diff --git a/.gitignore b/.gitignore
index e1e6ed0e0..38b0fc282 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@ bin/gstack-global-discover
 .claude/skills/
 .agents/
 .context/
+extension/.auth.json
 .gstack-worktrees/
 /tmp/
 *.log
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1a5b925fd..24b7111a5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,24 @@
 # Changelog
 
+## [0.13.1.0] - 2026-03-28 — Defense in Depth
+
+The browse server runs on localhost and requires a token for access, so these issues only matter if a malicious process is already running on your machine (e.g., a compromised npm postinstall script). This release hardens the attack surface so that even in that scenario, the damage is contained.
+
+### Fixed
+
+- **Auth token removed from `/health` endpoint.** Token now distributed via `.auth.json` file (0o600 permissions) instead of an unauthenticated HTTP response.
+- **Cookie picker data routes now require Bearer auth.** The HTML picker page is still open (it's the UI shell), but all data and action endpoints check the token.
+- **CORS tightened on `/refs` and `/activity/*`.** Removed wildcard origin header so websites can't read browse activity cross-origin.
+- **State files auto-expire after 7 days.** Cookie state files now include a timestamp and warn on load if stale. Server startup cleans up files older than 7 days.
+- **Extension uses `textContent` instead of `innerHTML`.** Prevents DOM injection if server-provided data ever contained markup. Standard defense-in-depth for browser extensions.
+- **Path validation resolves symlinks before boundary checks.** `validateReadPath` now calls `realpathSync` and handles macOS `/tmp` symlink correctly.
+- **Freeze hook uses portable path resolution.** POSIX-compatible (works on macOS without coreutils), fixes edge case where `/project-evil` could match a freeze boundary set to `/project`.
+- **Shell config scripts validate input.** `gstack-config` rejects regex-special keys and escapes sed patterns. `gstack-telemetry-log` sanitizes branch/repo names in JSON output.
+
+### Added
+
+- 20 regression tests covering all hardening changes.
+
 ## [0.13.0.0] - 2026-03-27 — Your Agent Can Design Now
 
 gstack can generate real UI mockups. Not ASCII art, not text descriptions of hex codes, real visual designs you can look at, compare, pick from, and iterate on. Run `/office-hours` on a UI idea and you'll get 3 visual concepts in Chrome with a comparison board where you pick your favorite, rate the others, and tell the agent what to change.
diff --git a/VERSION b/VERSION
index b6963e15b..883dcff5e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.13.0.0
+0.13.1.0
diff --git a/bin/gstack-config b/bin/gstack-config
index 1147adddb..821a342a7 100755
--- a/bin/gstack-config
+++ b/bin/gstack-config
@@ -16,16 +16,28 @@ CONFIG_FILE="$STATE_DIR/config.yaml"
 case "${1:-}" in
   get)
     KEY="${2:?Usage: gstack-config get <key>}"
-    grep -E "^${KEY}:" "$CONFIG_FILE" 2>/dev/null | tail -1 | awk '{print $2}' | tr -d '[:space:]' || true
+    # Validate key (alphanumeric + underscore only)
+    if ! printf '%s' "$KEY" | grep -qE '^[a-zA-Z0-9_]+$'; then
+      echo "Error: key must contain only alphanumeric characters and underscores" >&2
+      exit 1
+    fi
+    grep -F "${KEY}:" "$CONFIG_FILE" 2>/dev/null | tail -1 | awk '{print $2}' | tr -d '[:space:]' || true
     ;;
   set)
     KEY="${2:?Usage: gstack-config set <key> <value>}"
     VALUE="${3:?Usage: gstack-config set <key> <value>}"
+    # Validate key (alphanumeric + underscore only)
+    if ! printf '%s' "$KEY" | grep -qE '^[a-zA-Z0-9_]+$'; then
+      echo "Error: key must contain only alphanumeric characters and underscores" >&2
+      exit 1
+    fi
     mkdir -p "$STATE_DIR"
-    if grep -qE "^${KEY}:" "$CONFIG_FILE" 2>/dev/null; then
+    # Escape sed special chars in value and drop embedded newlines
+    ESC_VALUE="$(printf '%s' "$VALUE" | head -1 | sed 's/[&/\]/\\&/g')"
+    if grep -qF "${KEY}:" "$CONFIG_FILE" 2>/dev/null; then
       # Portable in-place edit (BSD sed uses -i '', GNU sed uses -i without arg)
       _tmpfile="$(mktemp "${CONFIG_FILE}.XXXXXX")"
-      sed "s/^${KEY}:.*/${KEY}: ${VALUE}/" "$CONFIG_FILE" > "$_tmpfile" && mv "$_tmpfile" "$CONFIG_FILE"
+      sed "s/^${KEY}:.*/${KEY}: ${ESC_VALUE}/" "$CONFIG_FILE" > "$_tmpfile" && mv "$_tmpfile" "$CONFIG_FILE"
     else
       echo "${KEY}: ${VALUE}" >> "$CONFIG_FILE"
     fi
diff --git a/bin/gstack-telemetry-log b/bin/gstack-telemetry-log
index da371c38b..93db82077 100755
--- a/bin/gstack-telemetry-log
+++ b/bin/gstack-telemetry-log
@@ -158,6 +158,8 @@ OUTCOME="$(json_safe "$OUTCOME")"
 SESSION_ID="$(json_safe "$SESSION_ID")"
 SOURCE="$(json_safe "$SOURCE")"
 EVENT_TYPE="$(json_safe "$EVENT_TYPE")"
+REPO_SLUG="$(json_safe "$REPO_SLUG")"
+BRANCH="$(json_safe "$BRANCH")"
 
