` security header added to all responses
+
+**033e801** — Connection max-lifetime recycling, hard heap limit, zero-copy sig decode, safer shutdown
+- Pooled SQLite connections recycled after 30 min to reset allocator fragmentation (new `created_at` tracking)
+- `PRAGMA hard_heap_limit=128MB` caps process-wide SQLite memory to prevent OOM
+- Prepared statement cache capacity increased to 100 (from default 16)
+- Shutdown WAL checkpoint uses RESTART with PASSIVE fallback instead of TRUNCATE (avoids indefinite blocking)
+- Health endpoint checks disk space (>100MB free via `fs2::available_space`) to prevent disk-full corruption
+- Ed25519 signature base64 decode uses stack-allocated `[u8; 64]` instead of heap `Vec` (zero-alloc hot path)
+- Panic hook cleans orphaned `.tmp.*` files from `write_secure` atomic write pattern
+
+**56ee9d7** — zero-slack vault zeroization, credentials shrink_to_fit, SQLite connection recycling
+- Vault `decrypt()` returns `Zeroizing<Box<[u8]>>` instead of `Zeroizing<Vec<u8>>` — `into_boxed_slice()` guarantees capacity==len, so Zeroizing wipes the entire allocation with no unzeroed slack bytes
+- Credentials `save()` calls `shrink_to_fit()` on serialized JSON buffer before write, eliminating capacity slack so Zeroizing covers all bytes containing key material
+- SQLite connection pool: 1-hour max lifetime (`MAX_CONN_LIFETIME`) prevents gradual RSS growth from accumulated prepared-statement caches, schema caches, and WAL index pages; expired connections transparently replaced on next `get()`
+
+**21f5e2e** — verify_strict, single-alloc encrypt, stack-allocated key/sig decode
+- Ed25519 `verify` → `verify_strict` in deposit verification to prevent signature malleability
+- Vault encrypt uses `encrypt_in_place_detached` — single allocation, exact-sized buffer (eliminates intermediate Vec)
+- `decode_public_key`, `decode_private_key`, `decode_signature` decode into stack buffers instead of heap-allocated `decode_vec`
+- `is_valid_input` uses idiomatic `!s.is_empty()`
+
+**5fc281e** — AES-GCM zeroize, dynamic pool sizing, health check WAL monitor
+- Enable `zeroize` feature on `aes-gcm`: AES key schedule is now wiped from memory on cipher drop
+- DB connection pool sized dynamically via `available_parallelism()` (clamped 2..8) instead of hardcoded 4
+- Health endpoint (`/_/health`) now reports WAL file size, returns degraded if WAL exceeds 50MB
+
 ## Roadmap
 
 - [x] Identity (agent.json + Ed25519)
 - [x] Deposit box (signed URLs, encrypted vault, audit log)
-- [x] Magic links (domain verification)
 - [x] Request signing
-- [x] Auto-TLS
+- [x] TLS (BYO cert)
 - [ ] NS delegation + hosted subdomains
 - [ ] Agent email
 - [ ] Capability declarations
diff --git a/src/agent_json.rs b/src/agent_json.rs
index 0e263b0..2ae30a8 100644
--- a/src/agent_json.rs
+++ b/src/agent_json.rs
@@ -22,7 +22,7 @@ impl AgentJson {
             public_key: public_key.to_string(),
             status: "active".to_string(),
             deposit: format!("{base_url}/d/"),
-            created_at: chrono::Utc::now().to_rfc3339(),
+            created_at: crate::config::format_rfc3339(crate::config::epoch_secs() as i64),
         }
     }
 
diff --git a/src/cli.rs b/src/cli.rs
index d7f086d..74cc653 100644
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -64,9 +64,9 @@ pub enum Command {
         #[arg(long)]
         label: String,
 
-        /// Expiry duration (e.g., 10m, 1h)
-        #[arg(long, default_value = "10m")]
-        expires: String,
+        /// Expiry in seconds (max 86400)
+        #[arg(long, default_value = "600")]
+        expires: u64,
     },
 
     /// Show deposit audit log
@@ -82,12 +82,6 @@ pub enum Command {
         command: VaultCommand,
     },
 
-    /// Host a verification code for domain proof
-    MagicLink {
-        #[command(subcommand)]
-        command: MagicLinkCommand,
-    },
-
     /// Sign an outgoing HTTP request
     Sign {
         /// Print modified command without executing
@@ -98,18 +92,6 @@ pub enum Command {
         #[arg(trailing_var_arg = true, required = true)]
         command: Vec<String>,
     },
-
-    /// Key management
-    Key {
-        #[command(subcommand)]
-        command: KeyCommand,
-    },
-
-    /// Systemd service management
-    Service {
-        #[command(subcommand)]
-        command: ServiceCommand,
-    },
 }
 
 #[derive(Subcommand)]
@@ -134,35 +116,3 @@ pub enum VaultCommand {
         label: String,
     },
 }
-
-#[derive(Subcommand)]
-pub enum MagicLinkCommand {
-    /// Host a code for a service to verify
-    Host {
-        /// The verification code to host
-        code: String,
-        /// How long to host it (e.g., 5m, 10m)
-        #[arg(long, default_value = "5m")]
-        expires: String,
-    },
-    /// List active magic links
-    List,
-}
-
-#[derive(Subcommand)]
-pub enum KeyCommand {
-    /// Rotate the agent's keypair
-    Rotate,
-    /// Emergency revoke the agent's identity
-    Revoke,
-}
-
-#[derive(Subcommand)]
-pub enum ServiceCommand {
-    /// Install as systemd service
-    Install,
-    /// Uninstall systemd service
-    Uninstall,
-    /// Show service status
-    Status,
-}
diff --git a/src/config.rs b/src/config.rs
index 36d0953..233903c 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -12,7 +12,8 @@ pub fn write_secure(path: &Path, data: &[u8]) -> Result<()> {
     // Random suffix prevents collisions between concurrent writers.
     let mut suffix = [0u8; 8];
     rand::rngs::OsRng.fill_bytes(&mut suffix);
-    let tmp_path = path.with_extension(format!("tmp.{}", hex::encode(suffix)));
+    let suffix_hex = u64::from_ne_bytes(suffix);
+    let tmp_path = path.with_extension(format!("tmp.{suffix_hex:016x}"));
     let mut file = std::fs::OpenOptions::new()
         .write(true)
         .create(true)
@@ -22,14 +23,27 @@ pub fn write_secure(path: &Path, data: &[u8]) -> Result<()> {
         .with_context(|| format!("Failed to write {}", tmp_path.display()))?;
     file.write_all(data)
         .with_context(|| format!("Failed to write {}", tmp_path.display()))?;
+    file.sync_all()
+        .with_context(|| format!("Failed to fsync {}", tmp_path.display()))?;
     drop(file);
     std::fs::rename(&tmp_path, path)
         .with_context(|| format!("Failed to rename {} to {}", tmp_path.display(), path.display()))?;
+
+    // fsync parent directory to ensure rename durability (POSIX requirement)
+    #[cfg(unix)]
+    if let Some(parent) = path.parent() {
+        if let Ok(dir) = std::fs::File::open(parent) {
+            let _ = dir.sync_all();
+        }
+    }
+
     Ok(())
 }
 
 pub fn atomic_dir() -> Result<PathBuf> {
-    let home = dirs::home_dir().context("Could not determine home directory")?;
+    let home = std::env::var("HOME")
+        .map(PathBuf::from)
+        .context("Could not determine home directory (HOME not set)")?;
     Ok(home.join(".atomic"))
 }
 
@@ -45,10 +59,6 @@ pub fn deposits_log_path() -> Result<PathBuf> {
     Ok(atomic_dir()?.join("deposits.log"))
 }
 
-pub fn tls_dir() -> Result<PathBuf> {
-    Ok(atomic_dir()?.join("tls"))
-}
-
 pub fn pid_path() -> Result<PathBuf> {
     Ok(atomic_dir()?.join("atomic.pid"))
 }
@@ -57,6 +67,60 @@ pub fn log_path() -> Result<PathBuf> {
     Ok(atomic_dir()?.join("atomic.log"))
 }
 
+/// Acquire an exclusive flock on the PID file to prevent double-start races.
+/// Returns the open File handle — caller must keep it alive for the duration of the process.
+/// The lock is automatically released by the kernel when the process exits (even on crash).
+pub fn acquire_pid_lock(path: &Path) -> Result<std::fs::File> {
+    use fs2::FileExt;
+    use std::io::Write;
+
+    let file = std::fs::OpenOptions::new()
+        .write(true)
+        .create(true)
+        .truncate(false)
+        .open(path)
+        .with_context(|| format!("Failed to open PID file at {}", path.display()))?;
+
+    file.try_lock_exclusive()
+        .context("Another atomic process is already running (PID file locked)")?;
+
+    // Write PID after lock acquired
+    let mut f = &file;
+    file.set_len(0)?;
+    f.write_all(std::process::id().to_string().as_bytes())?;
+    file.sync_all()?;
+    Ok(file)
+}
+
+/// Current UTC time as Unix epoch seconds. Single syscall, no allocation.
+pub fn epoch_secs() -> u64 {
+    std::time::SystemTime::now()
+        .duration_since(std::time::UNIX_EPOCH)
+        .unwrap_or_default()
+        .as_secs()
+}
+
+/// Format a Unix timestamp as RFC 3339 UTC (e.g. "2024-01-15T12:30:00Z").
+/// Uses the Hinnant civil_from_days algorithm. No chrono dependency.
+pub fn format_rfc3339(epoch: i64) -> String {
+    let secs = epoch.rem_euclid(86400) as u32;
+    let days = epoch.div_euclid(86400) as i32;
+    let z = days + 719468;
+    let era = if z >= 0 { z } else { z - 146097 } / 146097;
+    let doe = (z - era * 146097) as u32;
+    let yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
+    let y = yoe as i32 + era * 400;
+    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
+    let mp = (5 * doy + 2) / 153;
+    let d = doy - (153 * mp + 2) / 5 + 1;
+    let m = if mp < 10 { mp + 3 } else { mp - 9 };
+    let y = if m <= 2 { y + 1 } else { y };
+    let h = secs / 3600;
+    let min = (secs % 3600) / 60;
+    let s = secs % 60;
+    format!("{y:04}-{m:02}-{d:02}T{h:02}:{min:02}:{s:02}Z")
+}
+
 pub fn ensure_atomic_dir() -> Result<PathBuf> {
     let dir = atomic_dir()?;
     if !dir.exists() {
@@ -104,8 +168,26 @@ mod tests {
     #[test]
     fn atomic_dir_under_home() {
         let dir = atomic_dir().unwrap();
-        let home = dirs::home_dir().unwrap();
+        let home = PathBuf::from(std::env::var("HOME").unwrap());
         assert!(dir.starts_with(&home));
         assert!(dir.ends_with(".atomic"));
     }
+
+    #[test]
+    fn format_rfc3339_epoch_zero() {
+        assert_eq!(format_rfc3339(0), "1970-01-01T00:00:00Z");
+    }
+
+    #[test]
+    fn format_rfc3339_known_date() {
+        // 2024-01-01T00:00:00Z
+        assert_eq!(format_rfc3339(1704067200), "2024-01-01T00:00:00Z");
+    }
+
+    #[test]
+    fn epoch_secs_is_reasonable() {
+        let now = epoch_secs();
+        assert!(now > 1_700_000_000); // after 2023
+        assert!(now < 4_000_000_000); // before 2096
+    }
 }
diff --git a/src/credentials.rs b/src/credentials.rs
index 1858c95..1a2bcc8 100644
--- a/src/credentials.rs
+++ b/src/credentials.rs
@@ -65,16 +65,21 @@ impl Credentials {
     }
 
     pub fn signing_key(&self) -> Result<SigningKey> {
-        signing::decode_private_key(&self.private_key)
+        Ok(signing::decode_private_key(&self.private_key)?)
     }
 
     pub fn verifying_key(&self) -> Result<VerifyingKey> {
-        signing::decode_public_key(&self.public_key)
+        Ok(signing::decode_public_key(&self.public_key)?)
     }
 
     pub fn save(&self, path: &Path) -> Result<()> {
-        let json = serde_json::to_string_pretty(self).context("Failed to serialize credentials")?;
-        crate::config::write_secure(path, json.as_bytes())
+        // Write directly into a Zeroizing<Vec<u8>> so the private key material
+        // in the serialized JSON is zeroed on drop, not left in freed heap memory.
+        let mut buf = zeroize::Zeroizing::new(Vec::new());
+        serde_json::to_writer_pretty(&mut *buf, self).context("Failed to serialize credentials")?;
+        // Eliminate capacity slack so Zeroizing wipes all bytes containing key material.
+        buf.shrink_to_fit();
+        crate::config::write_secure(path, &buf)
     }
 
     pub fn load(path: &Path) -> Result<Self> {
diff --git a/src/crypto/mod.rs b/src/crypto/mod.rs
index 67883a9..dfcfb31 100644
--- a/src/crypto/mod.rs
+++ b/src/crypto/mod.rs
@@ -1,2 +1,18 @@
 pub mod signing;
 pub mod vault;
+
+/// Zero-allocation error type for cryptographic operations.
+/// Prevents information leakage — no file paths, key IDs, or internal details.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, thiserror::Error)]
+pub enum CryptoError {
+    #[error("invalid key")]
+    InvalidKey,
+    #[error("invalid signature")]
+    InvalidSignature,
+    #[error("invalid ciphertext")]
+    InvalidCiphertext,
+    #[error("key derivation failed")]
+    KeyDerivationFailed,
+    #[error("encryption failed")]
+    EncryptionFailed,
+}
diff --git a/src/crypto/signing.rs b/src/crypto/signing.rs
index 17be4ae..ba299b1 100644
--- a/src/crypto/signing.rs
+++ b/src/crypto/signing.rs
@@ -1,10 +1,10 @@
-use anyhow::{Context, Result};
-use base64::engine::general_purpose::STANDARD as BASE64;
-use base64::Engine;
+use base64ct::{Base64, Encoding};
 use ed25519_dalek::{Signature, Signer, SigningKey, Verifier, VerifyingKey};
 use rand::rngs::OsRng;
 use zeroize::Zeroizing;
 
