diff --git a/jest.config.mjs b/jest.config.mjs
index 3cb3583f..a5409725 100644
--- a/jest.config.mjs
+++ b/jest.config.mjs
@@ -16,7 +16,11 @@ export default {
   },
   moduleNameMapper: {
     '^@/(.*)$': '<rootDir>/src/$1',
+    '\\.(css|less|scss|sass)$': '<rootDir>/src/__tests__/__mocks__/styleMock.cjs',
   },
+  transformIgnorePatterns: [
+    '/node_modules/(?!(superjson|copy-anything|is-what|@trpc|@meshsdk|@noble|@sidan-lab|nanoid|jose|uuid)/)',
+  ],
   collectCoverageFrom: [
     'src/**/*.{ts,tsx}',
     '!src/**/*.d.ts',
@@ -28,6 +32,7 @@ export default {
   coverageProvider: 'v8',
   coverageDirectory: 'coverage',
   coverageReporters: ['text', 'lcov', 'html'],
+  setupFiles: ['<rootDir>/src/__tests__/setupEnv.cjs'],
   setupFilesAfterEnv: ['<rootDir>/src/__tests__/setup.ts'],
   testTimeout: 10000,
   verbose: true,
diff --git a/package-lock.json b/package-lock.json
index a7a0c437..9ee7a9b0 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -10,7 +10,6 @@
       "hasInstallScript": true,
       "dependencies": {
         "@auth/prisma-adapter": "^2.11.1",
-        "@hookform/resolvers": "^3.9.0",
         "@jinglescode/nostr-chat-plugin": "^0.0.11",
         "@meshsdk/core": "^1.9.0-beta.87",
         "@meshsdk/core-csl": "^1.9.0-beta.87",
@@ -61,7 +60,6 @@
         "react": "^18.3.1",
         "react-dom": "^18.3.1",
         "react-dropzone": "^14.3.5",
-        "react-hook-form": "^7.53.0",
         "react-markdown": "^10.1.0",
         "remark-gfm": "^4.0.1",
         "superjson": "^2.2.1",
@@ -72,7 +70,6 @@
         "three": "^0.168.0",
         "three-globe": "^2.31.1",
         "uuid": "^11.1.0",
-        "yaml": "^2.8.2",
         "zod": "^3.23.8",
         "zustand": "^4.5.5"
       },
@@ -1399,14 +1396,6 @@
         "@harmoniclabs/plutus-data": "^1.2.4"
       }
     },
-    "node_modules/@hookform/resolvers": {
-      "version": "3.10.0",
-      "resolved": "https://registry.npmjs.org/@hookform/resolvers/-/resolvers-3.10.0.tgz",
-      "integrity": "sha512-79Dv+3mDF7i+2ajj7SkypSKHhl1cbln1OGavqrsF7p6mbUv11xpqpacPsGDCTRvCSjEEIez2ef1NveSVL3b0Ag==",
-      "peerDependencies": {
-        "react-hook-form": "^7.0.0"
-      }
-    },
     "node_modules/@humanfs/core": {
       "version": "0.19.1",
       "resolved": "https://registry.npmjs.org/@humanfs/core/-/core-0.19.1.tgz",
@@ -20800,21 +20789,6 @@
         "react": ">= 16.8 || 18.0.0"
       }
     },
-    "node_modules/react-hook-form": {
-      "version": "7.72.0",
-      "resolved": "https://registry.npmjs.org/react-hook-form/-/react-hook-form-7.72.0.tgz",
-      "integrity": "sha512-V4v6jubaf6JAurEaVnT9aUPKFbNtDgohj5CIgVGyPHvT9wRx5OZHVjz31GsxnPNI278XMu+ruFz+wGOscHaLKw==",
-      "engines": {
-        "node": ">=18.0.0"
-      },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/react-hook-form"
-      },
-      "peerDependencies": {
-        "react": "^16.8.0 || ^17 || ^18 || ^19"
-      }
-    },
     "node_modules/react-immutable-proptypes": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/react-immutable-proptypes/-/react-immutable-proptypes-2.2.0.tgz",
@@ -24556,20 +24530,6 @@
       "resolved": "https://registry.npmjs.org/yallist/-/yallist-3.1.1.tgz",
       "integrity": "sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g=="
     },
-    "node_modules/yaml": {
-      "version": "2.8.3",
-      "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz",
-      "integrity": "sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==",
-      "bin": {
-        "yaml": "bin.mjs"
-      },
-      "engines": {
-        "node": ">= 14.6"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/eemeli"
-      }
-    },
     "node_modules/yargs": {
       "version": "17.7.2",
       "resolved": "https://registry.npmjs.org/yargs/-/yargs-17.7.2.tgz",
diff --git a/package.json b/package.json
index bc6e55f3..f72acf6f 100644
--- a/package.json
+++ b/package.json
@@ -19,16 +19,15 @@
     "format:check": "prettier --check .",
     "prestart": "prisma migrate deploy",
     "start": "next start",
-    "test": "jest",
-    "test:watch": "jest --watch",
-    "test:coverage": "jest --coverage",
-    "test:ci": "jest --ci --coverage --watchAll=false",
+    "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js",
+    "test:watch": "node --experimental-vm-modules node_modules/jest/bin/jest.js --watch",