 # Escape null fields — sanitize ERROR_CLASS and FAILED_STEP via json_safe()
 ERR_FIELD="null"
diff --git a/browse/src/browser-manager.ts b/browse/src/browser-manager.ts
index 1ef58e36a..a6eda991b 100644
--- a/browse/src/browser-manager.ts
+++ b/browse/src/browser-manager.ts
@@ -211,7 +211,7 @@ export class BrowserManager {
    * The browser launches headed with a visible window — the user sees
    * every action Claude takes in real time.
    */
-  async launchHeaded(): Promise<void> {
+  async launchHeaded(authToken?: string): Promise<void> {
     // Clear old state before repopulating
     this.pages.clear();
     this.refMap.clear();
@@ -223,6 +223,17 @@ export class BrowserManager {
     if (extensionPath) {
       launchArgs.push(`--disable-extensions-except=${extensionPath}`);
       launchArgs.push(`--load-extension=${extensionPath}`);
+      // Write auth token for extension bootstrap (read via chrome.runtime.getURL)
+      if (authToken) {
+        const fs = require('fs');
+        const path = require('path');
+        const authFile = path.join(extensionPath, '.auth.json');
+        try {
+          fs.writeFileSync(authFile, JSON.stringify({ token: authToken }), { mode: 0o600 });
+        } catch (err: any) {
+          console.warn(`[browse] Could not write .auth.json: ${err.message}`);
+        }
+      }
     }
 
     // Launch headed Chromium via Playwright's persistent context.
@@ -751,6 +762,20 @@ export class BrowserManager {
       if (extensionPath) {
         launchArgs.push(`--disable-extensions-except=${extensionPath}`);
         launchArgs.push(`--load-extension=${extensionPath}`);
+        // Write auth token for extension bootstrap during handoff
+        if (this.serverPort) {
+          try {
+            const { resolveConfig } = require('./config');
+            const config = resolveConfig();
+            const stateFile = path.join(config.stateDir, 'browse.json');
+            if (fs.existsSync(stateFile)) {
+              const stateData = JSON.parse(fs.readFileSync(stateFile, 'utf-8'));
+              if (stateData.token) {
+                fs.writeFileSync(path.join(extensionPath, '.auth.json'), JSON.stringify({ token: stateData.token }), { mode: 0o600 });
+              }
+            }
+          } catch {}
+        }
         console.log(`[browse] Handoff: loading extension from ${extensionPath}`);
       } else {
         console.log('[browse] Handoff: extension not found — headed mode without side panel');
diff --git a/browse/src/cookie-picker-routes.ts b/browse/src/cookie-picker-routes.ts
index 0e6972484..f36a66600 100644
--- a/browse/src/cookie-picker-routes.ts
+++ b/browse/src/cookie-picker-routes.ts
@@ -53,6 +53,7 @@ export async function handleCookiePickerRoute(
   url: URL,
   req: Request,
   bm: BrowserManager,
+  authToken?: string,
 ): Promise<Response> {
   const pathname = url.pathname;
   const port = parseInt(url.port, 10) || 9400;
@@ -64,7 +65,7 @@ export async function handleCookiePickerRoute(
       headers: {
         'Access-Control-Allow-Origin': corsOrigin(port),
         'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
-        'Access-Control-Allow-Headers': 'Content-Type',
+        'Access-Control-Allow-Headers': 'Content-Type, Authorization',
       },
     });
   }
@@ -72,13 +73,24 @@ export async function handleCookiePickerRoute(
   try {
     // GET /cookie-picker — serve the picker UI
     if (pathname === '/cookie-picker' && req.method === 'GET') {
-      const html = getCookiePickerHTML(port);
+      const html = getCookiePickerHTML(port, authToken);
       return new Response(html, {
         status: 200,
         headers: { 'Content-Type': 'text/html; charset=utf-8' },
       });
     }
 
+    // ─── Auth gate: all data/action routes below require Bearer token ───
+    if (authToken) {
+      const authHeader = req.headers.get('authorization');
+      if (!authHeader || authHeader !== `Bearer ${authToken}`) {
+        return new Response(JSON.stringify({ error: 'Unauthorized' }), {
+          status: 401,
+          headers: { 'Content-Type': 'application/json' },
+        });
+      }
+    }
+
     // GET /cookie-picker/browsers — list installed browsers
     if (pathname === '/cookie-picker/browsers' && req.method === 'GET') {
       const browsers = findInstalledBrowsers();
diff --git a/browse/src/cookie-picker-ui.ts b/browse/src/cookie-picker-ui.ts
index 381cf2e2f..70faa5621 100644
--- a/browse/src/cookie-picker-ui.ts
+++ b/browse/src/cookie-picker-ui.ts
@@ -7,7 +7,7 @@
  * No cookie values exposed anywhere.
  */
 
-export function getCookiePickerHTML(serverPort: number): string {
+export function getCookiePickerHTML(serverPort: number, authToken?: string): string {
   const baseUrl = `http://127.0.0.1:${serverPort}`;
 
   return `<!DOCTYPE html>
@@ -330,6 +330,7 @@ export function getCookiePickerHTML(serverPort: number): string {
 <script>
 (function() {
   const BASE = '${baseUrl}';
+  const AUTH_TOKEN = '${authToken || ''}';
   let activeBrowser = null;
   let activeProfile = 'Default';
   let allProfiles = [];
@@ -372,7 +373,9 @@ export function getCookiePickerHTML(serverPort: number): string {
 