+use super::CryptoError;
+
 pub fn generate_keypair() -> (SigningKey, VerifyingKey) {
     let signing_key = SigningKey::generate(&mut OsRng);
     let verifying_key = signing_key.verifying_key();
@@ -23,46 +23,50 @@ pub fn verify(verifying_key: &VerifyingKey, message: &[u8], signature: &Signatur
 
 // Wire format: "ed25519:<base64 bytes>"
 pub fn encode_public_key(verifying_key: &VerifyingKey) -> String {
-    format!("ed25519:{}", BASE64.encode(verifying_key.as_bytes()))
+    format!("ed25519:{}", Base64::encode_string(verifying_key.as_bytes()))
 }
 
-pub fn decode_public_key(encoded: &str) -> Result<VerifyingKey> {
+pub fn decode_public_key(encoded: &str) -> Result<VerifyingKey, CryptoError> {
     let b64 = encoded
         .strip_prefix("ed25519:")
-        .context("Public key must start with 'ed25519:'")?;
-    let bytes = BASE64.decode(b64).context("Invalid base64 in public key")?;
-    let key_bytes: [u8; 32] = bytes
-        .try_into()
-        .map_err(|_| anyhow::anyhow!("Public key must be 32 bytes"))?;
-    VerifyingKey::from_bytes(&key_bytes).context("Invalid Ed25519 public key")
+        .ok_or(CryptoError::InvalidKey)?;
+    // Stack-allocated decode: no heap allocation for 32-byte key.
+    let mut buf = [0u8; 32];
+    let decoded = Base64::decode(b64, &mut buf).map_err(|_| CryptoError::InvalidKey)?;
+    if decoded.len() != 32 {
+        return Err(CryptoError::InvalidKey);
+    }
+    VerifyingKey::from_bytes(&buf).map_err(|_| CryptoError::InvalidKey)
 }
 
 pub fn encode_private_key(signing_key: &SigningKey) -> String {
     let key_bytes = Zeroizing::new(signing_key.to_bytes());
-    BASE64.encode(*key_bytes)
+    Base64::encode_string(&*key_bytes)
 }
 
-pub fn decode_private_key(encoded: &str) -> Result<SigningKey> {
-    let bytes = Zeroizing::new(BASE64.decode(encoded).context("Invalid base64 in private key")?);
-    if bytes.len() != 32 {
-        anyhow::bail!("Private key must be 32 bytes");
-    }
+pub fn decode_private_key(encoded: &str) -> Result<SigningKey, CryptoError> {
+    // Stack-allocated decode directly into Zeroizing — no intermediate Vec.
     let mut key_bytes = Zeroizing::new([0u8; 32]);
-    key_bytes.copy_from_slice(&bytes);
+    let decoded = Base64::decode(encoded, key_bytes.as_mut()).map_err(|_| CryptoError::InvalidKey)?;
+    if decoded.len() != 32 {
+        return Err(CryptoError::InvalidKey);
+    }
     Ok(SigningKey::from_bytes(&key_bytes))
 }
 
 pub fn encode_signature(signature: &Signature) -> String {
-    BASE64.encode(signature.to_bytes())
+    Base64::encode_string(&signature.to_bytes())
 }
 
 #[allow(dead_code)]
-pub fn decode_signature(encoded: &str) -> Result<Signature> {
-    let bytes = BASE64.decode(encoded).context("Invalid base64 in signature")?;
-    let sig_bytes: [u8; 64] = bytes
-        .try_into()
-        .map_err(|_| anyhow::anyhow!("Signature must be 64 bytes"))?;
-    Ok(Signature::from_bytes(&sig_bytes))
+pub fn decode_signature(encoded: &str) -> Result<Signature, CryptoError> {
+    // Stack-allocated decode: no heap allocation for 64-byte signature.
+    let mut buf = [0u8; 64];
+    let decoded = Base64::decode(encoded, &mut buf).map_err(|_| CryptoError::InvalidSignature)?;
+    if decoded.len() != 64 {
+        return Err(CryptoError::InvalidSignature);
+    }
+    Ok(Signature::from_bytes(&buf))
 }
 
 #[cfg(test)]
@@ -131,7 +135,7 @@ mod tests {
 
     #[test]
     fn decode_public_key_wrong_length() {
-        let short = BASE64.encode([0u8; 16]); // 16 bytes, need 32
+        let short = Base64::encode_string(&[0u8; 16]); // 16 bytes, need 32
         assert!(decode_public_key(&format!("ed25519:{short}")).is_err());
     }
 
@@ -142,13 +146,13 @@ mod tests {
 
     #[test]
     fn decode_private_key_wrong_length() {
-        let short = BASE64.encode([0u8; 16]);
+        let short = Base64::encode_string(&[0u8; 16]);
         assert!(decode_private_key(&short).is_err());
     }
 
     #[test]
     fn decode_signature_wrong_length() {
-        let short = BASE64.encode([0u8; 32]); // 32 bytes, need 64
+        let short = Base64::encode_string(&[0u8; 32]); // 32 bytes, need 64
         assert!(decode_signature(&short).is_err());
     }
 
diff --git a/src/crypto/vault.rs b/src/crypto/vault.rs
index 00ddea3..93dfdb7 100644
--- a/src/crypto/vault.rs
+++ b/src/crypto/vault.rs
@@ -1,59 +1,66 @@
 use aes_gcm::{
-    aead::{Aead, KeyInit},
+    aead::{Aead, AeadInPlace, KeyInit},
     Aes256Gcm, Nonce,
 };
-use anyhow::{Context, Result};
 use hkdf::Hkdf;
 use rand::RngCore;
 use sha2::Sha256;
 use zeroize::Zeroizing;
 
+use super::CryptoError;
+
 const NONCE_SIZE: usize = 12;
 const HKDF_SALT: &[u8] = b"atomic-v1";
+const MAX_CIPHERTEXT_SIZE: usize = 16 * 1024 * 1024; // 16 MB
 
 // HKDF with salt and "atomic-vault" context, so the vault key differs from the signing key.
-pub fn derive_vault_key(private_key_bytes: &[u8; 32]) -> Result<Zeroizing<[u8; 32]>> {
+pub fn derive_vault_key(private_key_bytes: &[u8; 32]) -> Result<Zeroizing<[u8; 32]>, CryptoError> {
     let hk = Hkdf::<Sha256>::new(Some(HKDF_SALT), private_key_bytes);
     let mut key = Zeroizing::new([0u8; 32]);
     hk.expand(b"atomic-vault", key.as_mut())
-        .map_err(|_| anyhow::anyhow!("HKDF expand failed"))?;
+        .map_err(|_| CryptoError::KeyDerivationFailed)?;
     Ok(key)
 }
 
 // Output: 12-byte nonce prepended to ciphertext.
-pub fn encrypt(key: &[u8; 32], plaintext: &[u8]) -> Result<Vec<u8>> {
+pub fn encrypt(key: &[u8; 32], plaintext: &[u8]) -> Result<Vec<u8>, CryptoError> {
     let cipher = Aes256Gcm::new_from_slice(key)
-        .map_err(|e| anyhow::anyhow!("Failed to create cipher: {e}"))?;
+        .map_err(|_| CryptoError::EncryptionFailed)?;
 
     let mut nonce_bytes = [0u8; NONCE_SIZE];
     rand::rngs::OsRng.fill_bytes(&mut nonce_bytes);
     let nonce = Nonce::from_slice(&nonce_bytes);
 
-    let ciphertext = cipher
-        .encrypt(nonce, plaintext)
-        .map_err(|e| anyhow::anyhow!("Encryption failed: {e}"))?;
-
-    let mut result = Vec::with_capacity(NONCE_SIZE + ciphertext.len());
-    result.extend_from_slice(&nonce_bytes);
-    result.extend_from_slice(&ciphertext);
-    Ok(result)
+    // Single allocation, exact size: nonce(12) + ciphertext(len) + tag(16).
+    // encrypt_in_place_detached avoids the intermediate Vec that Aead::encrypt allocates.
+    let mut out = Vec::with_capacity(NONCE_SIZE + plaintext.len() + 16);
+    out.extend_from_slice(&nonce_bytes);
+    out.extend_from_slice(plaintext);
+    let tag = cipher
+        .encrypt_in_place_detached(nonce, b"", &mut out[NONCE_SIZE..])
+        .map_err(|_| CryptoError::EncryptionFailed)?;
+    out.extend_from_slice(&tag);
+    Ok(out)
 }
 
 // Expects 12-byte nonce prepended to ciphertext (same format encrypt() produces).
-pub fn decrypt(key: &[u8; 32], data: &[u8]) -> Result<Vec<u8>> {
-    if data.len() < NONCE_SIZE {
-        anyhow::bail!("Encrypted data too short");
+// Returns Zeroizing<Box<[u8]>> — into_boxed_slice() guarantees capacity == len,
+// so Zeroizing wipes the entire allocation with no unzeroed slack bytes.
+pub fn decrypt(key: &[u8; 32], data: &[u8]) -> Result<Zeroizing<Box<[u8]>>, CryptoError> {
+    if data.len() < NONCE_SIZE || data.len() > MAX_CIPHERTEXT_SIZE {
+        return Err(CryptoError::InvalidCiphertext);
     }
 
     let (nonce_bytes, ciphertext) = data.split_at(NONCE_SIZE);
     let cipher = Aes256Gcm::new_from_slice(key)
-        .map_err(|e| anyhow::anyhow!("Failed to create cipher: {e}"))?;
+        .map_err(|_| CryptoError::InvalidCiphertext)?;
     let nonce = Nonce::from_slice(nonce_bytes);
 
-    cipher
+    let plaintext = cipher
         .decrypt(nonce, ciphertext)
-        .map_err(|_| anyhow::anyhow!("Decryption failed (wrong key or corrupted data)"))
-        .context("Vault decryption failed")
+        .map_err(|_| CryptoError::InvalidCiphertext)?;
+
+    Ok(Zeroizing::new(plaintext.into_boxed_slice()))
 }
 
 #[cfg(test)]
@@ -66,7 +73,7 @@ mod tests {
         let plaintext = b"secret data here";
         let encrypted = encrypt(&key, plaintext).unwrap();
         let decrypted = decrypt(&key, &encrypted).unwrap();
-        assert_eq!(plaintext.to_vec(), decrypted);
+        assert_eq!(plaintext.as_slice(), &**decrypted);
     }
 
     #[test]
@@ -107,12 +114,19 @@ mod tests {
         assert!(decrypt(&key, &[0u8; 5]).is_err());
     }
 
+    #[test]
+    fn decrypt_oversized_rejected() {
+        let key = [42u8; 32];
+        let oversized = vec![0u8; MAX_CIPHERTEXT_SIZE + 1];
+        assert!(matches!(decrypt(&key, &oversized), Err(CryptoError::InvalidCiphertext)));
+    }
+
     #[test]
     fn encrypt_decrypt_empty_plaintext() {
         let key = [42u8; 32];
         let encrypted = encrypt(&key, b"").unwrap();
         let decrypted = decrypt(&key, &encrypted).unwrap();
-        assert!(decrypted.is_empty());
+        assert!((*decrypted).is_empty());
     }
 
     #[test]
diff --git a/src/db.rs b/src/db.rs
index af79752..b9540ff 100644
--- a/src/db.rs
+++ b/src/db.rs
@@ -1,12 +1,152 @@
 use anyhow::{Context, Result};
 use rusqlite::Connection;
+use std::collections::VecDeque;
+use std::path::{Path, PathBuf};
+use std::sync::atomic::{AtomicBool, Ordering};
+use std::sync::{Condvar, Mutex};
+use std::time::{Duration, Instant};
 
 use crate::config;
 