+    "test:coverage": "node --experimental-vm-modules node_modules/jest/bin/jest.js --coverage",
+    "test:ci": "node --experimental-vm-modules node_modules/jest/bin/jest.js --ci --coverage --watchAll=false",
     "analyze": "ANALYZE=true npm run build",
     "apply-project": "node scripts/apply-project-to-github.mjs"
   },
   "dependencies": {
     "@auth/prisma-adapter": "^2.11.1",
-    "@hookform/resolvers": "^3.9.0",
     "@jinglescode/nostr-chat-plugin": "^0.0.11",
     "@meshsdk/core": "^1.9.0-beta.87",
     "@meshsdk/core-csl": "^1.9.0-beta.87",
@@ -79,7 +78,6 @@
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "react-dropzone": "^14.3.5",
-    "react-hook-form": "^7.53.0",
     "react-markdown": "^10.1.0",
     "remark-gfm": "^4.0.1",
     "superjson": "^2.2.1",
@@ -90,7 +88,6 @@
     "three": "^0.168.0",
     "three-globe": "^2.31.1",
     "uuid": "^11.1.0",
-    "yaml": "^2.8.2",
     "zod": "^3.23.8",
     "zustand": "^4.5.5"
   },
diff --git a/prisma/migrations/20260510160404_audit_log_and_indexes/migration.sql b/prisma/migrations/20260510160404_audit_log_and_indexes/migration.sql
new file mode 100644
index 00000000..058fae30
--- /dev/null
+++ b/prisma/migrations/20260510160404_audit_log_and_indexes/migration.sql
@@ -0,0 +1,88 @@
+-- AlterTable
+ALTER TABLE "Ballot" ALTER COLUMN "anchorUrls" SET DEFAULT ARRAY[]::TEXT[],
+ALTER COLUMN "anchorHashes" SET DEFAULT ARRAY[]::TEXT[];
+
+-- CreateTable
+CREATE TABLE "AuditLog" (
+    "id" TEXT NOT NULL,
+    "actorAddress" TEXT,
+    "actorType" TEXT NOT NULL,
+    "action" TEXT NOT NULL,
+    "resourceType" TEXT,
+    "resourceId" TEXT,
+    "ip" TEXT,
+    "userAgent" TEXT,
+    "outcome" TEXT NOT NULL,
+    "reason" TEXT,
+    "metadata" JSONB,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "AuditLog_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE INDEX "AuditLog_actorAddress_idx" ON "AuditLog"("actorAddress");
+
+-- CreateIndex
+CREATE INDEX "AuditLog_action_idx" ON "AuditLog"("action");
+
+-- CreateIndex
+CREATE INDEX "AuditLog_resourceType_resourceId_idx" ON "AuditLog"("resourceType", "resourceId");
+
+-- CreateIndex
+CREATE INDEX "AuditLog_createdAt_idx" ON "AuditLog"("createdAt");
+
+-- CreateIndex
+CREATE INDEX "AuditLog_actorAddress_createdAt_idx" ON "AuditLog"("actorAddress", "createdAt");
+
+-- CreateIndex
+CREATE INDEX "BalanceSnapshot_walletId_idx" ON "BalanceSnapshot"("walletId");
+
+-- CreateIndex
+CREATE INDEX "BalanceSnapshot_walletId_snapshotDate_idx" ON "BalanceSnapshot"("walletId", "snapshotDate");
+
+-- CreateIndex
+CREATE INDEX "Ballot_walletId_idx" ON "Ballot"("walletId");
+
+-- CreateIndex
+CREATE INDEX "NewWallet_ownerAddress_idx" ON "NewWallet"("ownerAddress");
+
+-- CreateIndex
+CREATE INDEX "NewWallet_signersAddresses_idx" ON "NewWallet" USING GIN ("signersAddresses" array_ops);
+
+-- CreateIndex
+CREATE INDEX "Proxy_walletId_idx" ON "Proxy"("walletId");
+
+-- CreateIndex
+CREATE INDEX "Proxy_userId_idx" ON "Proxy"("userId");
+
+-- CreateIndex
+CREATE INDEX "Proxy_walletId_isActive_idx" ON "Proxy"("walletId", "isActive");
+
+-- CreateIndex
+CREATE INDEX "Proxy_userId_isActive_idx" ON "Proxy"("userId", "isActive");
+
+-- CreateIndex
+CREATE INDEX "Signable_walletId_idx" ON "Signable"("walletId");
+
+-- CreateIndex
+CREATE INDEX "Signable_state_idx" ON "Signable"("state");
+
+-- CreateIndex
+CREATE INDEX "Signable_walletId_state_idx" ON "Signable"("walletId", "state");
+
+-- CreateIndex
+CREATE INDEX "Transaction_walletId_idx" ON "Transaction"("walletId");
+
+-- CreateIndex
+CREATE INDEX "Transaction_state_idx" ON "Transaction"("state");
+
+-- CreateIndex
+CREATE INDEX "Transaction_walletId_state_idx" ON "Transaction"("walletId", "state");
+
+-- CreateIndex
+CREATE INDEX "Wallet_ownerAddress_idx" ON "Wallet"("ownerAddress");
+
+-- CreateIndex
+CREATE INDEX "Wallet_signersAddresses_idx" ON "Wallet" USING GIN ("signersAddresses" array_ops);
+
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index 23d45677..92387e35 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -43,6 +43,9 @@ model Wallet {
   migrationTargetWalletId String?
   profileImageIpfsUrl     String?
   ownerAddress            String?
+
+  @@index([ownerAddress])
+  @@index([signersAddresses(ops: ArrayOps)], type: Gin)
 }
 