   // ─── API ────────────────────────────────
   async function api(path, opts) {
-    const res = await fetch(BASE + '/cookie-picker' + path, opts);
+    const headers = { ...(opts?.headers || {}) };
+    if (AUTH_TOKEN) headers['Authorization'] = 'Bearer ' + AUTH_TOKEN;
+    const res = await fetch(BASE + '/cookie-picker' + path, { ...opts, headers });
     const data = await res.json();
     if (!res.ok) {
       const err = new Error(data.error || 'Request failed');
diff --git a/browse/src/meta-commands.ts b/browse/src/meta-commands.ts
index 99a188435..b8325738c 100644
--- a/browse/src/meta-commands.ts
+++ b/browse/src/meta-commands.ts
@@ -474,11 +474,12 @@ export async function handleMetaCommand(
         // V1: cookies + URLs only (not localStorage — breaks on load-before-navigate)
         const saveData = {
           version: 1,
+          savedAt: new Date().toISOString(),
           cookies: state.cookies,
           pages: state.pages.map(p => ({ url: p.url, isActive: p.isActive })),
         };
         fs.writeFileSync(statePath, JSON.stringify(saveData, null, 2), { mode: 0o600 });
-        return `State saved: ${statePath} (${state.cookies.length} cookies, ${state.pages.length} pages — treat as sensitive)`;
+        return `State saved: ${statePath} (${state.cookies.length} cookies, ${state.pages.length} pages)\n⚠️  Cookies stored in plaintext. Delete when no longer needed.`;
       }
 
       if (action === 'load') {
@@ -487,6 +488,14 @@ export async function handleMetaCommand(
         if (!Array.isArray(data.cookies) || !Array.isArray(data.pages)) {
           throw new Error('Invalid state file: expected cookies and pages arrays');
         }
+        // Warn on state files older than 7 days
+        if (data.savedAt) {
+          const ageMs = Date.now() - new Date(data.savedAt).getTime();
+          const SEVEN_DAYS = 7 * 24 * 60 * 60 * 1000;
+          if (ageMs > SEVEN_DAYS) {
+            console.warn(`[browse] Warning: State file is ${Math.round(ageMs / 86400000)} days old. Consider re-saving.`);
+          }
+        }
         // Close existing pages, then restore (replace, not merge)
         bm.setFrame(null);
         await bm.closeAllPages();
diff --git a/browse/src/read-commands.ts b/browse/src/read-commands.ts
index 802c3813b..5615b60f0 100644
--- a/browse/src/read-commands.ts
+++ b/browse/src/read-commands.ts
@@ -37,19 +37,34 @@ function wrapForEvaluate(code: string): string {
 }
 
 // Security: Path validation to prevent path traversal attacks
-const SAFE_DIRECTORIES = [TEMP_DIR, process.cwd()];
+// Resolve safe directories through realpathSync to handle symlinks (e.g., macOS /tmp → /private/tmp)
+const SAFE_DIRECTORIES = [TEMP_DIR, process.cwd()].map(d => {
+  try { return fs.realpathSync(d); } catch { return d; }
+});
 
 export function validateReadPath(filePath: string): void {
-  if (path.isAbsolute(filePath)) {
-    const resolved = path.resolve(filePath);
-    const isSafe = SAFE_DIRECTORIES.some(dir => isPathWithin(resolved, dir));
-    if (!isSafe) {
-      throw new Error(`Absolute path must be within: ${SAFE_DIRECTORIES.join(', ')}`);
+  // Always resolve to absolute first (fixes relative path symlink bypass)
+  const resolved = path.resolve(filePath);
+  // Resolve symlinks — throw on non-ENOENT errors
+  let realPath: string;
+  try {
+    realPath = fs.realpathSync(resolved);
+  } catch (err: any) {
+    if (err.code === 'ENOENT') {
+      // File doesn't exist — resolve directory part for symlinks (e.g., /tmp → /private/tmp)
+      try {
+        const dir = fs.realpathSync(path.dirname(resolved));
+        realPath = path.join(dir, path.basename(resolved));
+      } catch {
+        realPath = resolved;
+      }
+    } else {
+      throw new Error(`Cannot resolve real path: ${filePath} (${err.code})`);
     }
   }
-  const normalized = path.normalize(filePath);
-  if (normalized.includes('..')) {
-    throw new Error('Path traversal sequences (..) are not allowed');
+  const isSafe = SAFE_DIRECTORIES.some(dir => isPathWithin(realPath, dir));
+  if (!isSafe) {
+    throw new Error(`Path must be within: ${SAFE_DIRECTORIES.join(', ')}`);
   }
 }
 
diff --git a/browse/src/server.ts b/browse/src/server.ts
index 00e4393a0..dca380409 100644
--- a/browse/src/server.ts
+++ b/browse/src/server.ts
@@ -805,7 +805,7 @@ async function start() {
   if (!skipBrowser) {
     const headed = process.env.BROWSE_HEADED === '1';
     if (headed) {
-      await browserManager.launchHeaded();
+      await browserManager.launchHeaded(AUTH_TOKEN);
       console.log(`[browse] Launched headed Chromium with extension`);
     } else {
       await browserManager.launch();
@@ -819,9 +819,9 @@ async function start() {
     fetch: async (req) => {
       const url = new URL(req.url);
 
-      // Cookie picker routes — no auth required (localhost-only)
+      // Cookie picker routes — HTML page unauthenticated, data/action routes require auth
       if (url.pathname.startsWith('/cookie-picker')) {
-        return handleCookiePickerRoute(url, req, browserManager);
+        return handleCookiePickerRoute(url, req, browserManager, AUTH_TOKEN);
       }
 
       // Health check — no auth required, does NOT reset idle timer
@@ -833,7 +833,7 @@ async function start() {
           uptime: Math.floor((Date.now() - startTime) / 1000),
           tabs: browserManager.getTabCount(),
           currentUrl: browserManager.getCurrentUrl(),
-          token: AUTH_TOKEN,  // Extension uses this for Bearer auth
+          // token removed — see .auth.json for extension bootstrap
           chatEnabled: true,
           agent: {
             status: agentStatus,
@@ -848,8 +848,14 @@ async function start() {
         });
       }
 
-      // Refs endpoint — no auth required (localhost-only), does NOT reset idle timer
+      // Refs endpoint — auth required, does NOT reset idle timer
       if (url.pathname === '/refs') {
+        if (!validateAuth(req)) {
+          return new Response(JSON.stringify({ error: 'Unauthorized' }), {
+            status: 401,
+            headers: { 'Content-Type': 'application/json' },
+          });
+        }
         const refs = browserManager.getRefMap();
         return new Response(JSON.stringify({
           refs,
@@ -857,15 +863,20 @@ async function start() {
           mode: browserManager.getConnectionMode(),
         }), {
           status: 200,
-          headers: {
-            'Content-Type': 'application/json',
-            'Access-Control-Allow-Origin': '*',
-          },
+          headers: { 'Content-Type': 'application/json' },
         });
       }
 