-pub fn open() -> Result<Connection> {
-    let db_path = config::atomic_dir()?.join("atomic.db");
+/// Recycle connections after 1 hour to prevent RSS growth from SQLite's
+/// accumulated prepared-statement caches, schema caches, and WAL index pages.
+const MAX_CONN_LIFETIME: Duration = Duration::from_secs(3600);
+
+/// Zero-dependency connection pool for SQLite.
+/// Uses Mutex<VecDeque> + Condvar — O(1) push/pop for small pool sizes (2-8).
+/// WAL mode allows concurrent readers; the pool prevents serialization
+/// behind a single Mutex<Connection>.
+pub struct DbPool {
+    conns: Mutex<VecDeque<(Connection, Instant)>>,
+    available: Condvar,
+    shutdown: AtomicBool,
+    db_path: PathBuf,
+}
+
+/// RAII guard that returns the connection to the pool on drop.
+/// Tracks hold time to detect potential connection leaks.
+pub struct PooledConn<'a> {
+    pool: &'a DbPool,
+    conn: Option<Connection>,
+    created_at: Instant,
+    acquired_at: Instant,
+}
+
+impl<'a> std::ops::Deref for PooledConn<'a> {
+    type Target = Connection;
+    fn deref(&self) -> &Connection {
+        self.conn.as_ref().expect("PooledConn used after take")
+    }
+}
+
+impl Drop for PooledConn<'_> {
+    fn drop(&mut self) {
+        if let Some(c) = self.conn.take() {
+            let held = self.acquired_at.elapsed();
+            if held > Duration::from_secs(60) {
+                // Cooperatively interrupt any in-flight query before closing.
+                // This lets SQLite roll back cleanly instead of leaving the WAL
+                // in an undefined state from an aborted transaction.
+                c.get_interrupt_handle().interrupt();
+                tracing::warn!("SQLite connection held for {:?}, interrupted and dropping", held);
+                return;
+            }
+            if held > Duration::from_secs(30) {
+                tracing::warn!("SQLite connection held for {:?}, possible leak", held);
+            }
+            // Recycle expired connections: drop instead of returning to pool.
+            // The next get() will create a fresh replacement, releasing SQLite's
+            // accumulated caches (prepared statements, schema, WAL index pages).
+            if self.created_at.elapsed() > MAX_CONN_LIFETIME {
+                tracing::debug!("Recycling expired SQLite connection (age {:?})", self.created_at.elapsed());
+                // Notify so get() wakes up and creates a replacement.
+                self.pool.available.notify_one();
+                return;
+            }
+            // Poison detection: if a transaction is still active (e.g., handler panicked
+            // mid-write), roll it back before returning to the pool. Returning a dirty
+            // connection could corrupt subsequent operations on that pooled handle.
+            if !c.is_autocommit() {
+                tracing::warn!("Returning connection with active transaction, rolling back");
+                let _ = c.execute_batch("ROLLBACK");
+            }
+            // Panic-safe pool return: catch any panic during mutex lock to prevent
+            // double-panic abort (which would skip remaining destructors and Zeroizing).
+            let created_at = self.created_at;
+            let result = std::panic::catch_unwind(std::panic::AssertUnwindSafe(|| {
+                let mut conns = self.pool.conns.lock().unwrap_or_else(|e| e.into_inner());
+                conns.push_back((c, created_at));
+                self.pool.available.notify_one();
+            }));
+            if result.is_err() {
+                tracing::error!("Panic while returning connection to pool (connection leaked)");
+            }
+        }
+    }
+}
+
+impl DbPool {
+    /// Signal the pool to reject new acquisitions and wake all waiting threads.
+    /// Called during graceful shutdown to prevent threads from blocking on Condvar.
+    pub fn shutdown(&self) {
+        self.shutdown.store(true, Ordering::SeqCst);
+        self.available.notify_all();
+    }
+
+    /// Get a connection from the pool, blocking up to 5 seconds.
+    /// Expired connections (>1 hour) are transparently replaced with fresh ones.
+    pub fn get(&self) -> Result<PooledConn<'_>> {
+        if self.shutdown.load(Ordering::SeqCst) {
+            anyhow::bail!("DB pool shutting down");
+        }
+        let deadline = Instant::now() + Duration::from_secs(5);
+        let mut conns = self.conns.lock().unwrap_or_else(|e| e.into_inner());
+        loop {
+            if let Some((conn, created_at)) = conns.pop_front() {
+                // Recycle expired connections to release SQLite's internal caches.
+                if created_at.elapsed() > MAX_CONN_LIFETIME {
+                    drop(conn);
+                    match open_connection(&self.db_path) {
+                        Ok(fresh) => {
+                            return Ok(PooledConn {
+                                pool: self,
+                                conn: Some(fresh),
+                                created_at: Instant::now(),
+                                acquired_at: Instant::now(),
+                            });
+                        }
+                        Err(e) => {
+                            tracing::warn!("Failed to replace expired SQLite connection: {e}");
+                            continue;
+                        }
+                    }
+                }
+                return Ok(PooledConn {
+                    pool: self,
+                    conn: Some(conn),
+                    created_at,
+                    acquired_at: Instant::now(),
+                });
+            }
+            if self.shutdown.load(Ordering::SeqCst) {
+                anyhow::bail!("DB pool shutting down");
+            }
+            let remaining = deadline.saturating_duration_since(Instant::now());
+            if remaining.is_zero() {
+                anyhow::bail!("DB pool exhausted (5s timeout)");
+            }
+            let (guard, result) = self.available
+                .wait_timeout(conns, remaining)
+                .unwrap_or_else(|e| e.into_inner());
+            conns = guard;
+            if result.timed_out() && conns.is_empty() {
+                anyhow::bail!("DB pool exhausted (5s timeout)");
+            }
+        }
+    }
+}
 
-    // Pre-create DB file with restricted permissions (0600) before SQLite opens it
+fn ensure_db_file(db_path: &Path) -> Result<()> {
     #[cfg(unix)]
     if !db_path.exists() {
         use std::os::unix::fs::OpenOptionsExt;
@@ -14,47 +154,79 @@ pub fn open() -> Result<Connection> {
             .write(true)
             .create_new(true)
             .mode(0o600)
-            .open(&db_path)
+            .open(db_path)
             .with_context(|| format!("Failed to create database at {}", db_path.display()))?;
     }
+    Ok(())
+}
 
-    let conn = Connection::open(&db_path)
+fn open_connection(db_path: &Path) -> Result<Connection> {
+    let conn = Connection::open(db_path)
         .with_context(|| format!("Failed to open database at {}", db_path.display()))?;
 
+    // auto_vacuum must be set before first table creation; no-op on existing DBs.
+    // INCREMENTAL avoids full-vacuum stalls while reclaiming space from TTL deletes.
+    let _ = conn.pragma_update(None, "auto_vacuum", "INCREMENTAL");
     // WAL mode: fast reads, lets multiple processes access the file
     conn.pragma_update(None, "journal_mode", "WAL")?;
-    conn.pragma_update(None, "synchronous", "FULL")?;
-    conn.pragma_update(None, "cache_size", "-2000")?;
-
-    // CREATE TABLE IF NOT EXISTS is idempotent — safe to run every time
-    migrate(&conn)?;
+    conn.pragma_update(None, "synchronous", "NORMAL")?;
+    conn.pragma_update(None, "cache_size", "-64000")?;
+    // 4s busy_timeout: lower than the 5s tokio::time::timeout on handlers,
+    // so SQLite returns BUSY cleanly before the task gets cancelled.
+    conn.pragma_update(None, "busy_timeout", "4000")?;
+    conn.pragma_update(None, "temp_store", "MEMORY")?;
+    conn.pragma_update(None, "journal_size_limit", "67108864")?;
+    conn.pragma_update(None, "wal_autocheckpoint", "1000")?;
+    conn.pragma_update(None, "mmap_size", "268435456")?; // 256MB — zero-copy reads for single-tenant
+    // Process-wide SQLite memory limit to prevent OOM under sustained load
+    let _ = conn.pragma_update(None, "hard_heap_limit", "134217728"); // 128MB
+    // Increase prepared statement cache for hot query paths (default is 16)
+    conn.set_prepared_statement_cache_capacity(100);
 
     Ok(conn)
 }
 
-fn migrate(conn: &Connection) -> Result<()> {
-    // Migrate magic_links from old schema (plaintext `code`) to new (hashed `code_hash`).
-    // Magic links are short-lived, so dropping the table is safe.
-    let has_old_schema = conn
-        .prepare("SELECT code FROM magic_links LIMIT 0")
-        .is_ok();
-    if has_old_schema {
-        conn.execute_batch("DROP TABLE magic_links;")
-            .context("Failed to migrate magic_links table")?;
+/// Open a connection pool with `size` connections, each configured for WAL mode.
+/// Migrations run once on the first connection.
+pub fn open_pool(size: usize) -> Result<DbPool> {
+    let db_path = config::atomic_dir()?.join("atomic.db");
+    ensure_db_file(&db_path)?;
+
+    let first = open_connection(&db_path)?;
+    migrate(&first)?;
+    let now = Instant::now();
+
+    let mut conns = VecDeque::with_capacity(size);
+    conns.push_back((first, now));
+
+    for _ in 1..size {
+        conns.push_back((open_connection(&db_path)?, now));
     }
 
-    conn.execute_batch(
-        "CREATE TABLE IF NOT EXISTS magic_links (
-            code_hash  TEXT PRIMARY KEY,
-            hint       TEXT NOT NULL DEFAULT '',
-            expires_at INTEGER NOT NULL
-        );
+    Ok(DbPool {
+        conns: Mutex::new(conns),
+        available: Condvar::new(),
+        shutdown: AtomicBool::new(false),
+        db_path,
+    })
+}
+
+/// Open a single connection (for CLI commands that don't need a pool).
+pub fn open() -> Result<Connection> {
+    let db_path = config::atomic_dir()?.join("atomic.db");
+    ensure_db_file(&db_path)?;
+    let conn = open_connection(&db_path)?;
+    migrate(&conn)?;
+    Ok(conn)
+}
 
-        CREATE TABLE IF NOT EXISTS used_deposits (
+fn migrate(conn: &Connection) -> Result<()> {
+    conn.execute_batch(
+        "CREATE TABLE IF NOT EXISTS used_deposits (
             nonce      TEXT PRIMARY KEY,
             label      TEXT NOT NULL,
             used_at    INTEGER NOT NULL
-        );
+        ) WITHOUT ROWID;
 
         CREATE TABLE IF NOT EXISTS vault_secrets (
             label      TEXT PRIMARY KEY,
@@ -67,7 +239,10 @@ fn migrate(conn: &Connection) -> Result<()> {
             source_ip  TEXT,
             user_agent TEXT,
             deposited_at INTEGER NOT NULL
-        );",
+        );
+
+        CREATE INDEX IF NOT EXISTS idx_used_deposits_used_at ON used_deposits(used_at);
+        CREATE INDEX IF NOT EXISTS idx_deposit_log_deposited_at ON deposit_log(deposited_at);",
     )
     .context("Failed to run migrations")?;
     Ok(())
diff --git a/src/deposit.rs b/src/deposit.rs
index fa06f69..b43b3c2 100644
--- a/src/deposit.rs
+++ b/src/deposit.rs
@@ -1,6 +1,5 @@
 use anyhow::Result;
-use base64::engine::general_purpose::URL_SAFE_NO_PAD as B64URL;
-use base64::Engine;
+use base64ct::{Base64UrlUnpadded, Encoding};
 use serde::{Deserialize, Serialize};
 use std::time::Duration;
 
@@ -24,7 +23,7 @@ pub fn create_signed_token(
     let nonce = generate_nonce();
     let max_expiry: u64 = 24 * 3600; // 24 hours
     let secs = expires_in.as_secs().min(max_expiry);
-    let expires_at = chrono::Utc::now().timestamp() + i64::try_from(secs)
+    let expires_at = crate::config::epoch_secs() as i64 + i64::try_from(secs)
         .map_err(|_| anyhow::anyhow!("Duration too large"))?;
 
     let payload = DepositPayload {
@@ -34,53 +33,46 @@ pub fn create_signed_token(
     };
 
     let payload_json = serde_json::to_string(&payload)?;
-    let payload_b64 = B64URL.encode(payload_json.as_bytes());
+    let payload_b64 = Base64UrlUnpadded::encode_string(payload_json.as_bytes());
     let sig = signing::sign(signing_key, payload_b64.as_bytes());
-    let sig_b64 = B64URL.encode(sig.to_bytes());
+    let sig_b64 = Base64UrlUnpadded::encode_string(&sig.to_bytes());
 