 model Transaction {
@@ -77,6 +80,10 @@ model Signable {
   updatedAt         DateTime @updatedAt
   callbackUrl       String?
   remoteOrigin      String?
+
+  @@index([walletId])
+  @@index([state])
+  @@index([walletId, state])
 }
 
 model NewWallet {
@@ -95,6 +102,9 @@ model NewWallet {
   paymentCbor         String?
   stakeCbor           String?
   rawImportBodies     Json?
+
+  @@index([ownerAddress])
+  @@index([signersAddresses(ops: ArrayOps)], type: Gin)
 }
 
 model Nonce {
@@ -105,18 +115,36 @@ model Nonce {
 }
 
 model Ballot {
-  id               String   @id @default(cuid())
-  walletId         String
-  description      String?
-  items            String[]
-  itemDescriptions String[]
-  choices          String[]
-  anchorUrls       String[] @default([])
-  anchorHashes     String[] @default([])
+  id                String   @id @default(cuid())
+  walletId          String
+  description       String?
+  items             String[]
+  itemDescriptions  String[]
+  choices           String[]
+  anchorUrls        String[] @default([])
+  anchorHashes      String[] @default([])
   rationaleComments String[] @default([])
-  type             Int
-  createdAt        DateTime @default(now())
-  updatedAt        DateTime @updatedAt
+  type              Int
+  createdAt         DateTime @default(now())
+  updatedAt         DateTime @default(now()) @updatedAt
+
+  @@index([walletId])
+}
+
+// Retained to preserve the existing production table; feature is currently unused
+// in app code. Do not drop without an explicit data-migration plan.
+model Crowdfund {
+  id                String   @id @default(cuid())
+  name              String
+  description       String?
+  proposerKeyHashR0 String
+  authTokenId       String?
+  datum             String?
+  address           String?
+  paramUtxo         String?
+  govDatum          String?
+  govAddress        String?
+  createdAt         DateTime @default(now())
 }
 
 model Proxy {
@@ -146,6 +174,9 @@ model BalanceSnapshot {
   assetBalances Json
   isArchived    Boolean
   snapshotDate  DateTime @default(now())
+
+  @@index([walletId])
+  @@index([walletId, snapshotDate])
 }
 
 model Migration {
@@ -195,13 +226,13 @@ model BotKey {
 }
 
 model BotUser {
-  id              String   @id @default(cuid())
-  botKeyId        String   @unique
-  paymentAddress  String   @unique // One bot, one address
-  stakeAddress    String?
-  displayName     String?
-  createdAt       DateTime @default(now())
-  botKey          BotKey   @relation(fields: [botKeyId], references: [id], onDelete: Cascade)
+  id             String   @id @default(cuid())
+  botKeyId       String   @unique
+  paymentAddress String   @unique // One bot, one address
+  stakeAddress   String?
+  displayName    String?
+  createdAt      DateTime @default(now())
+  botKey         BotKey   @relation(fields: [botKeyId], references: [id], onDelete: Cascade)
 
   @@index([paymentAddress])
 }
@@ -213,11 +244,11 @@ enum BotWalletRole {
 
 model WalletBotAccess {
   walletId  String
-  botId      String
-  role       BotWalletRole
-  createdAt  DateTime @default(now())
+  botId     String
+  role      BotWalletRole
+  createdAt DateTime      @default(now())
 
-  @@unique([walletId, botId])
+  @@id([walletId, botId])
   @@index([walletId])
   @@index([botId])
 }
@@ -232,10 +263,10 @@ model PendingBot {
   name            String
   paymentAddress  String
   stakeAddress    String?
-  requestedScopes String           // JSON array of requested scopes
+  requestedScopes String // JSON array of requested scopes
   status          PendingBotStatus @default(UNCLAIMED)
-  claimedBy       String?          // ownerAddress of the claiming human
-  secretCipher    String?          // Encrypted secret (set on claim, cleared on pickup)
+  claimedBy       String? // ownerAddress of the claiming human
+  secretCipher    String? // Encrypted secret (set on claim, cleared on pickup)
   pickedUp        Boolean          @default(false)
   expiresAt       DateTime
   createdAt       DateTime         @default(now())
@@ -249,7 +280,7 @@ model BotClaimToken {
   id           String     @id @default(cuid())
   pendingBotId String     @unique
   pendingBot   PendingBot @relation(fields: [pendingBotId], references: [id], onDelete: Cascade)
-  tokenHash    String     // SHA-256 hash of the claim code
+  tokenHash    String // SHA-256 hash of the claim code
   attempts     Int        @default(0)
   expiresAt    DateTime
   consumedAt   DateTime?
@@ -257,3 +288,27 @@ model BotClaimToken {
 
   @@index([tokenHash])
 }
+
+// Append-only security audit trail. Writers should never UPDATE existing rows.
+// Events are emitted from auth flows, wallet/transaction mutations, and
+// privilege-changing actions (bot grants, signer changes, ownership transfers).
+model AuditLog {
+  id           String   @id @default(cuid())
+  actorAddress String? // Wallet address that performed the action (null for system/anonymous)
+  actorType    String // "user" | "bot" | "system"
+  action       String // e.g. "wallet.create", "tx.sign", "bot.grant", "auth.login"
+  resourceType String? // "wallet" | "transaction" | "bot" | "ballot" | etc.
+  resourceId   String?
+  ip           String?
+  userAgent    String?
+  outcome      String // "success" | "denied" | "error"
+  reason       String? // Short reason on denied/error
+  metadata     Json? // Additional context (no secrets, redacted)
+  createdAt    DateTime @default(now())
+
+  @@index([actorAddress])
+  @@index([action])
+  @@index([resourceType, resourceId])
+  @@index([createdAt])
+  @@index([actorAddress, createdAt])
+}
diff --git a/src/__tests__/__mocks__/styleMock.cjs b/src/__tests__/__mocks__/styleMock.cjs
new file mode 100644
index 00000000..f053ebf7
--- /dev/null
+++ b/src/__tests__/__mocks__/styleMock.cjs
@@ -0,0 +1 @@
+module.exports = {};
diff --git a/src/__tests__/apiSecurity.test.ts b/src/__tests__/apiSecurity.test.ts
index 667c6959..891567a8 100644
--- a/src/__tests__/apiSecurity.test.ts
+++ b/src/__tests__/apiSecurity.test.ts
@@ -1,3 +1,4 @@
+import { beforeEach, describe, expect, it, jest } from "@jest/globals";
 import { TRPCError } from "@trpc/server";
 
 import { applyRateLimit, enforceBodySize } from "@/lib/security/requestGuards";
@@ -67,6 +68,8 @@ describe("wallet router authorization", () => {
       db: baseDb as any,
       session: null,
       sessionAddress: null,
+      sessionWallets: [],
+      primaryWallet: null,
       ip: "3.3.3.3",
     });
 