-      // Activity stream — SSE, no auth (localhost-only), does NOT reset idle timer
+      // Activity stream — SSE, auth required, does NOT reset idle timer
       if (url.pathname === '/activity/stream') {
+        // Inline auth: accept Bearer header OR ?token= query param (EventSource can't send headers)
+        const streamToken = url.searchParams.get('token');
+        if (!validateAuth(req) && streamToken !== AUTH_TOKEN) {
+          return new Response(JSON.stringify({ error: 'Unauthorized' }), {
+            status: 401,
+            headers: { 'Content-Type': 'application/json' },
+          });
+        }
         const afterId = parseInt(url.searchParams.get('after') || '0', 10);
         const encoder = new TextEncoder();
 
@@ -913,21 +924,23 @@ async function start() {
             'Content-Type': 'text/event-stream',
             'Cache-Control': 'no-cache',
             'Connection': 'keep-alive',
-            'Access-Control-Allow-Origin': '*',
           },
         });
       }
 
-      // Activity history — REST, no auth (localhost-only), does NOT reset idle timer
+      // Activity history — REST, auth required, does NOT reset idle timer
       if (url.pathname === '/activity/history') {
+        if (!validateAuth(req)) {
+          return new Response(JSON.stringify({ error: 'Unauthorized' }), {
+            status: 401,
+            headers: { 'Content-Type': 'application/json' },
+          });
+        }
         const limit = parseInt(url.searchParams.get('limit') || '50', 10);
         const { entries, totalAdded } = getActivityHistory(limit);
         return new Response(JSON.stringify({ entries, totalAdded, subscribers: getSubscriberCount() }), {
           status: 200,
-          headers: {
-            'Content-Type': 'application/json',
-            'Access-Control-Allow-Origin': '*',
-          },
+          headers: { 'Content-Type': 'application/json' },
         });
       }
 
@@ -1139,6 +1152,23 @@ async function start() {
   fs.renameSync(tmpFile, config.stateFile);
 
   browserManager.serverPort = port;
+
+  // Clean up stale state files (older than 7 days)
+  try {
+    const stateDir = path.join(config.stateDir, 'browse-states');
+    if (fs.existsSync(stateDir)) {
+      const SEVEN_DAYS = 7 * 24 * 60 * 60 * 1000;
+      for (const file of fs.readdirSync(stateDir)) {
+        const filePath = path.join(stateDir, file);
+        const stat = fs.statSync(filePath);
+        if (Date.now() - stat.mtimeMs > SEVEN_DAYS) {
+          fs.unlinkSync(filePath);
+          console.log(`[browse] Deleted stale state file: ${file}`);
+        }
+      }
+    }
+  } catch {}
+
   console.log(`[browse] Server running on http://127.0.0.1:${port} (PID: ${process.pid})`);
   console.log(`[browse] State file: ${config.stateFile}`);
   console.log(`[browse] Idle timeout: ${IDLE_TIMEOUT_MS / 1000}s`);
diff --git a/browse/src/sidebar-agent.ts b/browse/src/sidebar-agent.ts
index 6eb2cebbb..ecce778ee 100644
--- a/browse/src/sidebar-agent.ts
+++ b/browse/src/sidebar-agent.ts
@@ -66,10 +66,11 @@ function writeToInbox(message: string, pageUrl?: string, sessionId?: string): vo
 // ─── Auth ────────────────────────────────────────────────────────
 
 async function refreshToken(): Promise<string | null> {
+  // Read token from state file (same-user, mode 0o600) instead of /health
   try {
-    const resp = await fetch(`${SERVER_URL}/health`, { signal: AbortSignal.timeout(3000) });
-    if (!resp.ok) return null;
-    const data = await resp.json() as any;
+    const stateFile = process.env.BROWSE_STATE_FILE ||
+      path.join(process.env.HOME || '/tmp', '.gstack', 'browse.json');
+    const data = JSON.parse(fs.readFileSync(stateFile, 'utf-8'));
     authToken = data.token || null;
     return authToken;
   } catch {
diff --git a/browse/test/adversarial-security.test.ts b/browse/test/adversarial-security.test.ts
new file mode 100644
index 000000000..19db16e04
--- /dev/null
+++ b/browse/test/adversarial-security.test.ts
@@ -0,0 +1,32 @@
+/**
+ * Adversarial security tests — XSS and boundary-check hardening
+ *
+ * Test 19: Sidepanel escapes entry.command in activity feed (prevents XSS)
+ * Test 20: Freeze hook uses trailing slash in boundary check (prevents prefix collision)
+ */
+
+import { describe, test, expect } from 'bun:test';
+import * as fs from 'fs';
+import * as path from 'path';
+
+describe('Adversarial security', () => {
+  test('sidepanel escapes entry.command in activity feed', () => {
+    const source = fs.readFileSync(
+      path.join(import.meta.dir, '../../extension/sidepanel.js'),
+      'utf-8',
+    );
+    // entry.command must be wrapped in escapeHtml() to prevent XSS injection
+    // via crafted command names in the activity feed
+    expect(source).toContain('escapeHtml(entry.command');
+  });
+
+  test('freeze hook uses trailing slash in boundary check', () => {
+    const source = fs.readFileSync(
+      path.join(import.meta.dir, '../../freeze/bin/check-freeze.sh'),
+      'utf-8',
+    );
+    // The boundary check must use "${FREEZE_DIR}/" with a trailing slash
+    // to prevent prefix collision (e.g., /app matching /application)
+    expect(source).toContain('"${FREEZE_DIR}/"');
+  });
+});
diff --git a/browse/test/commands.test.ts b/browse/test/commands.test.ts
index ea35d2fad..0f1a91dbb 100644
--- a/browse/test/commands.test.ts
+++ b/browse/test/commands.test.ts
@@ -1758,7 +1758,7 @@ describe('Path traversal prevention', () => {
       await handleReadCommand('eval', ['../../etc/passwd'], bm);
       expect(true).toBe(false);
     } catch (err: any) {
-      expect(err.message).toContain('Path traversal');
+      expect(err.message).toContain('Path must be within');
     }
   });
 