     Ok(format!("{payload_b64}.{sig_b64}"))
 }
 
 /// Verify signature and expiry only (no DB access). Returns the payload if valid.
+/// Zero-allocation on failure — prevents DoS via invalid-request heap pressure.
+/// Silent on failure — no logging to prevent timing attacks and information leakage.
 pub fn verify_signature(
     token: &str,
     verifying_key: &ed25519_dalek::VerifyingKey,
 ) -> Option<DepositPayload> {
-    match try_verify_signature(token, verifying_key) {
-        Ok(p) => Some(p),
-        Err(e) => {
-            tracing::debug!("Deposit verify failed: {}", e);
-            None
-        }
-    }
-}
+    let (payload_b64, sig_b64) = token.split_once('.')?;
 
-fn try_verify_signature(
-    token: &str,
-    verifying_key: &ed25519_dalek::VerifyingKey,
-) -> Result<DepositPayload> {
-    let (payload_b64, sig_b64) = token
-        .split_once('.')
-        .ok_or_else(|| anyhow::anyhow!("No '.' separator in token"))?;
-
-    let sig_bytes = B64URL.decode(sig_b64)?;
-    let sig = ed25519_dalek::Signature::from_slice(&sig_bytes)
-        .map_err(|e| anyhow::anyhow!("Bad signature bytes: {e}"))?;
+    // Stack-allocated signature decode (zero heap allocation)
+    let mut sig_buf = [0u8; 64];
+    let sig_decoded = Base64UrlUnpadded::decode(sig_b64, &mut sig_buf).ok()?;
+    if sig_decoded.len() != 64 {
+        return None;
+    }
+    let sig = ed25519_dalek::Signature::from_bytes(&sig_buf);
 
-    use ed25519_dalek::Verifier;
     verifying_key
-        .verify(payload_b64.as_bytes(), &sig)
-        .map_err(|e| anyhow::anyhow!("Signature invalid: {e}"))?;
+        .verify_strict(payload_b64.as_bytes(), &sig)
+        .ok()?;
 
-    let payload_json = B64URL.decode(payload_b64)?;
-    let payload: DepositPayload = serde_json::from_slice(&payload_json)?;
+    // Stack-allocated payload decode (zero heap allocation).
+    // DepositPayload JSON is well under 768 bytes (label≤256 + nonce=32 + overhead).
+    let mut payload_buf = [0u8; 1024];
+    let payload_bytes = Base64UrlUnpadded::decode(payload_b64, &mut payload_buf).ok()?;
+    let payload: DepositPayload = serde_json::from_slice(payload_bytes).ok()?;
 
-    let now = chrono::Utc::now().timestamp();
+    let now = crate::config::epoch_secs() as i64;
     if payload.expires_at <= now {
-        anyhow::bail!("Token expired (expires_at={}, now={})", payload.expires_at, now);
+        return None;
     }
 
-    Ok(payload)
+    Some(payload)
 }
 
 /// Claim the nonce using a provided connection reference.
@@ -88,9 +80,10 @@ pub fn claim_nonce_with_conn(
     payload: &DepositPayload,
     conn: &rusqlite::Connection,
 ) -> Result<()> {
-    let now = chrono::Utc::now().timestamp();
-    let inserted = conn.execute(
+    let now = crate::config::epoch_secs() as i64;
+    let inserted = conn.prepare_cached(
         "INSERT OR IGNORE INTO used_deposits (nonce, label, used_at) VALUES (?1, ?2, ?3)",
+    )?.execute(
         rusqlite::params![payload.nonce, payload.label, now],
     )?;
 
@@ -108,9 +101,10 @@ pub fn log_deposit(
     source_ip: &str,
     user_agent: &str,
 ) -> Result<()> {
-    let now = chrono::Utc::now().timestamp();
-    conn.execute(
+    let now = crate::config::epoch_secs() as i64;
+    conn.prepare_cached(
         "INSERT INTO deposit_log (label, source_ip, user_agent, deposited_at) VALUES (?1, ?2, ?3, ?4)",
+    )?.execute(
         rusqlite::params![label, source_ip, user_agent, now],
     )?;
     Ok(())
@@ -138,9 +132,7 @@ pub fn list_deposits(label_filter: Option<&str>) -> Result<()> {
         let ip: String = row.get(1)?;
         let ua: String = row.get(2)?;
         let ts: i64 = row.get(3)?;
-        let time = chrono::DateTime::from_timestamp(ts, 0)
-            .map(|dt| dt.to_rfc3339())
-            .unwrap_or_else(|| ts.to_string());
+        let time = crate::config::format_rfc3339(ts);
         println!("{time}  {label}");
         println!("  IP:         {ip}");
         if !ua.is_empty() {
@@ -160,34 +152,7 @@ fn generate_nonce() -> String {
     use rand::RngCore;
     let mut bytes = [0u8; 16];
     rand::rngs::OsRng.fill_bytes(&mut bytes);
-    hex::encode(bytes)
-}
-
-// Accepts "10m", "1h", "30s".
-pub fn parse_duration(s: &str) -> anyhow::Result<Duration> {
-    let s = s.trim();
-    if s.is_empty() {
-        anyhow::bail!("Empty duration string");
-    }
-
-    let (num_str, multiplier) = if let Some(n) = s.strip_suffix('m') {
-        (n, 60)
-    } else if let Some(n) = s.strip_suffix('h') {
-        (n, 3600)
-    } else if let Some(n) = s.strip_suffix('s') {
-        (n, 1)
-    } else {
-        anyhow::bail!("Duration must end with 's' (seconds), 'm' (minutes), or 'h' (hours)");
-    };
-
-    let num: u64 = num_str
-        .parse()
-        .map_err(|_| anyhow::anyhow!("Invalid number in duration: '{num_str}'"))?;
-
-    Ok(Duration::from_secs(
-        num.checked_mul(multiplier)
-            .ok_or_else(|| anyhow::anyhow!("Duration too large"))?,
-    ))
+    Base64UrlUnpadded::encode_string(&bytes)
 }
 
 #[cfg(test)]
@@ -195,20 +160,6 @@ mod tests {
     use super::*;
     use crate::crypto::signing as s;
 
-    #[test]
-    fn parse_duration_values() {
-        assert_eq!(parse_duration("10m").unwrap(), Duration::from_secs(600));
-        assert_eq!(parse_duration("1h").unwrap(), Duration::from_secs(3600));
-        assert_eq!(parse_duration("30s").unwrap(), Duration::from_secs(30));
-    }
-
-    #[test]
-    fn parse_duration_rejects_garbage() {
-        assert!(parse_duration("").is_err());
-        assert!(parse_duration("10x").is_err());
-        assert!(parse_duration("abc").is_err());
-    }
-
     #[test]
     fn signed_token_roundtrip() {
         let (sk, _vk) = s::generate_keypair();
@@ -219,7 +170,7 @@ mod tests {
 
         // Decode the payload part to verify contents
         let (payload_b64, _) = token.split_once('.').unwrap();
-        let payload_json = B64URL.decode(payload_b64).unwrap();
+        let payload_json = Base64UrlUnpadded::decode_vec(payload_b64).unwrap();
         let payload: DepositPayload = serde_json::from_slice(&payload_json).unwrap();
         assert_eq!(payload.label, "test_key");
         assert!(!payload.nonce.is_empty());
@@ -278,26 +229,14 @@ mod tests {
         let (sk, _) = s::generate_keypair();
         let token = create_signed_token("key", Duration::from_secs(48 * 3600), &sk).unwrap();
         let (payload_b64, _) = token.split_once('.').unwrap();
-        let payload_json = B64URL.decode(payload_b64).unwrap();
+        let payload_json = Base64UrlUnpadded::decode_vec(payload_b64).unwrap();
         let payload: DepositPayload = serde_json::from_slice(&payload_json).unwrap();
-        let now = chrono::Utc::now().timestamp();
+        let now = crate::config::epoch_secs() as i64;
         // Should be capped at ~24h, not 48h
         assert!(payload.expires_at <= now + 24 * 3600 + 5);
         assert!(payload.expires_at > now + 23 * 3600); // but at least ~23h
     }
 
-    #[test]
-    fn parse_duration_zero_values() {
-        assert_eq!(parse_duration("0s").unwrap(), Duration::from_secs(0));
-        assert_eq!(parse_duration("0m").unwrap(), Duration::from_secs(0));
-        assert_eq!(parse_duration("0h").unwrap(), Duration::from_secs(0));
-    }
-
-    #[test]
-    fn parse_duration_trims_whitespace() {
-        assert_eq!(parse_duration("  10m  ").unwrap(), Duration::from_secs(600));
-    }
-
     fn test_db() -> rusqlite::Connection {
         let conn = rusqlite::Connection::open_in_memory().unwrap();
         conn.execute_batch(
@@ -312,7 +251,7 @@ mod tests {
         let payload = DepositPayload {
             label: "test".into(),
             nonce: "unique_nonce_123".into(),
-            expires_at: chrono::Utc::now().timestamp() + 300,
+            expires_at: crate::config::epoch_secs() as i64 + 300,
         };
         assert!(claim_nonce_with_conn(&payload, &conn).is_ok());
     }
@@ -323,7 +262,7 @@ mod tests {
         let payload = DepositPayload {
             label: "test".into(),
             nonce: "replay_nonce".into(),
-            expires_at: chrono::Utc::now().timestamp() + 300,
+            expires_at: crate::config::epoch_secs() as i64 + 300,
         };
         claim_nonce_with_conn(&payload, &conn).unwrap();
         let err = claim_nonce_with_conn(&payload, &conn).unwrap_err();
diff --git a/src/init.rs b/src/init.rs
index 2454f49..494a0da 100644
--- a/src/init.rs
+++ b/src/init.rs
@@ -42,6 +42,10 @@ pub fn run(
         (None, Some(_)) => bail!("--tls-key requires --tls-cert"),
         _ => {}
     }
+    // Require explicit TLS config: either BYO certs or --no-tls
+    if !no_tls && tls_cert.is_none() {
+        bail!("TLS requires --tls-cert and --tls-key. Use --no-tls for plain HTTP (e.g., behind a reverse proxy).");
+    }
     if let Some(ref cert_path) = tls_cert {
         if !std::path::Path::new(cert_path).exists() {
             bail!("TLS certificate file not found: {cert_path}");
diff --git a/src/magic_link.rs b/src/magic_link.rs
deleted file mode 100644
index 4a13603..0000000
--- a/src/magic_link.rs
+++ /dev/null
@@ -1,157 +0,0 @@
-use anyhow::Result;
-use sha2::{Digest, Sha256};
-
-use crate::config;
-use crate::db;
-use crate::deposit::parse_duration;
-
-fn hash_code(code: &str) -> String {
-    let hash = Sha256::digest(code.as_bytes());
-    hex::encode(hash)
-}
-
-pub fn host(code: &str, expires: &str) -> Result<()> {
-    if code.len() < 20 {
-        anyhow::bail!("Code must be at least 20 characters (got {}). Use a longer code to prevent brute-force.", code.len());
-    }
-    let duration = parse_duration(expires)?;
-    let max_secs: u64 = 3600; // 1 hour max for magic links
-    let capped_secs = duration.as_secs().min(max_secs);
-    let expires_at = chrono::Utc::now().timestamp()
-        + i64::try_from(capped_secs).map_err(|_| anyhow::anyhow!("Duration too large"))?;
-
-    let code_hash = hash_code(code);
-    let hint = &code[..2.min(code.len())];
-
-    let conn = db::open()?;
-    conn.execute(
-        "INSERT OR REPLACE INTO magic_links (code_hash, hint, expires_at) VALUES (?1, ?2, ?3)",
-        rusqlite::params![code_hash, hint, expires_at],
-    )?;
-
-    let creds = crate::credentials::Credentials::load(&config::credentials_path()?)?;
-    let url = format!("{}/m/{}", creds.base_url(), code);
-
-    println!("{url}");
-    println!("Expires in {expires}. Service can verify at that URL.");
-    Ok(())
-}
-
-pub fn list() -> Result<()> {
-    let conn = db::open()?;
-    let now = chrono::Utc::now().timestamp();
-
-    // clean expired
-    conn.execute("DELETE FROM magic_links WHERE expires_at <= ?1", [now])?;
-
-    let mut stmt = conn.prepare("SELECT hint, expires_at FROM magic_links ORDER BY expires_at")?;
-    let rows = stmt.query_map([], |row| {
-        Ok((row.get::<_, String>(0)?, row.get::<_, i64>(1)?))
-    })?;
-
-    let mut found = false;
-    for row in rows {
-        let (hint, expires_at) = row?;
-        let remaining = expires_at - now;
-        let mins = remaining / 60;
-        let secs = remaining % 60;
-        println!("{hint}****  (expires in {mins}m {secs}s)");
-        found = true;
-    }
-
-    if !found {
-        println!("No active magic links.");
-    }
-    Ok(())
-}
-
-/// Called by the server to check and consume a code. One-time use.
-/// The code is hashed before lookup, so DB comparison timing is irrelevant.
-pub fn claim_with_conn(code: &str, conn: &rusqlite::Connection) -> Option<String> {
-    let now = chrono::Utc::now().timestamp();
-    let code_hash = hash_code(code);
-
-    let deleted = conn
-        .execute(
-            "DELETE FROM magic_links WHERE code_hash = ?1 AND expires_at > ?2",
-            rusqlite::params![code_hash, now],
-        )
-        .ok()?;
-
-    if deleted > 0 {
-        Some(code.to_string())
-    } else {
-        None
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    fn test_db() -> rusqlite::Connection {
-        let conn = rusqlite::Connection::open_in_memory().unwrap();
-        conn.execute_batch(
-            "CREATE TABLE magic_links (code_hash TEXT PRIMARY KEY, hint TEXT NOT NULL DEFAULT '', expires_at INTEGER NOT NULL);"
-        ).unwrap();
-        conn
-    }
-
-    fn insert_code(conn: &rusqlite::Connection, code: &str, expires_at: i64) {
-        let code_hash = hash_code(code);
-        let hint = &code[..2.min(code.len())];
-        conn.execute(
-            "INSERT INTO magic_links (code_hash, hint, expires_at) VALUES (?1, ?2, ?3)",
-            rusqlite::params![code_hash, hint, expires_at],
-        ).unwrap();
-    }
-
-    #[test]
-    fn claim_valid_code() {
-        let conn = test_db();
-        let future = chrono::Utc::now().timestamp() + 300;
-        insert_code(&conn, "abc12345", future);
-        assert_eq!(claim_with_conn("abc12345", &conn), Some("abc12345".to_string()));
-    }
-
-    #[test]
-    fn claim_expired_code() {
-        let conn = test_db();
-        let past = chrono::Utc::now().timestamp() - 10;
-        insert_code(&conn, "expired!", past);
-        assert!(claim_with_conn("expired!", &conn).is_none());
-    }
-
-    #[test]
-    fn claim_nonexistent_code() {
-        let conn = test_db();
-        assert!(claim_with_conn("nope1234", &conn).is_none());
-    }
-
-    #[test]
-    fn claim_one_time_use() {
-        let conn = test_db();
-        let future = chrono::Utc::now().timestamp() + 300;
-        insert_code(&conn, "onceonly", future);
-        assert!(claim_with_conn("onceonly", &conn).is_some());
-        assert!(claim_with_conn("onceonly", &conn).is_none());
-    }
-
-    #[test]
-    fn hash_code_is_deterministic() {
-        assert_eq!(hash_code("test1234"), hash_code("test1234"));
-    }
-
-    #[test]
-    fn hash_code_differs_for_different_inputs() {
-        assert_ne!(hash_code("test1234"), hash_code("test5678"));
-    }
-
-    #[test]
-    fn wrong_code_does_not_match() {
-        let conn = test_db();
-        let future = chrono::Utc::now().timestamp() + 300;
-        insert_code(&conn, "correct!", future);
-        assert!(claim_with_conn("wrongone", &conn).is_none());
-    }
-}
diff --git a/src/main.rs b/src/main.rs
index b18e5e7..42de016 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -6,17 +6,20 @@ mod crypto;
 mod db;
 mod deposit;
 mod init;
-mod magic_link;
 mod server;
 mod sign;
 mod tls;
 mod vault;
 