@@ -93,12 +96,14 @@ describe("wallet router authorization", () => {
       isArchived: false,
       verified: [],
       migrationTargetWalletId: null,
-    });
+    } as never);
 
     const caller = createCaller({
       db: baseDb as any,
       session: { user: { id: "addr1" }, expires: new Date().toISOString() } as any,
       sessionAddress: "addr1",
+      sessionWallets: ["addr1"],
+      primaryWallet: "addr1",
       ip: "4.4.4.4",
     });
 
@@ -126,12 +131,14 @@ describe("wallet router authorization", () => {
       verified: [],
       migrationTargetWalletId: null,
     };
-    baseDb.wallet.findUnique.mockResolvedValueOnce(wallet);
+    baseDb.wallet.findUnique.mockResolvedValueOnce(wallet as never);
 
     const caller = createCaller({
       db: baseDb as any,
       session: { user: { id: "addr1" }, expires: new Date().toISOString() } as any,
       sessionAddress: "addr1",
+      sessionWallets: ["addr1"],
+      primaryWallet: "addr1",
       ip: "5.5.5.5",
     });
 
diff --git a/src/__tests__/botBallotsUpsert.test.ts b/src/__tests__/botBallotsUpsert.test.ts
index 1d487b77..b2423af9 100644
--- a/src/__tests__/botBallotsUpsert.test.ts
+++ b/src/__tests__/botBallotsUpsert.test.ts
@@ -6,36 +6,35 @@ const corsMock = jest.fn<(req: NextApiRequest, res: NextApiResponse) => Promise<
 const applyRateLimitMock = jest.fn<(req: NextApiRequest, res: NextApiResponse) => boolean>();
 const applyBotRateLimitMock = jest.fn<(req: NextApiRequest, res: NextApiResponse, botId: string) => boolean>();
 const enforceBodySizeMock = jest.fn<(req: NextApiRequest, res: NextApiResponse, maxBytes: number) => boolean>();
-const verifyJwtMock = jest.fn();
-const isBotJwtMock = jest.fn();
-const assertBotWalletAccessMock = jest.fn();
-const findBotUserMock = jest.fn();
-const transactionMock = jest.fn();
-const parseScopeMock = jest.fn();
-const scopeIncludesMock = jest.fn();
-const isValidChoiceMock = jest.fn();
-const parseProposalIdMock = jest.fn();
+const verifyJwtMock = jest.fn<(...args: any[]) => any>();
+const isBotJwtMock = jest.fn<(...args: any[]) => any>();
+const assertBotWalletAccessMock = jest.fn<(...args: any[]) => any>();
+const findBotUserMock = jest.fn<(...args: any[]) => any>();
+const transactionMock = jest.fn<(...args: any[]) => any>();
+const parseScopeMock = jest.fn<(...args: any[]) => any>();
+const scopeIncludesMock = jest.fn<(...args: any[]) => any>();
+const isValidChoiceMock = jest.fn<(...args: any[]) => any>();
+const parseProposalIdMock = jest.fn<(...args: any[]) => any>();
 
 const txMock = {
   ballot: {
-    findUnique: jest.fn(),
-    findMany: jest.fn(),
-    create: jest.fn(),
-    updateMany: jest.fn(),
+    findUnique: jest.fn<(...args: any[]) => any>(),
+    findMany: jest.fn<(...args: any[]) => any>(),
+    create: jest.fn<(...args: any[]) => any>(),
+    updateMany: jest.fn<(...args: any[]) => any>(),
   },
 };
 
-jest.mock(
+jest.unstable_mockModule(
   "@/lib/cors",
   () => ({
     __esModule: true,
     addCorsCacheBustingHeaders: addCorsCacheBustingHeadersMock,
     cors: corsMock,
   }),
-  { virtual: true },
 );
 
-jest.mock(
+jest.unstable_mockModule(
   "@/lib/security/requestGuards",
   () => ({
     __esModule: true,
@@ -43,49 +42,44 @@ jest.mock(
     applyBotRateLimit: applyBotRateLimitMock,
     enforceBodySize: enforceBodySizeMock,
   }),
-  { virtual: true },
 );
 
-jest.mock(
+jest.unstable_mockModule(
   "@/lib/verifyJwt",
   () => ({
     __esModule: true,
     verifyJwt: verifyJwtMock,
     isBotJwt: isBotJwtMock,
   }),
-  { virtual: true },
 );
 
-jest.mock(
+jest.unstable_mockModule(
   "@/lib/governance",
   () => ({
     __esModule: true,
     isValidChoice: isValidChoiceMock,
     parseProposalId: parseProposalIdMock,
   }),
-  { virtual: true },
 );
 
-jest.mock(
+jest.unstable_mockModule(
   "@/lib/auth/botKey",
   () => ({
     __esModule: true,
     parseScope: parseScopeMock,
     scopeIncludes: scopeIncludesMock,
   }),
-  { virtual: true },
 );
 
-jest.mock(
+jest.unstable_mockModule(
   "@/lib/auth/botAccess",
   () => ({
     __esModule: true,
     assertBotWalletAccess: assertBotWalletAccessMock,
   }),
-  { virtual: true },
 );
 