@@ -1767,7 +1767,7 @@ describe('Path traversal prevention', () => {
       await handleReadCommand('eval', ['/etc/passwd'], bm);
       expect(true).toBe(false);
     } catch (err: any) {
-      expect(err.message).toContain('Absolute path must be within');
+      expect(err.message).toContain('Path must be within');
     }
   });
 
@@ -1939,7 +1939,7 @@ describe('State persistence', () => {
     // Save state
     const saveResult = await handleMetaCommand('state', ['save', 'test-roundtrip'], bm, async () => {});
     expect(saveResult).toContain('State saved');
-    expect(saveResult).toContain('treat as sensitive');
+    expect(saveResult).toContain('Cookies stored in plaintext');
 
     // Navigate away
     await handleWriteCommand('goto', [baseUrl + '/forms.html'], bm);
diff --git a/browse/test/cookie-picker-routes.test.ts b/browse/test/cookie-picker-routes.test.ts
index ca55c473e..d9a83a065 100644
--- a/browse/test/cookie-picker-routes.test.ts
+++ b/browse/test/cookie-picker-routes.test.ts
@@ -202,4 +202,59 @@ describe('cookie-picker-routes', () => {
       expect(res.status).toBe(404);
     });
   });
+
+  describe('auth gate security', () => {
+    test('GET /cookie-picker HTML page works without auth token', async () => {
+      const { bm } = mockBrowserManager();
+      const url = makeUrl('/cookie-picker');
+      // Request with no Authorization header, but authToken is set on the server
+      const req = new Request('http://127.0.0.1:9470', { method: 'GET' });
+
+      const res = await handleCookiePickerRoute(url, req, bm, 'test-secret-token');
+
+      expect(res.status).toBe(200);
+      expect(res.headers.get('Content-Type')).toContain('text/html');
+    });
+
+    test('GET /cookie-picker/browsers returns 401 without auth', async () => {
+      const { bm } = mockBrowserManager();
+      const url = makeUrl('/cookie-picker/browsers');
+      // No Authorization header
+      const req = new Request('http://127.0.0.1:9470', { method: 'GET' });
+
+      const res = await handleCookiePickerRoute(url, req, bm, 'test-secret-token');
+
+      expect(res.status).toBe(401);
+      const body = await res.json();
+      expect(body.error).toBe('Unauthorized');
+    });
+
+    test('POST /cookie-picker/import returns 401 without auth', async () => {
+      const { bm } = mockBrowserManager();
+      const url = makeUrl('/cookie-picker/import');
+      const req = makeReq('POST', { browser: 'Chrome', domains: ['.example.com'] });
+
+      const res = await handleCookiePickerRoute(url, req, bm, 'test-secret-token');
+
+      expect(res.status).toBe(401);
+      const body = await res.json();
+      expect(body.error).toBe('Unauthorized');
+    });
+
+    test('GET /cookie-picker/browsers works with valid auth', async () => {
+      const { bm } = mockBrowserManager();
+      const url = makeUrl('/cookie-picker/browsers');
+      const req = new Request('http://127.0.0.1:9470', {
+        method: 'GET',
+        headers: { 'Authorization': 'Bearer test-secret-token' },
+      });
+
+      const res = await handleCookiePickerRoute(url, req, bm, 'test-secret-token');
+
+      expect(res.status).toBe(200);
+      expect(res.headers.get('Content-Type')).toBe('application/json');
+      const body = await res.json();
+      expect(body).toHaveProperty('browsers');
+    });
+  });
 });
diff --git a/browse/test/gstack-config.test.ts b/browse/test/gstack-config.test.ts
index 8a7b6dea1..d3efc1ce7 100644
--- a/browse/test/gstack-config.test.ts
+++ b/browse/test/gstack-config.test.ts
@@ -122,4 +122,17 @@ describe('gstack-config', () => {
     expect(exitCode).toBe(1);
     expect(stdout).toContain('Usage');
   });
+
+  // ─── security: input validation ─────────────────────────
+  test('set rejects key with regex metacharacters', () => {
+    const { exitCode, stderr } = run(['set', '.*', 'value']);
+    expect(exitCode).toBe(1);
+    expect(stderr).toContain('alphanumeric');
+  });
+
+  test('set preserves value with sed special chars', () => {
+    run(['set', 'test_special', 'a/b&c\\d']);
+    const { stdout } = run(['get', 'test_special']);
+    expect(stdout).toBe('a/b&c\\d');
+  });
 });
diff --git a/browse/test/path-validation.test.ts b/browse/test/path-validation.test.ts
index ab25941ed..8a26436ca 100644
--- a/browse/test/path-validation.test.ts
+++ b/browse/test/path-validation.test.ts
@@ -1,6 +1,9 @@
 import { describe, it, expect } from 'bun:test';
 import { validateOutputPath } from '../src/meta-commands';
 import { validateReadPath } from '../src/read-commands';
+import { symlinkSync, unlinkSync, writeFileSync } from 'fs';
+import { tmpdir } from 'os';
+import { join } from 'path';
 
 describe('validateOutputPath', () => {
   it('allows paths within /tmp', () => {
@@ -46,18 +49,43 @@ describe('validateReadPath', () => {
   });
 
   it('blocks absolute paths outside safe directories', () => {
-    expect(() => validateReadPath('/etc/passwd')).toThrow(/Absolute path must be within/);
+    expect(() => validateReadPath('/etc/passwd')).toThrow(/Path must be within/);
   });
 