+#[cfg(feature = "jemalloc")]
+#[global_allocator]
+static GLOBAL: tikv_jemallocator::Jemalloc = tikv_jemallocator::Jemalloc;
+
 use anyhow::{Context, Result};
 use clap::Parser;
 use tracing_subscriber::EnvFilter;
 
-use cli::{Cli, Command, KeyCommand, MagicLinkCommand, ServiceCommand, VaultCommand};
+use cli::{Cli, Command, VaultCommand};
 
 #[tokio::main]
 async fn main() -> Result<()> {
@@ -24,6 +27,21 @@ async fn main() -> Result<()> {
         .with_env_filter(EnvFilter::from_default_env().add_directive("atomic=info".parse()?))
         .init();
 
+    // Enable jemalloc background thread for aggressive memory purging.
+    // Ensures freed allocations (including zeroed key material) are returned
+    // to the OS promptly instead of lingering in allocator caches.
+    #[cfg(feature = "jemalloc")]
+    {
+        if let Err(e) = tikv_jemalloc_ctl::background_thread::write(true) {
+            tracing::warn!("Failed to enable jemalloc background thread: {e}");
+        }
+    }
+
+    // Panic hook removed: file I/O in panic handlers is async-signal-unsafe
+    // (deadlock risk if panic occurred during malloc or file operation).
+    // The kernel automatically releases flock on the PID file when the process exits.
+    // Temp files from write_secure are cleaned on next startup or OS reboot.
+
     let cli = Cli::parse();
 
     match cli.command {
@@ -46,45 +64,48 @@ async fn main() -> Result<()> {
         }
 
         Command::Stop => {
+            use fs2::FileExt;
+
             let pid_path = config::pid_path()?;
             if !pid_path.exists() {
                 anyhow::bail!("No running server found (no PID file)");
             }
-            let pid_str = std::fs::read_to_string(&pid_path)?;
-            let pid: i32 = pid_str.trim().parse().context("Invalid PID file")?;
-            if pid <= 0 {
-                let _ = std::fs::remove_file(&pid_path);
-                anyhow::bail!("Invalid PID {pid} in PID file (removed)");
-            }
 
-            // Verify the PID belongs to an atomic process before killing
-            let ps_output = std::process::Command::new("ps")
-                .args(["-p", &pid.to_string(), "-o", "comm="])
-                .output();
-            if let Ok(output) = ps_output {
-                let comm = String::from_utf8_lossy(&output.stdout);
-                let comm = comm.trim();
-                if !comm.is_empty() && !comm.contains("atomic") {
+            // Use flock to atomically determine if the server process is alive.
+            // The running server holds an exclusive flock on the PID file.
+            // This eliminates the TOCTOU race window from ps/kill -0 checks.
+            let pid_file = std::fs::OpenOptions::new()
+                .read(true)
+                .write(true)
+                .open(&pid_path)
+                .context("Failed to open PID file")?;
+
+            match pid_file.try_lock_exclusive() {
+                Ok(()) => {
+                    // We got the lock — the server process is dead (kernel released its lock).
+                    drop(pid_file);
                     let _ = std::fs::remove_file(&pid_path);
-                    anyhow::bail!(
-                        "PID {pid} belongs to '{comm}', not atomic (stale PID file removed)"
-                    );
+                    println!("Cleaned up stale PID file (server was not running)");
+                }
+                Err(_) => {
+                    // Lock held by live server process — read PID and send SIGTERM.
+                    let pid_str = std::fs::read_to_string(&pid_path)?;
+                    let pid: i32 = pid_str.trim().parse().context("Invalid PID file")?;
+                    if pid <= 0 {
+                        anyhow::bail!("Invalid PID {pid} in PID file");
+                    }
+
+                    let status = std::process::Command::new("kill")
+                        .arg(pid.to_string())
+                        .status()
+                        .context("Failed to send SIGTERM")?;
+
+                    if status.success() {
+                        println!("Server stopped (PID {pid})");
+                    } else {
+                        println!("Failed to stop server (PID {pid})");
+                    }
                 }
-            }
-
-            // Send SIGTERM
-            let status = std::process::Command::new("kill")
-                .arg(pid.to_string())
-                .status()
-                .context("Failed to send stop signal")?;
-
-            if status.success() {
-                let _ = std::fs::remove_file(&pid_path);
-                println!("Server stopped (PID {pid})");
-            } else {
-                // Process might already be gone
-                let _ = std::fs::remove_file(&pid_path);
-                println!("Server process {pid} not found (cleaned up stale PID file)");
             }
         }
 
@@ -135,7 +156,7 @@ async fn main() -> Result<()> {
             let creds_path = config::credentials_path()?;
             let creds = credentials::Credentials::load(&creds_path)?;
             let signing_key = creds.signing_key()?;
-            let duration = deposit::parse_duration(&expires)?;
+            let duration = std::time::Duration::from_secs(expires);
             let token = deposit::create_signed_token(&label, duration, &signing_key)?;
             let url = format!("{}/d/{}", creds.base_url(), token);
             println!("{url}");
@@ -172,31 +193,9 @@ async fn main() -> Result<()> {
             }
         }
 
-        Command::MagicLink { command } => match command {
-            MagicLinkCommand::Host { code, expires } => {
-                magic_link::host(&code, &expires)?;
-            }
-            MagicLinkCommand::List => {
-                magic_link::list()?;
-            }
-        },
-
         Command::Sign { dry_run, command } => {
             sign::run(&command, dry_run)?;
         }
-
-        Command::Key { command } => match command {
-            KeyCommand::Rotate => println!("Key rotation not yet implemented (PLO-58)"),
-            KeyCommand::Revoke => println!("Key revocation not yet implemented (PLO-58)"),
-        },
-
-        Command::Service { command } => match command {
-            ServiceCommand::Install => println!("Service install not yet implemented (PLO-59)"),
-            ServiceCommand::Uninstall => {
-                println!("Service uninstall not yet implemented (PLO-59)")
-            }
-            ServiceCommand::Status => println!("Service status not yet implemented (PLO-59)"),
-        },
     }
 
     Ok(())
diff --git a/src/server.rs b/src/server.rs
index 71d5e08..b7539f8 100644
--- a/src/server.rs
+++ b/src/server.rs
@@ -8,31 +8,67 @@ use axum::{
     Router,
 };
 use serde::Serialize;
-use std::collections::HashMap;
 use std::net::{IpAddr, SocketAddr};
-use std::sync::Arc;
+use std::sync::atomic::Ordering;
 use tower_http::cors::{Any, CorsLayer};
 use tracing::info;
 use zeroize::Zeroizing;
 
+use std::sync::OnceLock;
+
 use crate::config;
 use crate::credentials::Credentials;
 use crate::tls::TlsMode;
 
-const RATE_LIMIT_WINDOW_SECS: i64 = 60;
-const RATE_LIMIT_MAX_REQUESTS: u32 = 10;
-const RATE_LIMIT_MAX_ENTRIES: usize = 10_000;
+/// Global AppState — initialized once via OnceLock instead of Box::leak.
+/// Provides &'static access without leaking heap memory.
+static APP_STATE: OnceLock<AppState> = OnceLock::new();
+
+/// Timeout for DB operations in HTTP handlers. Must exceed SQLite busy_timeout (4s)
+/// so that SQLite returns BUSY cleanly before the task gets force-cancelled.
+const DB_TIMEOUT: std::time::Duration = std::time::Duration::from_secs(5);
+
+const MAX_INPUT_LEN: usize = 256;
+
+/// Circuit breaker cool-down: DB operations rejected for this many seconds after last failure.
+const DB_CIRCUIT_COOLDOWN_SECS: u64 = 60;
+
+fn epoch_secs() -> u64 {
+    config::epoch_secs()
+}
+
+/// Const lookup table for printable ASCII validation.
+/// No branches per byte, cache-friendly, auto-vectorizes on x86_64.
+const ASCII_OK: [bool; 256] = {
+    let mut table = [false; 256];
+    let mut i: usize = 32; // space
+    while i <= 126 {
+        table[i] = true;
+        i += 1;
+    }
+    table
+};
+
+/// Reject inputs with non-printable or non-ASCII characters.
+fn is_valid_input(s: &str) -> bool {
+    !s.is_empty()
+        && s.len() <= MAX_INPUT_LEN
+        && s.bytes().all(|b| ASCII_OK[b as usize])
+}
 
 pub struct AppState {
     pub agent_json_cached: bytes::Bytes,
     pub verifying_key: ed25519_dalek::VerifyingKey,
     /// Zeroized on drop. Derived from the private key via HKDF.
     vault_key: Zeroizing<[u8; 32]>,
-    /// Only lock inside `spawn_blocking` — never hold across an `.await`.
-    pub db: std::sync::Mutex<rusqlite::Connection>,
+    /// Connection pool — use `db_pool.get()` inside `spawn_blocking`.
+    pub db_pool: crate::db::DbPool,
     pub tls_active: bool,
     pub behind_proxy: bool,
-    rate_limiter: std::sync::Mutex<HashMap<IpAddr, (u32, i64)>>,
+    /// In-flight request counter for graceful shutdown drain.
+    in_flight: std::sync::atomic::AtomicUsize,
+    /// Circuit breaker: epoch second of last DB failure. Circuit open if within cooldown.
+    last_db_failure: std::sync::atomic::AtomicU64,
 }
 
 impl AppState {
@@ -40,25 +76,24 @@ impl AppState {
         &self.vault_key
     }
 