-jest.mock(
+jest.unstable_mockModule(
   "@/server/db",
   () => ({
     __esModule: true,
@@ -96,7 +90,6 @@ jest.mock(
       $transaction: transactionMock,
     },
   }),
-  { virtual: true },
 );
 
 type ResponseMock = NextApiResponse & { statusCode?: number };
diff --git a/src/__tests__/governanceActiveProposals.test.ts b/src/__tests__/governanceActiveProposals.test.ts
index 3fdfb895..7b1558f3 100644
--- a/src/__tests__/governanceActiveProposals.test.ts
+++ b/src/__tests__/governanceActiveProposals.test.ts
@@ -5,64 +5,59 @@ const addCorsCacheBustingHeadersMock = jest.fn<(res: NextApiResponse) => void>()
 const corsMock = jest.fn<(req: NextApiRequest, res: NextApiResponse) => Promise<void>>();
 const applyRateLimitMock = jest.fn<(req: NextApiRequest, res: NextApiResponse) => boolean>();
 const applyBotRateLimitMock = jest.fn<(req: NextApiRequest, res: NextApiResponse, botId: string) => boolean>();
-const verifyJwtMock = jest.fn();
-const isBotJwtMock = jest.fn();
-const findBotUserMock = jest.fn();
-const providerGetMock = jest.fn();
-const parseScopeMock = jest.fn();
-const scopeIncludesMock = jest.fn();
-const getProposalStatusMock = jest.fn();
-
-jest.mock(
+const verifyJwtMock = jest.fn<(...args: any[]) => any>();
+const isBotJwtMock = jest.fn<(...args: any[]) => any>();
+const findBotUserMock = jest.fn<(...args: any[]) => any>();
+const providerGetMock = jest.fn<(...args: any[]) => any>();
+const parseScopeMock = jest.fn<(...args: any[]) => any>();
+const scopeIncludesMock = jest.fn<(...args: any[]) => any>();
+const getProposalStatusMock = jest.fn<(...args: any[]) => any>();
+
+jest.unstable_mockModule(
   "@/lib/cors",
   () => ({
     __esModule: true,
     addCorsCacheBustingHeaders: addCorsCacheBustingHeadersMock,
     cors: corsMock,
   }),
-  { virtual: true },
 );
 
-jest.mock(
+jest.unstable_mockModule(
   "@/lib/security/requestGuards",
   () => ({
     __esModule: true,
     applyRateLimit: applyRateLimitMock,
     applyBotRateLimit: applyBotRateLimitMock,
   }),
-  { virtual: true },
 );
 
-jest.mock(
+jest.unstable_mockModule(
   "@/lib/verifyJwt",
   () => ({
     __esModule: true,
     verifyJwt: verifyJwtMock,
     isBotJwt: isBotJwtMock,
   }),
-  { virtual: true },
 );
 
-jest.mock(
+jest.unstable_mockModule(
   "@/lib/governance",
   () => ({
     __esModule: true,
     getProposalStatus: getProposalStatusMock,
   }),
-  { virtual: true },
 );
 
-jest.mock(
+jest.unstable_mockModule(
   "@/lib/auth/botKey",
   () => ({
     __esModule: true,
     parseScope: parseScopeMock,
     scopeIncludes: scopeIncludesMock,
   }),
-  { virtual: true },
 );
 
-jest.mock(
+jest.unstable_mockModule(
   "@/server/db",
   () => ({
     __esModule: true,
@@ -72,10 +67,9 @@ jest.mock(
       },
     },
   }),
-  { virtual: true },
 );
 
-jest.mock(
+jest.unstable_mockModule(
   "@/utils/get-provider",
   () => ({
     __esModule: true,
@@ -83,7 +77,6 @@ jest.mock(
       get: providerGetMock,
     }),
   }),
-  { virtual: true },
 );
 
 type ResponseMock = NextApiResponse & { statusCode?: number };
@@ -214,7 +207,7 @@ describe("governanceActiveProposals API", () => {
     await handler(req, res);
 
     expect(res.status).toHaveBeenCalledWith(200);
-    const payload = res.json.mock.calls[0]?.[0] as any;
+    const payload = (res.json as unknown as jest.Mock).mock.calls[0]?.[0] as any;
     expect(Array.isArray(payload.proposals)).toBe(true);
     expect(payload.proposals).toHaveLength(1);
     expect(payload.proposals[0]).toMatchObject({
diff --git a/src/__tests__/multisigSDK.test.ts b/src/__tests__/multisigSDK.test.ts
index dbef91da..487e8cc9 100644
--- a/src/__tests__/multisigSDK.test.ts
+++ b/src/__tests__/multisigSDK.test.ts
@@ -39,9 +39,9 @@ describe('MultisigWallet', () => {
       ];
       
       const testWallet = new MultisigWallet('Test', unsortedKeys);
-      expect(testWallet.keys[0].keyHash).toBe('aaaa');
-      expect(testWallet.keys[1].keyHash).toBe('mmmm');
-      expect(testWallet.keys[2].keyHash).toBe('zzzz');
+      expect(testWallet.keys[0]!.keyHash).toBe('aaaa');
+      expect(testWallet.keys[1]!.keyHash).toBe('mmmm');
+      expect(testWallet.keys[2]!.keyHash).toBe('zzzz');
     });
 
     it('should filter out invalid keys', () => {
@@ -54,7 +54,7 @@ describe('MultisigWallet', () => {
 
       const testWallet = new MultisigWallet('Test', keysWithInvalid);
       expect(testWallet.keys).toHaveLength(1);
-      expect(testWallet.keys[0].keyHash).toBe(mockKeyHashes.payment1);
+      expect(testWallet.keys[0]!.keyHash).toBe(mockKeyHashes.payment1);
     });
 