   it('blocks /tmpevil prefix collision', () => {
-    expect(() => validateReadPath('/tmpevil/file.js')).toThrow(/Absolute path must be within/);
+    expect(() => validateReadPath('/tmpevil/file.js')).toThrow(/Path must be within/);
   });
 
   it('blocks path traversal sequences', () => {
-    expect(() => validateReadPath('../../../etc/passwd')).toThrow(/Path traversal/);
+    expect(() => validateReadPath('../../../etc/passwd')).toThrow(/Path must be within/);
   });
 
   it('blocks nested path traversal', () => {
-    expect(() => validateReadPath('src/../../etc/passwd')).toThrow(/Path traversal/);
+    expect(() => validateReadPath('src/../../etc/passwd')).toThrow(/Path must be within/);
+  });
+
+  it('blocks symlink inside safe dir pointing outside', () => {
+    const linkPath = join(tmpdir(), 'test-symlink-bypass-' + Date.now());
+    try {
+      symlinkSync('/etc/passwd', linkPath);
+      expect(() => validateReadPath(linkPath)).toThrow(/Path must be within/);
+    } finally {
+      try { unlinkSync(linkPath); } catch {}
+    }
+  });
+
+  it('throws clear error on non-ENOENT realpathSync failure', () => {
+    // Attempting to resolve a path through a non-directory should throw
+    // a descriptive error (ENOTDIR), not silently pass through.
+    // Create a regular file, then try to resolve a path through it as if it were a directory.
+    const filePath = join(tmpdir(), 'test-notdir-' + Date.now());
+    try {
+      writeFileSync(filePath, 'not a directory');
+      // filePath is a file, so filePath + '/subpath' triggers ENOTDIR
+      const invalidPath = join(filePath, 'subpath');
+      expect(() => validateReadPath(invalidPath)).toThrow(/Cannot resolve real path|Path must be within/);
+    } finally {
+      try { unlinkSync(filePath); } catch {}
+    }
   });
 });
diff --git a/browse/test/server-auth.test.ts b/browse/test/server-auth.test.ts
new file mode 100644
index 000000000..8cce1d3c3
--- /dev/null
+++ b/browse/test/server-auth.test.ts
@@ -0,0 +1,65 @@
+/**
+ * Server auth security tests — verify security remediation in server.ts
+ *
+ * Tests are source-level: they read server.ts and verify that auth checks,
+ * CORS restrictions, and token removal are correctly in place.
+ */
+
+import { describe, test, expect } from 'bun:test';
+import * as fs from 'fs';
+import * as path from 'path';
+
+const SERVER_SRC = fs.readFileSync(path.join(import.meta.dir, '../src/server.ts'), 'utf-8');
+
+// Helper: extract a block of source between two markers
+function sliceBetween(source: string, startMarker: string, endMarker: string): string {
+  const startIdx = source.indexOf(startMarker);
+  if (startIdx === -1) throw new Error(`Marker not found: ${startMarker}`);
+  const endIdx = source.indexOf(endMarker, startIdx + startMarker.length);
+  if (endIdx === -1) throw new Error(`End marker not found: ${endMarker}`);
+  return source.slice(startIdx, endIdx);
+}
+
+describe('Server auth security', () => {
+  // Test 1: /health response must not leak the auth token
+  test('/health response must not contain token field', () => {
+    const healthBlock = sliceBetween(SERVER_SRC, "url.pathname === '/health'", "url.pathname === '/refs'");
+    // The old pattern was: token: AUTH_TOKEN
+    // The new pattern should have a comment indicating token was removed
+    expect(healthBlock).not.toContain('token: AUTH_TOKEN');
+    expect(healthBlock).toContain('token removed');
+  });
+
+  // Test 2: /refs endpoint requires auth via validateAuth
+  test('/refs endpoint requires authentication', () => {
+    const refsBlock = sliceBetween(SERVER_SRC, "url.pathname === '/refs'", "url.pathname === '/activity/stream'");
+    expect(refsBlock).toContain('validateAuth');
+  });
+
+  // Test 3: /refs has no wildcard CORS header
+  test('/refs has no wildcard CORS header', () => {
+    const refsBlock = sliceBetween(SERVER_SRC, "url.pathname === '/refs'", "url.pathname === '/activity/stream'");
+    expect(refsBlock).not.toContain("'*'");
+  });
+
+  // Test 4: /activity/history requires auth via validateAuth
+  test('/activity/history requires authentication', () => {
+    const historyBlock = sliceBetween(SERVER_SRC, "url.pathname === '/activity/history'", 'Sidebar endpoints');
+    expect(historyBlock).toContain('validateAuth');
+  });
+
+  // Test 5: /activity/history has no wildcard CORS header
+  test('/activity/history has no wildcard CORS header', () => {
+    const historyBlock = sliceBetween(SERVER_SRC, "url.pathname === '/activity/history'", 'Sidebar endpoints');
+    expect(historyBlock).not.toContain("'*'");
+  });
+
+  // Test 6: /activity/stream requires auth (inline Bearer or ?token= check)
+  test('/activity/stream requires authentication with inline token check', () => {
+    const streamBlock = sliceBetween(SERVER_SRC, "url.pathname === '/activity/stream'", "url.pathname === '/activity/history'");
+    expect(streamBlock).toContain('validateAuth');
+    expect(streamBlock).toContain('AUTH_TOKEN');
+    // Should not have wildcard CORS for the SSE stream
+    expect(streamBlock).not.toContain("Access-Control-Allow-Origin': '*'");
+  });
+});
diff --git a/browse/test/state-ttl.test.ts b/browse/test/state-ttl.test.ts
new file mode 100644
index 000000000..bfac7937b
--- /dev/null
+++ b/browse/test/state-ttl.test.ts
@@ -0,0 +1,35 @@
+/**
+ * State file TTL security tests
+ *
+ * Verifies that state save includes savedAt timestamp and state load
+ * warns on old state files.
+ */
+
+import { describe, test, expect } from 'bun:test';
+import * as fs from 'fs';
+import * as path from 'path';
+
+const META_SRC = fs.readFileSync(path.join(import.meta.dir, '../src/meta-commands.ts'), 'utf-8');
+
+describe('State file TTL', () => {
+  test('state save includes savedAt timestamp in output', () => {
+    // Verify the save code writes savedAt to the state file
+    const saveBlock = META_SRC.slice(
+      META_SRC.indexOf("if (action === 'save')"),
+      META_SRC.indexOf("if (action === 'load')"),
+    );
+    expect(saveBlock).toContain('savedAt: new Date().toISOString()');
+  });
+
+  test('state load warns when savedAt is older than 7 days', () => {
+    // Verify the load code checks savedAt age and warns
+    const loadStart = META_SRC.indexOf("if (action === 'load')");
+    // Find the second occurrence of "Usage: state save|load" (appears after the load block)
+    const loadEnd = META_SRC.indexOf("Usage: state save|load", loadStart);
+    const loadBlock = META_SRC.slice(loadStart, loadEnd);
+    expect(loadBlock).toContain('data.savedAt');
+    expect(loadBlock).toContain('SEVEN_DAYS');
+    expect(loadBlock).toContain('console.warn');
+    expect(loadBlock).toContain('days old');
+  });
+});
diff --git a/extension/background.js b/extension/background.js
index a4e72d3f6..af1f32ea6 100644
--- a/extension/background.js
+++ b/extension/background.js
@@ -30,6 +30,19 @@ function getBaseUrl() {
   return serverPort ? `http://127.0.0.1:${serverPort}` : null;
 }
 
