diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index e376fad..78bd096 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -7,6 +7,7 @@
 #
 # @Fieldnote-Echo — repository owner (admin)
 # @project-navi-bot — write collaborator
+# @toadkicker — write collaborator
 # Default owners for everything in the repo.
-* @Fieldnote-Echo @project-navi-bot
+* @Fieldnote-Echo @project-navi-bot @toadkicker
diff --git a/.github/workflows/coverage-python.yml b/.github/workflows/coverage-python.yml
index 4ec1299..8829e2c 100644
--- a/.github/workflows/coverage-python.yml
+++ b/.github/workflows/coverage-python.yml
@@ -10,7 +10,8 @@ name: coverage-python
 # line. Informational like the core coverage job: no floor yet (the FFI glue
 # has guard branches unreachable on 64-bit, e.g. the usize-overflow arms), and
 # fail_ci_if_error is false so a failed or absent upload never blocks a PR.
-# The upload runs without credentials (supported for public repos).
+# The upload uses OIDC so Codecov authenticates the current GitHub repository
+# identity after transfers instead of depending on a repo-token slug.
 on:
 push:
 branches: [main]
@@ -42,6 +43,7 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: read
+ id-token: write # authenticate Codecov upload to the current repo via OIDC
 steps:
 - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
@@ -85,3 +87,4 @@ jobs:
 files: binding-lcov.info
 flags: python-binding
 fail_ci_if_error: false
+ use_oidc: true
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index f732e13..529ab59 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -24,6 +24,7 @@ jobs:
 runs-on: ubuntu-24.04
 permissions:
 contents: read
+ id-token: write # authenticate Codecov upload to the current repo via OIDC
 env:
 SDE_VERSION: sde-external-10.8.0-2026-03-15-lin
 SDE_SHA256: 50b320cd226acef7a491f5b321fc1be3c3c7984f9e27a456e64894b5b0979dd3
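Review bot: In `.github/CODEOWNERS`, the widened `*` rule makes @toadkicker a code owner of every path, which includes `.github/workflows/` and the CODEOWNERS file itself. If branch protection requires code-owner review (not visible in this diff), any one of the three listed accounts can now satisfy it for workflow changes, and two workflows in this same commit gain `id-token: write`. Because the last matching pattern takes precedence, a narrower rule placed after the default, for example `/.github/ @Fieldnote-Echo`, would keep CI and ownership changes under the admin's review while the rest of the tree stays shared.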
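Review bot: In `coverage-python.yml` (`@@ -42,6 +43,7 @@`), `id-token: write` is granted for the whole job, so every step in it can request an OIDC token for this repository, not only the Codecov upload. The same applies to the `@@ -24,6 +24,7 @@` hunk in `coverage.yml`, whose job also sets `SDE_VERSION`/`SDE_SHA256` and so presumably runs a downloaded binary. GitHub Actions has no per-step permissions, so the least-privilege form is to pass the lcov file to a small upload-only job that alone holds `id-token: write`. The job body starts and ends outside the hunk, so the job id and action pins below are labelled placeholders.

```yaml
# … unchanged: coverage job with `permissions: contents: read` only, Codecov step removed …
      - uses: actions/upload-artifact@<PINNED_SHA>  # placeholder: pin by SHA as elsewhere in the repo
        with:
          name: binding-lcov
          path: binding-lcov.info

  upload:
    needs: <COVERAGE_JOB_ID>  # placeholder: the job id is outside this hunk
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # only this job can mint an OIDC token
    steps:
      # … harden-runner and checkout as in the coverage job, if the upload needs the source tree …
      - uses: actions/download-artifact@<PINNED_SHA>  # placeholder
        with:
          name: binding-lcov
      # … unchanged: Codecov upload step with use_oidc: true …
```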
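Review bot: In `coverage-python.yml` (`@@ -85,3 +87,4 @@`), `use_oidc: true` sits next to `fail_ci_if_error: false`, so an upload that cannot obtain an OIDC token fails without turning the job red. That matters for pull requests from forks, where GitHub does not grant `id-token: write`; whether this workflow runs on such events is outside the visible `on:` lines, and the upload step's `uses:` line is outside the hunk as well, so how the action version in use behaves there is worth checking. The rewritten header comment no longer says what happens without credentials; a line such as `# Fork PRs cannot mint an OIDC token; their upload may be skipped or fail without blocking.` would document it. The `@@ -110,4 +111,4 @@` hunk in `coverage.yml` has the same pairing.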
@@ -110,4 +111,4 @@ jobs:
 with:
 files: lcov.info
 fail_ci_if_error: false
- token: ${{ secrets.CODECOV_TOKEN }}
+ use_oidc: true
diff --git a/README.md b/README.md
index beb923b..b875fba 100644
--- a/README.md
+++ b/README.md
@@ -501,6 +501,10 @@ zero-system-dependency crate. is credited as the project it grew within, with thanks; ordvec's development history is in this repository's git log.
+The ordvec project is jointly maintained by
+[@Project-Navi](https://github.com/Project-Navi) and
+[@Baur-Software](https://github.com/Baur-Software).
+
 ## Acknowledgements
 Thanks to Todd Baur ([@toadkicker](https://github.com/toadkicker)) for the
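Review bot: In `coverage.yml` (`@@ -110,4 +111,4 @@`), dropping `token: ${{ secrets.CODECOV_TOKEN }}` leaves the `CODECOV_TOKEN` repository secret unreferenced by this workflow but still stored. A long-lived upload token that nothing reads is only exposure, so once this merges and no other workflow references it, the secret should be deleted in the repository settings and the token revoked on the Codecov side. A header comment such as `# Upload authenticates via OIDC; CODECOV_TOKEN is no longer read by this workflow.` would record that for the next maintainer. The upload step begins outside the hunk.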