     it('should use default values when optional parameters are not provided', () => {
@@ -86,7 +86,7 @@ describe('MultisigWallet', () => {
     it('should return drep keys (role 3)', () => {
       const drepKeys = wallet.getKeysByRole(3);
       expect(drepKeys).toHaveLength(1);
-      expect(drepKeys?.[0].role).toBe(3);
+      expect(drepKeys?.[0]!.role).toBe(3);
     });
 
     it('should return undefined for non-existent role', () => {
diff --git a/src/__tests__/og.test.ts b/src/__tests__/og.test.ts
new file mode 100644
index 00000000..afa0a471
--- /dev/null
+++ b/src/__tests__/og.test.ts
@@ -0,0 +1,169 @@
+import { describe, expect, it, jest, beforeEach, afterEach } from "@jest/globals";
+import type { NextApiRequest, NextApiResponse } from "next";
+
+// SSRF tripwire suite for /api/v1/og
+//
+// The handler must reject:
+//   - non-https URLs
+//   - hosts not on the allowlist
+//   - hosts that resolve to private / loopback / link-local addresses
+//   - upstream redirects (no auto-follow)
+//
+// The most important regression is the IMDS URL case:
+//   http://169.254.169.254/latest/meta-data/  (AWS instance metadata)
+// — historically the canonical SSRF target. If this ever returns 200, an
+// attacker who can hit our public OG endpoint can pivot into cloud metadata.
+
+const dnsLookupMock = jest.fn() as jest.MockedFunction<
+  (host: string, opts?: unknown) => Promise<Array<{ address: string; family: number }>>
+>;
+
+jest.unstable_mockModule("dns", () => ({
+  __esModule: true,
+  default: { promises: { lookup: dnsLookupMock } },
+  promises: { lookup: dnsLookupMock },
+}));
+
+const envState: { OG_ALLOWED_HOSTS?: string } = {};
+jest.unstable_mockModule("@/env", () => ({
+  __esModule: true,
+  env: new Proxy({}, {
+    get(_t, key: string) {
+      if (key === "OG_ALLOWED_HOSTS") return envState.OG_ALLOWED_HOSTS;
+      return undefined;
+    },
+  }),
+}));
+
+const fetchMock = jest.fn() as jest.MockedFunction<typeof fetch>;
+const realFetch = global.fetch;
+
+function makeRes() {
+  const status = jest.fn();
+  const json = jest.fn();
+  const setHeader = jest.fn();
+  const res = {
+    status: status.mockImplementation(() => res),
+    json: json.mockImplementation(() => res),
+    setHeader,
+  } as unknown as NextApiResponse;
+  return { res, status, json };
+}
+
+function makeReq(url: string | undefined): NextApiRequest {
+  return {
+    query: url === undefined ? {} : { url },
+    method: "GET",
+    headers: {},
+  } as unknown as NextApiRequest;
+}
+
+const handlerPromise = import("../pages/api/v1/og");
+
+beforeEach(() => {
+  dnsLookupMock.mockReset();
+  fetchMock.mockReset();
+  global.fetch = fetchMock as unknown as typeof fetch;
+  envState.OG_ALLOWED_HOSTS = undefined;
+});
+
+afterEach(() => {
+  global.fetch = realFetch;
+});
+
+describe("og handler — SSRF defense", () => {
+  it("rejects missing url with 400", async () => {
+    const { default: handler } = await handlerPromise;
+    const { res, status, json } = makeRes();
+    await handler(makeReq(undefined), res);
+    expect(status).toHaveBeenCalledWith(400);
+    expect(json).toHaveBeenCalledWith(expect.objectContaining({ error: expect.stringMatching(/missing/i) }));
+  });
+
+  it("rejects http:// URLs with 400", async () => {
+    const { default: handler } = await handlerPromise;
+    const { res, status } = makeRes();
+    await handler(makeReq("http://github.com/example"), res);
+    expect(status).toHaveBeenCalledWith(400);
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  it("rejects IMDS URL (http://169.254.169.254/...) — TRIPWIRE", async () => {
+    // This test is the one we never let regress. AWS instance metadata URL.
+    // Even if someone allowlists `*` for OG_ALLOWED_HOSTS, the http:// scheme
+    // check rejects this immediately. No DNS lookup, no fetch.
+    const { default: handler } = await handlerPromise;
+    const { res, status } = makeRes();
+    await handler(makeReq("http://169.254.169.254/latest/meta-data/"), res);
+    expect(status).toHaveBeenCalledWith(400);
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  it("rejects https IMDS-style URL when wildcard hosts but private IP", async () => {
+    // Even with OG_ALLOWED_HOSTS=*, the DNS / address-class check must reject
+    // direct private-IP literals, including the link-local 169.254.0.0/16.
+    envState.OG_ALLOWED_HOSTS = "*";
+    const { default: handler } = await handlerPromise;
+    const { res, status, json } = makeRes();
+    await handler(makeReq("https://169.254.169.254/"), res);
+    expect(status).toHaveBeenCalledWith(400);
+    expect(json).toHaveBeenCalledWith(expect.objectContaining({ error: expect.stringMatching(/private|loopback/i) }));
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  it("rejects host not on the allowlist with 400", async () => {
+    envState.OG_ALLOWED_HOSTS = "github.com,x.com";
+    const { default: handler } = await handlerPromise;
+    const { res, status } = makeRes();
+    await handler(makeReq("https://evil.example.com/"), res);
+    expect(status).toHaveBeenCalledWith(400);
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  it("rejects when DNS resolves to an RFC1918 address", async () => {
+    envState.OG_ALLOWED_HOSTS = "internal.example.com";
+    dnsLookupMock.mockResolvedValueOnce([{ address: "10.0.0.5", family: 4 }]);
+    const { default: handler } = await handlerPromise;
+    const { res, status, json } = makeRes();
+    await handler(makeReq("https://internal.example.com/"), res);
+    expect(status).toHaveBeenCalledWith(400);
+    expect(json).toHaveBeenCalledWith(expect.objectContaining({ error: expect.stringMatching(/private|loopback/i) }));
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+
+  it("rejects when upstream returns a redirect (no auto-follow)", async () => {
+    envState.OG_ALLOWED_HOSTS = "github.com";
+    dnsLookupMock.mockResolvedValueOnce([{ address: "140.82.114.4", family: 4 }]);
+    fetchMock.mockResolvedValueOnce(
+      new Response(null, { status: 302, headers: { location: "http://169.254.169.254/" } }),
+    );
+    const { default: handler } = await handlerPromise;
+    const { res, status } = makeRes();
+    await handler(makeReq("https://github.com/example"), res);
+    expect(status).toHaveBeenCalledWith(500);
+  });
+
+  it("returns 200 with extracted OG metadata for an allowlisted public host", async () => {
+    envState.OG_ALLOWED_HOSTS = "example.com";
+    dnsLookupMock.mockResolvedValueOnce([{ address: "93.184.216.34", family: 4 }]);
+    const html = `<html><head>
+      <meta property="og:title" content="Hello"/>
+      <meta property="og:description" content="World"/>
+      <meta property="og:image" content="https://example.com/img.png"/>
+      <meta property="og:site_name" content="Example"/>
+    </head></html>`;
+    fetchMock.mockResolvedValueOnce(new Response(html, { status: 200 }));
+    const { default: handler } = await handlerPromise;
+    const { res, status, json } = makeRes();
+    await handler(makeReq("https://example.com/page"), res);
+    expect(status).toHaveBeenCalledWith(200);
+    expect(json).toHaveBeenCalledWith(
+      expect.objectContaining({
+        title: "Hello",
+        description: "World",
+        image: "https://example.com/img.png",
+        siteName: "Example",
+      }),
+    );
+  });
+});
diff --git a/src/__tests__/pendingTransactions.test.ts b/src/__tests__/pendingTransactions.test.ts
index bfa54ab8..bef748cc 100644
--- a/src/__tests__/pendingTransactions.test.ts
+++ b/src/__tests__/pendingTransactions.test.ts
@@ -4,47 +4,73 @@ import type { NextApiRequest, NextApiResponse } from 'next';
 const addCorsCacheBustingHeadersMock = jest.fn<(res: NextApiResponse) => void>();
 const corsMock = jest.fn<(req: NextApiRequest, res: NextApiResponse) => Promise<void>>();
 