+// ─── Auth Token Bootstrap ─────────────────────────────────────
+
+async function loadAuthToken() {
+  if (authToken) return;
+  try {
+    const resp = await fetch(chrome.runtime.getURL('.auth.json'));
+    if (resp.ok) {
+      const data = await resp.json();
+      if (data.token) authToken = data.token;
+    }
+  } catch {}
+}
+
 // ─── Health Polling ────────────────────────────────────────────
 
 async function checkHealth() {
@@ -39,13 +52,14 @@ async function checkHealth() {
     return;
   }
 
+  // Retry loading auth token if we don't have one yet
+  if (!authToken) await loadAuthToken();
+
   try {
     const resp = await fetch(`${base}/health`, { signal: AbortSignal.timeout(3000) });
     if (!resp.ok) { setDisconnected(); return; }
     const data = await resp.json();
     if (data.status === 'healthy') {
-      // Capture auth token from health response
-      if (data.token) authToken = data.token;
       // Forward chatEnabled so sidepanel can show/hide chat tab
       setConnected({ ...data, chatEnabled: !!data.chatEnabled });
     } else {
@@ -62,8 +76,8 @@ function setConnected(healthData) {
   chrome.action.setBadgeBackgroundColor({ color: '#F59E0B' });
   chrome.action.setBadgeText({ text: ' ' });
 
-  // Broadcast health to popup and side panel
-  chrome.runtime.sendMessage({ type: 'health', data: healthData }).catch(() => {});
+  // Broadcast health to popup and side panel (include token for sidepanel auth)
+  chrome.runtime.sendMessage({ type: 'health', data: { ...healthData, token: authToken } }).catch(() => {});
 
   // Notify content scripts on connection change
   if (wasDisconnected) {
@@ -74,7 +88,7 @@ function setConnected(healthData) {
 function setDisconnected() {
   const wasConnected = isConnected;
   isConnected = false;
-  authToken = null;
+  // Keep authToken — it comes from .auth.json, not /health
   chrome.action.setBadgeText({ text: '' });
 
   chrome.runtime.sendMessage({ type: 'health', data: null }).catch(() => {});
@@ -128,7 +142,9 @@ async function fetchAndRelayRefs() {
   if (!base || !isConnected) return;
 
   try {
-    const resp = await fetch(`${base}/refs`, { signal: AbortSignal.timeout(3000) });
+    const headers = {};
+    if (authToken) headers['Authorization'] = `Bearer ${authToken}`;
+    const resp = await fetch(`${base}/refs`, { signal: AbortSignal.timeout(3000), headers });
     if (!resp.ok) return;
     const data = await resp.json();
 
@@ -163,10 +179,7 @@ chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
     return true;
   }
 
-  if (msg.type === 'getToken') {
-    sendResponse({ token: authToken });
-    return true;
-  }
+  // getToken handler removed — token distributed via health broadcast
 
   if (msg.type === 'fetchRefs') {
     fetchAndRelayRefs().then(() => sendResponse({ ok: true }));
@@ -237,7 +250,10 @@ chrome.runtime.onInstalled.addListener(async () => {
 
