diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..d14c3a4
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,7 @@
+# Sentinel Journal
+
+This journal records CRITICAL security learnings from the codebase.
+format: `## YYYY-MM-DD - [Title]
+**Vulnerability:** [What you found]
+**Learning:** [Why it existed]
+**Prevention:** [How to avoid next time]`
diff --git a/cron/backup.sh b/cron/backup.sh
index 5d4a660..f46151e 100755
--- a/cron/backup.sh
+++ b/cron/backup.sh
@@ -10,7 +10,7 @@ set -e
 # Paths
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 DOTFILES_DIR="$(dirname "$SCRIPT_DIR")"
-BACKUP_SCRIPT="$DOTFILES_DIR/scripts/backup/backup-projects.sh"
+BACKUP_SCRIPT="$DOTFILES_DIR/tools/backup-projects.sh"
 LOG_DIR="${XDG_STATE_HOME:-$HOME/.local/state}/dotfiles"
 LOG_FILE="$LOG_DIR/backup-cron.log"
 BACKUP_DIR="${XDG_DATA_HOME:-$HOME/.local/share}/dotfiles/backups"
diff --git a/tools/backup-projects.sh b/tools/backup-projects.sh
index 1b7f6d2..623c068 100755
--- a/tools/backup-projects.sh
+++ b/tools/backup-projects.sh
@@ -234,11 +234,10 @@ parse_args() {
 
 # --- Build Exclude Arguments for Zip ---
 build_exclude_args() {
- local args=()
+ EXCLUDE_ARGS=()
 for pattern in "${EXCLUDE_PATTERNS[@]}"; do
- args+=("-x" "*/${pattern}/*" "-x" "*/${pattern}")
+ EXCLUDE_ARGS+=("-x" "*/${pattern}/*" "-x" "*/${pattern}")
 done
- echo "${args[@]}"
 }
 
 # --- Git Sync ---
@@ -351,10 +350,12 @@ cmd_backup() {
 # Setup directories
 if [[ "$DRY_RUN" != true ]]; then
 mkdir -p "$BACKUP_TEMP_DIR"
+ chmod 700 "$BACKUP_TEMP_DIR"
 mkdir -p "$LOG_DIR"
+ chmod 700 "$LOG_DIR"
 else
- debug "Would create: $BACKUP_TEMP_DIR"
- debug "Would create: $LOG_DIR"
+ debug "Would create: $BACKUP_TEMP_DIR (mode 700)"
+ debug "Would create: $LOG_DIR (mode 700)"
 fi
 
 # Sync git repositories first
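Review bot: build_exclude_args now writes the global EXCLUDE_ARGS instead of echoing a string, but nothing in the hunk declares that array or says so in the section comment, so a reader of the caller in cmd_backup meets a bare `"${EXCLUDE_ARGS[@]}"` with no visible origin. The move to an array is the right fix, since the old unquoted `$exclude_args` was word-split and, because the caller first does `cd "$HOME"`, patterns such as `*/${pattern}/*` could be glob-expanded against the home directory before zip ever saw them. I would add `declare -a EXCLUDE_ARGS=()` beside the script's other globals and change the header to `# --- Build Exclude Arguments for Zip (sets global EXCLUDE_ARGS; pass as "${EXCLUDE_ARGS[@]}") ---` so the side effect is documented where it happens.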
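Review bot: `mkdir -p` followed by `chmod 700` creates the directory under the process umask first and tightens it only afterwards, so a freshly created BACKUP_TEMP_DIR or LOG_DIR briefly exists with the default mode in the cmd_backup hunk at -351. `mkdir -p -m 700 "$BACKUP_TEMP_DIR"` (and the same for LOG_DIR) makes the new directory owner-only from the start; the chmod can stay to cover a directory that already existed. The unconditional chmod on a pre-existing path also changes the mode of a directory the user may have set up deliberately, and chmod follows a symlink if either path is one, so a one-line why-comment such as `# backups and logs can contain project contents; keep both directories owner-only` would record the intent for the next maintainer. Under `set -e` a failing chmod aborts the whole backup, which is probably the desired outcome but is worth stating in that comment.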
@@ -406,17 +407,15 @@ cmd_backup() {
 done
 fi
 else
- local exclude_args
- exclude_args=$(build_exclude_args)
+ build_exclude_args
 (
 cd "$HOME" || exit 1
+ umask 077
 if [[ "$VERBOSE" == true ]]; then
- # shellcheck disable=SC2086
- zip -r "$archive_path" "${relative_paths[@]}" $exclude_args
+ zip -r "$archive_path" "${relative_paths[@]}" "${EXCLUDE_ARGS[@]}"
 else
- # shellcheck disable=SC2086
- zip -r -q "$archive_path" "${relative_paths[@]}" $exclude_args
+ zip -r -q "$archive_path" "${relative_paths[@]}" "${EXCLUDE_ARGS[@]}"
 fi
 )