-jest.mock(
+jest.unstable_mockModule(
   '@/lib/cors',
   () => ({
     __esModule: true,
     addCorsCacheBustingHeaders: addCorsCacheBustingHeadersMock,
     cors: corsMock,
   }),
-  { virtual: true },
 );
 
-const verifyJwtMock = jest.fn<(token: string | undefined) => { address: string } | null>();
+type JwtPayloadLike = { address: string; botId?: string; type?: string };
+const verifyJwtMock = jest.fn<(token: string | undefined) => JwtPayloadLike | null>();
+const isBotJwtMock = jest.fn<(payload: JwtPayloadLike) => boolean>(
+  (payload) => Boolean(payload && (payload as JwtPayloadLike).type === "bot"),
+);
 
-jest.mock(
+jest.unstable_mockModule(
   '@/lib/verifyJwt',
   () => ({
     __esModule: true,
     verifyJwt: verifyJwtMock,
+    isBotJwt: isBotJwtMock,
+  }),
+);
+
+const applyRateLimitMock = jest.fn<
+  (req: NextApiRequest, res: NextApiResponse, options?: unknown) => boolean
+>(() => true);
+const applyBotRateLimitMock = jest.fn<
+  (req: NextApiRequest, res: NextApiResponse, botId: string, maxRequests?: number) => boolean
+>(() => true);
+const applyStrictRateLimitMock = jest.fn<
+  (req: NextApiRequest, res: NextApiResponse, options?: unknown) => boolean
+>(() => true);
+const enforceBodySizeMock = jest.fn<
+  (req: NextApiRequest, res: NextApiResponse, maxBytes: number) => boolean
+>(() => true);
+
+jest.unstable_mockModule(
+  '@/lib/security/requestGuards',
+  () => ({
+    __esModule: true,
+    applyRateLimit: applyRateLimitMock,
+    applyBotRateLimit: applyBotRateLimitMock,
+    applyStrictRateLimit: applyStrictRateLimitMock,
+    enforceBodySize: enforceBodySizeMock,
+    isBodyTooLarge: jest.fn(() => false),
   }),
-  { virtual: true },
 );
 
 const createCallerMock = jest.fn();
 
-jest.mock(
+jest.unstable_mockModule(
   '@/server/api/root',
   () => ({
     __esModule: true,
     createCaller: createCallerMock,
   }),
-  { virtual: true },
 );
 
 const dbMock = { __type: 'dbMock' };
 
-jest.mock(
+jest.unstable_mockModule(
   '@/server/db',
   () => ({
     __esModule: true,
     db: dbMock,
   }),
-  { virtual: true },
 );
 
 type ResponseMock = NextApiResponse & { statusCode?: number };
@@ -164,13 +190,16 @@ describe('pendingTransactions API route', () => {
     expect(addCorsCacheBustingHeadersMock).toHaveBeenCalledWith(res);
     expect(corsMock).toHaveBeenCalledWith(req, res);
     expect(verifyJwtMock).toHaveBeenCalledWith(token);
-    expect(createCallerMock).toHaveBeenCalledWith({
-      db: dbMock,
-      session: expect.objectContaining({
-        user: { id: address },
-        expires: expect.any(String),
+    expect(createCallerMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        db: dbMock,
+        session: expect.objectContaining({
+          user: { id: address },
+          expires: expect.any(String),
+        }),
+        sessionAddress: address,
       }),
-    });
+    );
     expect(walletGetWalletMock).toHaveBeenCalledWith({ walletId, address });
     expect(transactionGetPendingTransactionsMock).toHaveBeenCalledWith({ walletId });
     expect(res.status).toHaveBeenCalledWith(200);
diff --git a/src/__tests__/setup.ts b/src/__tests__/setup.ts
index 8c3f3826..d9260246 100644
--- a/src/__tests__/setup.ts
+++ b/src/__tests__/setup.ts
@@ -1,5 +1,5 @@
 // Test setup file for Jest
-import '@jest/globals';
+import { jest, beforeEach, afterEach } from '@jest/globals';
 