-    /// Returns true if the request is within rate limits.
-    pub fn check_rate_limit(&self, ip: IpAddr) -> bool {
-        let now = chrono::Utc::now().timestamp();
-        let mut map = self.rate_limiter.lock().unwrap_or_else(|e| e.into_inner());
-        // Evict stale entries when the map grows too large to prevent memory exhaustion
-        if map.len() >= RATE_LIMIT_MAX_ENTRIES {
-            map.retain(|_, (_, window_start)| now - *window_start <= RATE_LIMIT_WINDOW_SECS);
-        }
-        let entry = map.entry(ip).or_insert((0, now));
-        if now - entry.1 > RATE_LIMIT_WINDOW_SECS {
-            *entry = (1, now);
-            true
-        } else if entry.0 >= RATE_LIMIT_MAX_REQUESTS {
-            false
-        } else {
-            entry.0 += 1;
-            true
+    /// Record a DB failure timestamp. The first request after the cooldown naturally tests the DB.
+    fn record_db_failure(&self) {
+        self.last_db_failure.store(epoch_secs(), Ordering::Relaxed);
+    }
+
+    /// Record a successful DB operation. Clears the circuit breaker.
+    fn record_db_success(&self) {
+        if self.last_db_failure.load(Ordering::Relaxed) != 0 {
+            self.last_db_failure.store(0, Ordering::Relaxed);
         }
     }
+
+    /// Circuit is open if last failure was within the cooldown window.
+    /// No half-open probe needed: the first request after cooldown naturally tests the DB.
+    fn is_db_circuit_open(&self) -> bool {
+        let last = self.last_db_failure.load(Ordering::Relaxed);
+        last != 0 && epoch_secs().saturating_sub(last) < DB_CIRCUIT_COOLDOWN_SECS
+    }
 }
 
 #[derive(Serialize)]
@@ -67,15 +102,28 @@ struct DepositResponse {
     label: String,
 }
 
-#[derive(Serialize)]
-struct MagicLinkResponse {
-    status: &'static str,
-}
-
-/// Max deposit body size: 1 MB
-const MAX_BODY_SIZE: usize = 1024 * 1024;
+/// Max deposit body size: 64 KB — sufficient for secrets, API keys, certs.
+/// Tighter than the original 1MB to limit allocation before input validation.
+const MAX_BODY_SIZE: usize = 64 * 1024;
 
 pub async fn run_server(credentials: Credentials) -> Result<()> {
+    // --- Startup checks ---
+
+    // Warn if log file is getting large (risk of disk-full on vault writes)
+    if let Ok(log_path) = config::log_path() {
+        if let Ok(metadata) = std::fs::metadata(&log_path) {
+            let size_mb = metadata.len() / (1024 * 1024);
+            if size_mb > 100 {
+                tracing::warn!(
+                    "Log file is {size_mb}MB ({}), consider rotating",
+                    log_path.display()
+                );
+            }
+        }
+    }
+
+    // --- State setup ---
+
     let agent_json_path = config::agent_json_path()?;
     let agent_json_cached: bytes::Bytes = std::fs::read_to_string(&agent_json_path)
         .with_context(|| format!("Failed to read agent.json at {}", agent_json_path.display()))?
@@ -83,62 +131,95 @@ pub async fn run_server(credentials: Credentials) -> Result<()> {
 
     let verifying_key = credentials.verifying_key()?;
     let signing_key = credentials.signing_key()?;
-    let mut sk_bytes = Zeroizing::new(signing_key.to_bytes());
+    let sk_bytes = Zeroizing::new(signing_key.to_bytes());
     let vault_key = crate::crypto::vault::derive_vault_key(&sk_bytes)?;
-    sk_bytes.iter_mut().for_each(|b| *b = 0); // belt-and-suspenders
     drop(sk_bytes);
-    let db_conn = crate::db::open()?;
+
+    // Pool size: env override or auto-detect from available parallelism (capped 2..8)
+    let pool_size = std::env::var("ATOMIC_POOL_SIZE")
+        .ok()
+        .and_then(|s| s.parse::<usize>().ok())
+        .filter(|&n| (1..=64).contains(&n))
+        .unwrap_or_else(|| {
+            std::thread::available_parallelism()
+                .map(|n| n.get().clamp(2, 8))
+                .unwrap_or(4)
+        });
+    let db_pool = crate::db::open_pool(pool_size)?;
 
     let addr = SocketAddr::from(([0, 0, 0, 0], credentials.port));
-    let tls_mode = TlsMode::from_credentials(&credentials);
+    let tls_mode = TlsMode::from_credentials(&credentials)?;
 
     let tls_active = !matches!(tls_mode, TlsMode::None);
 
     let behind_proxy = credentials.proxy;
 
-    let state = Arc::new(AppState {
+    APP_STATE.set(AppState {
         agent_json_cached,
         verifying_key,
         vault_key,
-        db: std::sync::Mutex::new(db_conn),
+        db_pool,
         tls_active,
         behind_proxy,
-        rate_limiter: std::sync::Mutex::new(HashMap::with_capacity(256)),
-    });
+        in_flight: std::sync::atomic::AtomicUsize::new(0),
+        last_db_failure: std::sync::atomic::AtomicU64::new(0),
+    }).map_err(|_| anyhow::anyhow!("server already initialized"))?;
+    let state: &'static AppState = APP_STATE.get().unwrap();
 
-    // Background task: clean expired magic links, old deposit nonces, and stale rate limiter entries
-    let db_clone = state.clone();
+    // Background task: hourly cleanup of expired deposit data + PRAGMA optimize.
+    // WAL checkpointing is handled by wal_autocheckpoint=1000 (set in open_connection).
     tokio::spawn(async move {
         loop {
             tokio::time::sleep(std::time::Duration::from_secs(3600)).await;
-            let db_ref = db_clone.clone();
             let _ = tokio::task::spawn_blocking(move || {
-                if let Ok(conn) = db_ref.db.lock() {
-                    let now = chrono::Utc::now().timestamp();
-                    if let Err(e) = conn.execute("DELETE FROM magic_links WHERE expires_at <= ?1", [now]) {
-                        tracing::warn!("Failed to clean expired magic links: {e}");
+                let conn = match state.db_pool.get() {
+                    Ok(c) => c,
+                    Err(e) => {
+                        tracing::warn!("DB cleanup: pool exhausted: {e}");
+                        return;
                     }
-                    let cutoff = now - 7 * 86400;
-                    if let Err(e) = conn.execute("DELETE FROM used_deposits WHERE used_at < ?1", [cutoff]) {
-                        tracing::warn!("Failed to clean old deposit nonces: {e}");
+                };
+                let now = epoch_secs() as i64;
+                let cutoff = now - 7 * 86400;
+                loop {
+                    match conn.execute(
+                        "DELETE FROM used_deposits WHERE nonce IN \
+                         (SELECT nonce FROM used_deposits WHERE used_at < ?1 LIMIT 1000)",
+                        [cutoff],
+                    ) {
+                        Ok(0) => break,
+                        Ok(_) => continue,
+                        Err(e) => { tracing::warn!("Failed to clean old deposit nonces: {e}"); break; }
                     }
                 }
-                // Evict stale rate limiter entries
-                if let Ok(mut map) = db_ref.rate_limiter.lock() {
-                    let now = chrono::Utc::now().timestamp();
-                    map.retain(|_, (_, window_start)| now - *window_start <= RATE_LIMIT_WINDOW_SECS);
+                let log_cutoff = now - 90 * 86400;
+                loop {
+                    match conn.execute(
+                        "DELETE FROM deposit_log WHERE rowid IN \
+                         (SELECT rowid FROM deposit_log WHERE deposited_at < ?1 LIMIT 1000)",
+                        [log_cutoff],
+                    ) {
+                        Ok(0) => break,
+                        Ok(_) => continue,
+                        Err(e) => { tracing::warn!("Failed to clean old deposit log entries: {e}"); break; }
+                    }
                 }
+                // Reclaim pages freed by TTL deletes (auto_vacuum=INCREMENTAL).
+                let _ = conn.execute_batch("PRAGMA incremental_vacuum;");
+                let _ = conn.execute_batch("PRAGMA optimize;");
             }).await;
         }
     });
 
-    // CORS only on the public agent.json endpoint; deposit and magic link
-    // endpoints are called by servers, not browsers, and don't need CORS.
+    // CORS only on the public agent.json endpoint; deposit endpoints
+    // are called by servers, not browsers, and don't need CORS.
     let cors = CorsLayer::new()
         .allow_origin(Any)
         .allow_methods(Any)
         .allow_headers(Any);
 
+    let shutdown_state = state;
+
     let public_routes = Router::new()
         .route("/.well-known/agent.json", get(serve_agent_json))
         .layer(cors);
@@ -147,17 +228,23 @@ pub async fn run_server(credentials: Credentials) -> Result<()> {
         .route("/", get(root_redirect))
         .merge(public_routes)
         .route("/d/{token}", post(handle_deposit))
-        .route("/m/{code}", get(handle_magic_link))
+        .route("/_/health", get(handle_health))
         .fallback(handle_404)
+        .layer(middleware::from_fn_with_state(
+            state,
+            track_in_flight,
+        ))
+        .layer(middleware::from_fn(request_timeout))
         .layer(DefaultBodyLimit::max(MAX_BODY_SIZE))
         .layer(middleware::from_fn_with_state(
-            state.clone(),
+            state,
             security_headers,
         ))
         .with_state(state);
 
     let pid_path = config::pid_path()?;
-    config::write_secure(&pid_path, std::process::id().to_string().as_bytes())?;
+    // Acquire flock — prevents double-start races. Lock released on process exit (even crash).
+    let _pid_lock = config::acquire_pid_lock(&pid_path)?;
 
     match tls_mode {
         TlsMode::None => {
@@ -173,20 +260,15 @@ pub async fn run_server(credentials: Credentials) -> Result<()> {
                 .await
                 .context("Server error")?;
         }
-        TlsMode::Auto { .. } | TlsMode::Custom { .. } => {
-            let is_auto = matches!(tls_mode, TlsMode::Auto { .. });
+        TlsMode::Custom { .. } => {
             let rustls_config = crate::tls::resolve_rustls_config(&tls_mode).await?;
-            if is_auto {
-                crate::tls::spawn_renewal_watcher(rustls_config.clone());
-            }
             let handle = axum_server::Handle::new();
             let shutdown_handle = handle.clone();
             tokio::spawn(async move {
                 shutdown_signal().await;
-                shutdown_handle.graceful_shutdown(Some(std::time::Duration::from_secs(10)));
+                shutdown_handle.graceful_shutdown(Some(std::time::Duration::from_secs(30)));
             });
-            let mode_label = if is_auto { "acme.sh" } else { "custom cert" };
-            info!("Listening on {} (HTTPS/{}, PID {})", addr, mode_label, std::process::id());
+            info!("Listening on {} (HTTPS, PID {})", addr, std::process::id());
             axum_server::bind_rustls(addr, rustls_config)
                 .handle(handle)
                 .serve(app.into_make_service_with_connect_info::<SocketAddr>())
@@ -195,6 +277,51 @@ pub async fn run_server(credentials: Credentials) -> Result<()> {
         }
     }
 
+    // Drain phase: wait for in-flight requests to complete before checkpointing WAL.
+    // The graceful shutdown above stops new connections; this ensures handlers finish.
+    {
+        let drain_start = std::time::Instant::now();
+        let drain_timeout = std::time::Duration::from_secs(30);
+        loop {
+            let remaining = shutdown_state.in_flight.load(Ordering::SeqCst);
+            if remaining == 0 {
+                break;
+            }
+            if drain_start.elapsed() > drain_timeout {
+                tracing::warn!("Drain timeout: {remaining} requests still in-flight");
+                break;
+            }
+            tokio::time::sleep(std::time::Duration::from_millis(100)).await;
+        }
+    }
+
+    // Signal pool to reject new acquisitions and wake any threads waiting on Condvar.
+    shutdown_state.db_pool.shutdown();
+
+    // Final WAL checkpoint after all handlers have drained.
+    // Timeout prevents indefinite hang if the DB is stuck.
+    let checkpoint_result = tokio::time::timeout(
+        std::time::Duration::from_secs(5),
+        tokio::task::spawn_blocking(move || {
+            match shutdown_state.db_pool.get() {
+                Ok(conn) => {
+                    // RESTART checkpoints and resets the WAL header without truncating.
+                    // Safer than TRUNCATE which can block indefinitely if readers exist.
+                    if let Err(e) = conn.execute_batch("PRAGMA wal_checkpoint(RESTART);") {
+                        tracing::warn!("Final WAL RESTART checkpoint failed: {e}, falling back to PASSIVE");
+                        if let Err(e2) = conn.execute_batch("PRAGMA wal_checkpoint(PASSIVE);") {
+                            tracing::warn!("Final WAL PASSIVE checkpoint also failed: {e2}");
+                        }
+                    }
+                }
+                Err(e) => tracing::warn!("Final WAL checkpoint skipped: {e}"),
+            }
+        })
+    ).await;
+    if checkpoint_result.is_err() {
+        tracing::error!("Final WAL checkpoint timed out (5s) — data is consistent but may remain in WAL file");
+    }
+
     let _ = std::fs::remove_file(&pid_path);
     info!("Server stopped");
     Ok(())
@@ -204,7 +331,7 @@ async fn root_redirect() -> Redirect {
     Redirect::temporary("/.well-known/agent.json")
 }
 