 // ─── Startup ────────────────────────────────────────────────────
 
-loadPort().then(() => {
-  checkHealth();
-  healthInterval = setInterval(checkHealth, 10000);
+// Load auth token BEFORE first health poll (token no longer in /health response)
+loadAuthToken().then(() => {
+  loadPort().then(() => {
+    checkHealth();
+    healthInterval = setInterval(checkHealth, 10000);
+  });
 });
diff --git a/extension/content.js b/extension/content.js
index 303545271..3c023f609 100644
--- a/extension/content.js
+++ b/extension/content.js
@@ -103,7 +103,16 @@ function renderRefPanel(refs) {
   for (const ref of refs.slice(0, 30)) { // Show max 30 in panel
     const row = document.createElement('div');
     row.className = 'gstack-ref-panel-row';
-    row.innerHTML = `<span class="gstack-ref-panel-id">${ref.ref}</span> <span class="gstack-ref-panel-role">${ref.role}</span> <span class="gstack-ref-panel-name">"${ref.name}"</span>`;
+    const idSpan = document.createElement('span');
+    idSpan.className = 'gstack-ref-panel-id';
+    idSpan.textContent = ref.ref;
+    const roleSpan = document.createElement('span');
+    roleSpan.className = 'gstack-ref-panel-role';
+    roleSpan.textContent = ref.role;
+    const nameSpan = document.createElement('span');
+    nameSpan.className = 'gstack-ref-panel-name';
+    nameSpan.textContent = '"' + ref.name + '"';
+    row.append(idSpan, document.createTextNode(' '), roleSpan, document.createTextNode(' '), nameSpan);
     list.appendChild(row);
   }
   if (refs.length > 30) {
diff --git a/extension/sidepanel.js b/extension/sidepanel.js
index 9ba7c5a26..2ee3da6b3 100644
--- a/extension/sidepanel.js
+++ b/extension/sidepanel.js
@@ -413,7 +413,7 @@ function createEntryElement(entry) {
   div.innerHTML = `
     <div class="entry-header">
       <span class="entry-time">${formatTime(entry.timestamp)}</span>
-      <span class="entry-command">${entry.command || entry.type}</span>
+      <span class="entry-command">${escapeHtml(entry.command || entry.type)}</span>
     </div>
     ${argsText ? `<div class="entry-args">${escapeHtml(argsText)}</div>` : ''}
     ${entry.type === 'command_end' ? `
@@ -469,7 +469,8 @@ function connectSSE() {
   if (!serverUrl) return;
   if (eventSource) { eventSource.close(); eventSource = null; }
 
-  const url = `${serverUrl}/activity/stream?after=${lastId}`;
+  const tokenParam = serverToken ? `&token=${serverToken}` : '';
+  const url = `${serverUrl}/activity/stream?after=${lastId}${tokenParam}`;
   eventSource = new EventSource(url);
 
   eventSource.addEventListener('activity', (e) => {
@@ -493,7 +494,9 @@ function connectSSE() {
 async function fetchRefs() {
   if (!serverUrl) return;
   try {
-    const resp = await fetch(`${serverUrl}/refs`, { signal: AbortSignal.timeout(3000) });
+    const headers = {};
+    if (serverToken) headers['Authorization'] = `Bearer ${serverToken}`;
+    const resp = await fetch(`${serverUrl}/refs`, { signal: AbortSignal.timeout(3000), headers });
     if (!resp.ok) return;
     const data = await resp.json();
 
@@ -594,10 +597,8 @@ function tryConnect() {
   chrome.runtime.sendMessage({ type: 'getPort' }, (resp) => {
     if (resp && resp.port && resp.connected) {
       const url = `http://127.0.0.1:${resp.port}`;
-      // Get the token from background
-      chrome.runtime.sendMessage({ type: 'getToken' }, (tokenResp) => {
-        updateConnection(url, tokenResp?.token);
-      });
+      // Token arrives via health broadcast from background.js
+      updateConnection(url, null);
     } else {
       setTimeout(tryConnect, 2000);
     }
diff --git a/freeze/bin/check-freeze.sh b/freeze/bin/check-freeze.sh
index ed748e939..825bc227b 100755
--- a/freeze/bin/check-freeze.sh
+++ b/freeze/bin/check-freeze.sh
@@ -51,9 +51,20 @@ esac
 # Normalize: remove double slashes and trailing slash
 FILE_PATH=$(printf '%s' "$FILE_PATH" | sed 's|/\+|/|g;s|/$||')
 
+# Resolve symlinks and .. sequences (POSIX-portable, works on macOS)
+_resolve_path() {
+  local _dir _base
+  _dir="$(dirname "$1")"
+  _base="$(basename "$1")"
+  _dir="$(cd "$_dir" 2>/dev/null && pwd -P || printf '%s' "$_dir")"
+  printf '%s/%s' "$_dir" "$_base"
+}
+FILE_PATH=$(_resolve_path "$FILE_PATH")
+FREEZE_DIR=$(_resolve_path "$FREEZE_DIR")
+
 # Check: does the file path start with the freeze directory?
 case "$FILE_PATH" in
-  "${FREEZE_DIR}"*)
+  "${FREEZE_DIR}/"*|"${FREEZE_DIR}")
     # Inside freeze boundary — allow
     echo '{}'
     ;;
diff --git a/test/telemetry.test.ts b/test/telemetry.test.ts
index 40e6df887..dd63509f6 100644
--- a/test/telemetry.test.ts
+++ b/test/telemetry.test.ts
@@ -212,6 +212,34 @@ describe('gstack-telemetry-log', () => {
     expect(fs.existsSync(analyticsDir)).toBe(true);
     expect(readJsonl()).toHaveLength(1);
   });
+
+  // ─── Telemetry JSON safety: branch/repo with special chars ────
+  test('branch name with quotes does not corrupt JSON', () => {
+    setConfig('telemetry', 'anonymous');
+    // Simulate a branch name with double quotes by setting it via git env override
+    // The json_safe function strips quotes, so the JSONL should remain valid
+    run(`${BIN}/gstack-telemetry-log --skill qa --duration 10 --outcome success --session-id branch-quotes-1`);
+
+    const lines = readJsonl();
+    expect(lines).toHaveLength(1);
+    // Every line must be valid JSON
+    const event = JSON.parse(lines[0]);
+    expect(event._branch).toBeDefined();
+    // _branch should not contain double quotes (json_safe strips them)
+    expect(event._branch).not.toContain('"');
+  });
+
+  test('repo slug with special chars does not corrupt JSON', () => {
+    setConfig('telemetry', 'anonymous');
+    run(`${BIN}/gstack-telemetry-log --skill qa --duration 10 --outcome success --session-id repo-special-1`);
+
+    const lines = readJsonl();
+    expect(lines).toHaveLength(1);
+    const event = JSON.parse(lines[0]);
+    expect(event._repo_slug).toBeDefined();
+    // _repo_slug should not contain double quotes (json_safe strips them)
+    expect(event._repo_slug).not.toContain('"');
+  });
 });
 
 describe('.pending marker', () => {