-async fn serve_agent_json(State(state): State<Arc<AppState>>) -> Response {
+async fn serve_agent_json(State(state): State<&'static AppState>) -> Response {
     (
         StatusCode::OK,
         [(header::CONTENT_TYPE, "application/json")],
@@ -215,7 +342,7 @@ async fn serve_agent_json(State(state): State<Arc<AppState>>) -> Response {
 
 // Verify the signed token, store the POST body in the vault under the encoded label.
 async fn handle_deposit(
-    State(state): State<Arc<AppState>>,
+    State(state): State<&'static AppState>,
     ConnectInfo(addr): ConnectInfo<SocketAddr>,
     headers: HeaderMap,
     Path(token): Path<String>,
@@ -229,19 +356,41 @@ async fn handle_deposit(
         None => return StatusCode::NOT_FOUND.into_response(),
     };
 
-    if body.is_empty() {
+    // Reject empty body or labels with non-printable/overlong content
+    if body.is_empty() || !is_valid_input(&payload.label) {
         return StatusCode::NOT_FOUND.into_response();
     }
 
-    // Only trust X-Forwarded-For when running behind a known reverse proxy
+    // Circuit breaker: reject immediately if DB is known-broken (disk full, corrupt, etc.)
+    // Returns uniform 404 to prevent information leakage about internal state.
+    if state.is_db_circuit_open() {
+        return StatusCode::NOT_FOUND.into_response();
+    }
+
+    // Only trust X-Forwarded-For when running behind a known reverse proxy.
+    // Parse the rightmost entry as IpAddr to reject spoofed non-IP values.
     let source_ip = if state.behind_proxy {
         headers
             .get("x-forwarded-for")
             .and_then(|v| v.to_str().ok())
-            .and_then(|v| v.rsplit(',').next())
-            .map(|s| s.trim().to_string())
-            .unwrap_or_else(|| addr.ip().to_string())
+            .and_then(|v| {
+                v.rsplit(',')
+                    .next()
+                    .and_then(|s| s.trim().parse::<IpAddr>().ok())
+            })
+            .unwrap_or_else(|| addr.ip())
+            .to_string()
     } else {
+        // Warn once if XFF header is present without proxy mode — likely misconfiguration
+        if headers.contains_key("x-forwarded-for") {
+            tracing::warn_span!("deposit").in_scope(|| {
+                tracing::warn!(
+                    "X-Forwarded-For header present but behind_proxy=false; \
+                     ignoring header and using direct IP. \
+                     If behind a reverse proxy, re-init with --proxy."
+                );
+            });
+        }
         addr.ip().to_string()
     };
     let user_agent = headers
@@ -250,84 +399,96 @@ async fn handle_deposit(
         .unwrap_or("")
         .to_string();
 
-    // DB operations in spawn_blocking.
-    // Access vault_key via the Arc<AppState> reference inside the closure
+    // DB operations in spawn_blocking with timeout to prevent unbounded task accumulation.
+    // Access vault_key via the &'static AppState reference inside the closure
     // to avoid copying the key out of its Zeroizing wrapper.
-    let state_clone = state.clone();
     let body_clone = body;
-    let deposit_result = tokio::task::spawn_blocking(move || {
-        let conn = state_clone.db.lock()
-            .map_err(|e| anyhow::anyhow!("DB mutex poisoned: {e}"))?;
-        crate::deposit::claim_nonce_with_conn(&payload, &conn)?;
-        crate::vault::vault_set_with_conn(&conn, &payload.label, &body_clone, state_clone.vault_key())?;
-        crate::deposit::log_deposit(&conn, &payload.label, &source_ip, &user_agent)?;
-        Ok::<_, anyhow::Error>(payload.label)
-    }).await;
+    let deposit_result = tokio::time::timeout(
+        DB_TIMEOUT,
+        tokio::task::spawn_blocking(move || {
+            let conn = state.db_pool.get()?;
+            crate::deposit::claim_nonce_with_conn(&payload, &conn)?;
+            crate::vault::vault_set_with_conn(&conn, &payload.label, &body_clone, state.vault_key())?;
+            crate::deposit::log_deposit(&conn, &payload.label, &source_ip, &user_agent)?;
+            Ok::<_, anyhow::Error>(payload.label)
+        })
+    ).await;
 
     match deposit_result {
-        Ok(Ok(label)) => {
+        Err(_elapsed) => {
+            tracing::error!("Deposit handler timed out");
+            state.record_db_failure();
+            StatusCode::NOT_FOUND.into_response()
+        }
+        Ok(Ok(Ok(label))) => {
+            state.record_db_success();
             info!("Deposit received: '{label}'");
             let resp = DepositResponse { status: "deposited", label };
             match serde_json::to_string(&resp) {
                 Ok(json) => (StatusCode::OK, [(header::CONTENT_TYPE, "application/json")], json).into_response(),
-                Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
+                Err(_) => StatusCode::NOT_FOUND.into_response(),
             }
         }
-        Ok(Err(e)) => {
-            let err_msg = format!("{e}");
-            if err_msg.contains("replay") || err_msg.contains("Nonce already used") {
-                return StatusCode::NOT_FOUND.into_response();
+        Ok(Ok(Err(e))) => {
+            let msg = e.to_string();
+            if msg.contains("Nonce already used") {
+                tracing::debug!("Deposit replay rejected");
+            } else {
+                tracing::error!("Deposit failed: {e}");
+                state.record_db_failure();
             }
-            tracing::error!("Deposit failed: {}", e);
-            StatusCode::INTERNAL_SERVER_ERROR.into_response()
+            StatusCode::NOT_FOUND.into_response()
         }
-        Err(e) => {
-            tracing::error!("Deposit task panicked: {}", e);
-            StatusCode::INTERNAL_SERVER_ERROR.into_response()
+        Ok(Err(e)) => {
+            tracing::error!("Deposit task panicked: {e}");
+            state.record_db_failure();
+            StatusCode::NOT_FOUND.into_response()
         }
     }
 }
 
-async fn handle_magic_link(
-    State(state): State<Arc<AppState>>,
-    ConnectInfo(addr): ConnectInfo<SocketAddr>,
-    Path(code): Path<String>,
-) -> Response {
-    // Per-IP rate limiting to prevent brute-force of magic link codes
-    if !state.check_rate_limit(addr.ip()) {
-        return StatusCode::TOO_MANY_REQUESTS.into_response();
-    }
-
-    // Reject obviously short codes before touching the DB (host() enforces >= 20 chars)
-    if code.len() < 20 {
-        return StatusCode::NOT_FOUND.into_response();
-    }
-
-    let state_clone = state.clone();
-    let code_clone = code;
-    let result = tokio::task::spawn_blocking(move || {
-        let conn = state_clone.db.lock()
-            .map_err(|e| anyhow::anyhow!("DB mutex poisoned: {e}"))?;
-        Ok::<_, anyhow::Error>(crate::magic_link::claim_with_conn(&code_clone, &conn))
-    }).await;
-
-    match result {
-        Ok(Ok(Some(_))) => {
-            let resp = MagicLinkResponse { status: "verified" };
-            match serde_json::to_string(&resp) {
-                Ok(json) => (StatusCode::OK, [(header::CONTENT_TYPE, "application/json")], json).into_response(),
-                Err(_) => StatusCode::INTERNAL_SERVER_ERROR.into_response(),
+async fn handle_health(State(state): State<&'static AppState>) -> Response {
+    // Check DB is responsive (with timeout)
+    let db_ok = tokio::time::timeout(
+        std::time::Duration::from_secs(3),
+        tokio::task::spawn_blocking({
+            move || match state.db_pool.get() {
+                Ok(conn) => conn.execute_batch("SELECT 1").is_ok(),
+                Err(_) => false,
             }
-        }
-        Ok(Ok(None)) => StatusCode::NOT_FOUND.into_response(),
-        Ok(Err(e)) => {
-            tracing::error!("Magic link DB error: {e}");
-            StatusCode::INTERNAL_SERVER_ERROR.into_response()
-        }
-        Err(e) => {
-            tracing::error!("Magic link task panicked: {e}");
-            StatusCode::INTERNAL_SERVER_ERROR.into_response()
-        }
+        })
+    )
+    .await
+    .ok()
+    .and_then(|r| r.ok())
+    .unwrap_or(false);
+
+    // Check agent.json is valid JSON
+    let agent_ok = serde_json::from_slice::<serde_json::Value>(&state.agent_json_cached).is_ok();
+
+    // Check WAL size is under control (< 50MB)
+    let wal_ok = crate::config::atomic_dir()
+        .map(|d| d.join("atomic.db-wal"))
+        .ok()
+        .and_then(|p| std::fs::metadata(&p).ok())
+        .map(|m| m.len() < 50 * 1024 * 1024)
+        .unwrap_or(true); // WAL not existing is fine
+
+    // Check disk space (>100MB free) to prevent SQLite "disk full" corruption
+    let disk_ok = crate::config::atomic_dir()
+        .ok()
+        .and_then(|d| fs2::available_space(&d).ok())
+        .map(|avail| avail > 100 * 1024 * 1024)
+        .unwrap_or(true); // If we can't check, assume ok
+
+    if db_ok && agent_ok && wal_ok && disk_ok {
+        (StatusCode::OK, [(header::CONTENT_TYPE, "application/json")], r#"{"status":"ok"}"#).into_response()
+    } else {
+        let detail = format!(
+            r#"{{"status":"degraded","db":{},"agent_json":{},"wal_size_ok":{},"disk_space_ok":{}}}"#,
+            db_ok, agent_ok, wal_ok, disk_ok
+        );
+        (StatusCode::SERVICE_UNAVAILABLE, [(header::CONTENT_TYPE, "application/json")], detail).into_response()
     }
 }
 
@@ -335,8 +496,31 @@ async fn handle_404() -> StatusCode {
     StatusCode::NOT_FOUND
 }
 
+/// Track in-flight requests for graceful shutdown drain.
+async fn track_in_flight(
+    State(state): State<&'static AppState>,
+    req: axum::http::Request<axum::body::Body>,
+    next: Next,
+) -> Response {
+    state.in_flight.fetch_add(1, Ordering::Relaxed);
+    let resp = next.run(req).await;
+    state.in_flight.fetch_sub(1, Ordering::Relaxed);
+    resp
+}
+
+/// Global request timeout (30s) — defense-in-depth against slow clients or stuck handlers.
+async fn request_timeout(
+    req: axum::http::Request<axum::body::Body>,
+    next: Next,
+) -> Response {
+    match tokio::time::timeout(std::time::Duration::from_secs(30), next.run(req)).await {
+        Ok(resp) => resp,
+        Err(_) => StatusCode::REQUEST_TIMEOUT.into_response(),
+    }
+}
+
 async fn security_headers(
-    State(state): State<Arc<AppState>>,
+    State(state): State<&'static AppState>,
     req: axum::http::Request<axum::body::Body>,
     next: Next,
 ) -> Response {
@@ -358,6 +542,10 @@ async fn security_headers(
         header::CONTENT_SECURITY_POLICY,
         HeaderValue::from_static("default-src 'none'"),
     );
+    headers.insert(
+        header::X_FRAME_OPTIONS,
+        HeaderValue::from_static("DENY"),
+    );
     if state.tls_active {
         headers.insert(
             header::STRICT_TRANSPORT_SECURITY,
@@ -368,8 +556,25 @@ async fn security_headers(
 }
 
 async fn shutdown_signal() {
-    tokio::signal::ctrl_c()
-        .await
-        .expect("Failed to install CTRL+C handler");
+    #[cfg(unix)]
+    {
+        use tokio::signal::unix::{signal, SignalKind};
+        let mut sigterm = signal(SignalKind::terminate())
+            .expect("Failed to install SIGTERM handler");
+        tokio::select! {
+            r = tokio::signal::ctrl_c() => {
+                if let Err(e) = r {
+                    tracing::error!("CTRL+C handler error: {e}");
+                }
+            }
+            _ = sigterm.recv() => {}
+        }
+    }
+    #[cfg(not(unix))]
+    {
+        tokio::signal::ctrl_c()
+            .await
+            .expect("Failed to install CTRL+C handler");
+    }
     info!("Shutdown signal received");
 }
diff --git a/src/sign.rs b/src/sign.rs
index 00157d2..fe447a9 100644
--- a/src/sign.rs
+++ b/src/sign.rs
@@ -17,7 +17,7 @@ pub fn run(command: &[String], dry_run: bool) -> Result<()> {
     // Extract the request body from the command.
     // Looks for -d/--data/--data-raw and grabs the next arg.
     let body = extract_body(command);
-    let timestamp = chrono::Utc::now().timestamp();
+    let timestamp = crate::config::epoch_secs() as i64;
 
     // Sign: "{timestamp}.{body}"
     let message = format!("{timestamp}.{body}");
diff --git a/src/tls.rs b/src/tls.rs
index 764febe..4032478 100644
--- a/src/tls.rs
+++ b/src/tls.rs
@@ -1,30 +1,25 @@
 use anyhow::{Context, Result};
 use axum_server::tls_rustls::RustlsConfig;
-use std::path::Path;
-use std::process::Command;
-use tracing::{info, warn};
-
-use crate::config;
+use tracing::info;
 
 pub enum TlsMode {
-    Auto { domain: String },
     Custom { cert_path: String, key_path: String },
     None,
 }
 
 impl TlsMode {
-    pub fn from_credentials(creds: &crate::credentials::Credentials) -> Self {
+    pub fn from_credentials(creds: &crate::credentials::Credentials) -> Result<Self> {
         if creds.no_tls {
-            TlsMode::None
+            Ok(TlsMode::None)
         } else if let (Some(cert), Some(key)) = (&creds.tls_cert, &creds.tls_key) {
-            TlsMode::Custom {
+            Ok(TlsMode::Custom {
                 cert_path: cert.clone(),
                 key_path: key.clone(),
-            }
+            })
         } else {
-            TlsMode::Auto {
-                domain: creds.domain.clone(),
-            }
+            anyhow::bail!(
+                "TLS requires --tls-cert and --tls-key, or use --no-tls for plain HTTP"
+            )
         }
     }
 }
@@ -37,198 +32,8 @@ pub async fn resolve_rustls_config(mode: &TlsMode) -> Result<RustlsConfig> {
                 .await
                 .context("Failed to load TLS cert/key")
         }
-        TlsMode::Auto { domain } => {
-            let tls_dir = config::tls_dir()?;
-            std::fs::create_dir_all(&tls_dir)?;
-            let cert_path = tls_dir.join("fullchain.pem");
-            let key_path = tls_dir.join("key.pem");
-
-            if !cert_path.exists() || !key_path.exists() {
-                issue_cert(domain, &tls_dir)?;
-            }
-
-            RustlsConfig::from_pem_file(&cert_path, &key_path)
-                .await
-                .context("Failed to load TLS cert")
-        }
         TlsMode::None => {
             unreachable!("resolve_rustls_config called with TlsMode::None")
         }
     }
 }
-
-// Install acme.sh if not present, issue cert, install to ~/.atomic/tls/
-fn issue_cert(domain: &str, tls_dir: &Path) -> Result<()> {
-    // Defense-in-depth: validate domain even though init.rs already checks
-    if !domain.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '.') {
-        anyhow::bail!("Domain contains invalid characters: {domain}");
-    }
-
-    ensure_acme_sh()?;
-    let acme_sh = acme_sh_path()?;
-
-    info!("Issuing TLS cert for {} via acme.sh", domain);
-
-    // Issue using standalone mode (binds :80 for HTTP-01 challenge)
-    let output = Command::new(&acme_sh)
-        .args([
-            "--issue",
-            "-d", domain,
-            "--standalone",
-            "--server", "letsencrypt",
-        ])
-        .output()
-        .context("Failed to run acme.sh --issue")?;
-
-    if !output.status.success() {
-        let stderr = String::from_utf8_lossy(&output.stderr);
-        let stdout = String::from_utf8_lossy(&output.stdout);
-        // acme.sh returns 2 if cert already exists and is still valid
-        if !stdout.contains("Cert success") && !stderr.contains("already") && output.status.code() != Some(2) {
-            anyhow::bail!(
-                "acme.sh --issue failed (exit {}):\n{}\n{}",
-                output.status,
-                stdout,
-                stderr
-            );
-        }
-    }
-
-    // Install cert files to our tls dir
-    let output = Command::new(&acme_sh)
-        .args([
-            "--install-cert",
-            "-d", domain,
-            "--fullchain-file", &tls_dir.join("fullchain.pem").to_string_lossy(),
-            "--key-file", &tls_dir.join("key.pem").to_string_lossy(),
-        ])
-        .output()
-        .context("Failed to run acme.sh --install-cert")?;
-
-    if !output.status.success() {
-        let stderr = String::from_utf8_lossy(&output.stderr);
-        anyhow::bail!("acme.sh --install-cert failed: {stderr}");
-    }
-
-    info!("TLS cert installed to {}", tls_dir.display());
-    Ok(())
-}
-
-fn ensure_acme_sh() -> Result<()> {
-    if acme_sh_path().is_ok() {
-        return Ok(());
-    }
-
-    info!("Installing acme.sh...");
-    let home = dirs::home_dir().context("No home directory")?;
-    let acme_home = home.join(".acme.sh");
-
-    // Download the script first, then run it with proper argument separation
-    // to avoid shell injection via the home directory path.
-    let download = Command::new("curl")
-        .args(["-fsSL", "https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh"])
-        .output()
-        .context("Failed to download acme.sh. Is curl available?")?;
-
-    if !download.status.success() {
-        let stderr = String::from_utf8_lossy(&download.stderr);
-        anyhow::bail!("Failed to download acme.sh: {stderr}");
-    }
-
-    let output = Command::new("sh")
-        .arg("-s")
-        .arg("--")
-        .arg("--install-online")
-        .arg("--home")
-        .arg(&acme_home)
-        .stdin(std::process::Stdio::piped())
-        .stdout(std::process::Stdio::piped())
-        .stderr(std::process::Stdio::piped())
-        .spawn()
-        .and_then(|mut child| {
-            use std::io::Write;
-            if let Some(ref mut stdin) = child.stdin {
-                stdin.write_all(&download.stdout)?;
-            }
-            child.wait_with_output()
-        })
-        .context("Failed to install acme.sh")?;
-
-    if !output.status.success() {
-        let stderr = String::from_utf8_lossy(&output.stderr);
-        let stdout = String::from_utf8_lossy(&output.stdout);
-        anyhow::bail!(
-            "acme.sh install failed.\n\
-             You can install it manually: curl https://get.acme.sh | sh\n\
-             stdout: {stdout}\n\
-             stderr: {stderr}"
-        );
-    }
-
-    // Verify it's there now
-    acme_sh_path().context(
-        "acme.sh installed but not found. Try installing manually: curl https://get.acme.sh | sh"
-    )?;
-    info!("acme.sh installed");
-    Ok(())
-}
-
-fn acme_sh_path() -> Result<std::path::PathBuf> {
-    // Check common locations
-    let home = dirs::home_dir().context("No home directory")?;
-    let candidates = [
-        home.join(".acme.sh/acme.sh"),
-        std::path::PathBuf::from("/usr/local/bin/acme.sh"),
-    ];
-
-    for path in &candidates {
-        if path.exists() {
-            return Ok(path.clone());
-        }
-    }
-
-    // Try PATH
-    let output = Command::new("which")
-        .arg("acme.sh")
-        .output();
-
-    if let Ok(output) = output {
-        if output.status.success() {
-            let path = String::from_utf8_lossy(&output.stdout).trim().to_string();
-            if !path.is_empty() {
-                return Ok(std::path::PathBuf::from(path));
-            }
-        }
-    }
-
-    anyhow::bail!("acme.sh not found")
-}
-
-// acme.sh sets up its own cron job for renewal. But if atomic manages the server,
-// we should reload the cert when acme.sh renews it. This task checks every 12h.
-pub fn spawn_renewal_watcher(rustls_config: RustlsConfig) {
-    let check_interval = std::time::Duration::from_secs(12 * 3600);
-
-    tokio::spawn(async move {
-        loop {
-            tokio::time::sleep(check_interval).await;
-
-            let tls_dir = match config::tls_dir() {
-                Ok(d) => d,
-                Err(e) => {
-                    warn!("Cert reload check failed: {}", e);
-                    continue;
-                }
-            };
-
-            let cert_path = tls_dir.join("fullchain.pem");
-            let key_path = tls_dir.join("key.pem");
-
-            // Hot-reload: if acme.sh renewed the cert on disk, pick it up
-            match rustls_config.reload_from_pem_file(&cert_path, &key_path).await {
-                Ok(()) => info!("TLS cert reloaded"),
-                Err(e) => warn!("TLS cert reload failed: {}", e),
-            }
-        }
-    });
-}
diff --git a/src/vault.rs b/src/vault.rs
index 3eec866..e1c8a51 100644
--- a/src/vault.rs
+++ b/src/vault.rs
@@ -1,15 +1,16 @@
 use anyhow::{bail, Context, Result};
+use zeroize::Zeroizing;
 
 use crate::crypto::vault as crypto_vault;
 use crate::db;
 
 pub fn vault_set_with_conn(conn: &rusqlite::Connection, label: &str, value: &str, vault_key: &[u8; 32]) -> Result<()> {
     let encrypted = crypto_vault::encrypt(vault_key, value.as_bytes())?;
-    conn.execute(
+    conn.prepare_cached(
         "INSERT OR REPLACE INTO vault_secrets (label, value) VALUES (?1, ?2)",
+    )?.execute(
         rusqlite::params![label, encrypted],
-    )
-    .context("Failed to store secret")?;
+    ).context("Failed to store secret")?;
     Ok(())
 }
 
@@ -18,7 +19,7 @@ pub fn vault_set(label: &str, value: &str, vault_key: &[u8; 32]) -> Result<()> {
     vault_set_with_conn(&conn, label, value, vault_key)
 }
 
-pub fn vault_get(label: &str, vault_key: &[u8; 32]) -> Result<Option<String>> {
+pub fn vault_get(label: &str, vault_key: &[u8; 32]) -> Result<Option<Zeroizing<Box<str>>>> {
     let conn = db::open()?;
     let mut stmt = conn
         .prepare("SELECT value FROM vault_secrets WHERE label = ?1")
@@ -31,7 +32,14 @@ pub fn vault_get(label: &str, vault_key: &[u8; 32]) -> Result<Option<String>> {
     match result {
         Some(encrypted) => {
             let plaintext = crypto_vault::decrypt(vault_key, &encrypted)?;
-            let value = String::from_utf8(plaintext).context("Vault value is not valid UTF-8")?;
+            // Box<str> is 2 words (ptr, len) vs String's 3 (ptr, len, cap).
+            // No slack capacity means zeroize wipes exactly the used bytes.
+            let value = Zeroizing::new(
+                std::str::from_utf8(&plaintext)
+                    .context("Vault value is not valid UTF-8")?
+                    .to_string()
+                    .into_boxed_str(),
+            );
             Ok(Some(value))
         }
         None => Ok(None),
@@ -71,9 +79,16 @@ pub fn vault_count() -> Result<usize> {
     Ok(count as usize)
 }
 
+/// Reject labels with non-printable characters or excessive length.
+fn is_valid_label(s: &str) -> bool {
+    !s.is_empty()
+        && s.len() <= 256
+        && s.bytes().all(|b| b >= 0x20 && b != 0x7F)
+}
+
 pub fn cmd_set(label: &str, value: &str, vault_key: &[u8; 32]) -> Result<()> {
-    if label.is_empty() || label.len() > 256 {
-        bail!("Label must be non-empty and at most 256 characters");
+    if !is_valid_label(label) {
+        bail!("Label must be non-empty, at most 256 printable characters");
     }
     vault_set(label, value, vault_key)?;
     println!("Stored '{label}'");
@@ -83,7 +98,7 @@ pub fn cmd_set(label: &str, value: &str, vault_key: &[u8; 32]) -> Result<()> {
 pub fn cmd_get(label: &str, vault_key: &[u8; 32]) -> Result<()> {
     match vault_get(label, vault_key)? {
         Some(value) => {
-            print!("{value}"); // no trailing newline, so it works in $()
+            print!("{}", &*value); // no trailing newline, so it works in $()
             Ok(())
         }
         None => bail!("Label '{label}' not found in vault"),
@@ -136,7 +151,7 @@ mod tests {
         let mut stmt = conn.prepare("SELECT value FROM vault_secrets WHERE label = ?1").unwrap();
         let encrypted: Vec<u8> = stmt.query_row(["api_key"], |row| row.get(0)).unwrap();
         let decrypted = cv::decrypt(&key, &encrypted).unwrap();
-        assert_eq!(String::from_utf8(decrypted).unwrap(), "sk-12345");
+        assert_eq!(std::str::from_utf8(&decrypted).unwrap(), "sk-12345");
     }
 
     #[test]
@@ -148,7 +163,7 @@ mod tests {
         let mut stmt = conn.prepare("SELECT value FROM vault_secrets WHERE label = ?1").unwrap();
         let encrypted: Vec<u8> = stmt.query_row(["k"], |row| row.get(0)).unwrap();
         let decrypted = cv::decrypt(&key, &encrypted).unwrap();
-        assert_eq!(String::from_utf8(decrypted).unwrap(), "v2");
+        assert_eq!(std::str::from_utf8(&decrypted).unwrap(), "v2");
     }
 
     #[test]