 // Mock console methods to reduce noise in tests
 global.console = {
@@ -14,3 +14,34 @@ global.console = {
 
 // Global test timeout
 jest.setTimeout(10000);
+
+// Determinism: freeze the wall clock (`Date.now` / `new Date()`) so tests are
+// byte-identical across runs. Timer APIs (setTimeout/setInterval/etc) stay
+// real — many tests in this suite hit tRPC's timing middleware and other
+// real-async paths that hang under faked timers. Tests that specifically
+// exercise timer behavior can opt in via `jest.useFakeTimers()` in `beforeAll`.
+beforeEach(() => {
+  jest.useFakeTimers({
+    now: new Date('2026-01-01T00:00:00Z'),
+    doNotFake: [
+      'nextTick',
+      'setImmediate',
+      'clearImmediate',
+      'queueMicrotask',
+      'setTimeout',
+      'clearTimeout',
+      'setInterval',
+      'clearInterval',
+      'requestAnimationFrame',
+      'cancelAnimationFrame',
+      'requestIdleCallback',
+      'cancelIdleCallback',
+      'hrtime',
+      'performance',
+    ],
+  });
+});
+
+afterEach(() => {
+  jest.useRealTimers();
+});
diff --git a/src/__tests__/setupEnv.cjs b/src/__tests__/setupEnv.cjs
new file mode 100644
index 00000000..1314d88b
--- /dev/null
+++ b/src/__tests__/setupEnv.cjs
@@ -0,0 +1,21 @@
+// @ts-nocheck — env bootstrap; checkJs flags `NODE_ENV` as read-only
+// because @types/node narrows it to a literal union, but writing it here
+// is intentional and safe (runs before any test module is imported).
+//
+// Sets dummy env vars so that `src/env.js` (t3-oss validate) does not throw
+// when test files import server modules transitively.
+// Tests that need real values can override per-test with `process.env.X = ...`
+// inside `beforeEach`.
+
+process.env['NODE_ENV'] = process.env['NODE_ENV'] || 'test';
+process.env.SKIP_ENV_VALIDATION = '1';
+
+process.env.DATABASE_URL = process.env.DATABASE_URL || 'postgresql://test:test@localhost:5432/test';
+process.env.JWT_SECRET = process.env.JWT_SECRET || 'a'.repeat(48);
+process.env.PINATA_JWT = process.env.PINATA_JWT || 'test-pinata-jwt';
+
+process.env.NEXT_PUBLIC_BLOCKFROST_API_KEY_MAINNET =
+  process.env.NEXT_PUBLIC_BLOCKFROST_API_KEY_MAINNET || 'test-blockfrost-mainnet';
+process.env.NEXT_PUBLIC_BLOCKFROST_API_KEY_PREPROD =
+  process.env.NEXT_PUBLIC_BLOCKFROST_API_KEY_PREPROD || 'test-blockfrost-preprod';
+process.env.NEXT_PUBLIC_NETWORK_ID = process.env.NEXT_PUBLIC_NETWORK_ID || '0';
diff --git a/src/__tests__/signTransaction.test.ts b/src/__tests__/signTransaction.test.ts
index f4b2e873..41167d64 100644
--- a/src/__tests__/signTransaction.test.ts
+++ b/src/__tests__/signTransaction.test.ts
@@ -4,64 +4,73 @@ import type { NextApiRequest, NextApiResponse } from 'next';
 const addCorsCacheBustingHeadersMock = jest.fn<(res: NextApiResponse) => void>();
 const corsMock = jest.fn<(req: NextApiRequest, res: NextApiResponse) => Promise<void>>();
 
-jest.mock(
+jest.unstable_mockModule(
   '@/lib/cors',
   () => ({
     __esModule: true,
     addCorsCacheBustingHeaders: addCorsCacheBustingHeadersMock,
     cors: corsMock,
   }),
-  { virtual: true },
 );
 
-const verifyJwtMock = jest.fn<(token: string | undefined) => { address: string } | null>();
+type JwtPayloadLike = { address: string; botId?: string; type?: string };
+const verifyJwtMock = jest.fn<(token: string | undefined) => JwtPayloadLike | null>();
+const isBotJwtMock = jest.fn<(payload: JwtPayloadLike) => boolean>(
+  (payload) => Boolean(payload && (payload as JwtPayloadLike).type === "bot"),
+);
 
-jest.mock(
+jest.unstable_mockModule(
   '@/lib/verifyJwt',
   () => ({
     __esModule: true,
     verifyJwt: verifyJwtMock,
+    isBotJwt: isBotJwtMock,
   }),
-  { virtual: true },
 );
 
 const applyRateLimitMock = jest.fn<
   (req: NextApiRequest, res: NextApiResponse, options?: unknown) => boolean
 >();
+const applyStrictRateLimitMock = jest.fn<
+  (req: NextApiRequest, res: NextApiResponse, options?: unknown) => boolean
+>();
+const applyBotRateLimitMock = jest.fn<
+  (req: NextApiRequest, res: NextApiResponse, botId: string, maxRequests?: number) => boolean
+>();
 const enforceBodySizeMock = jest.fn<
   (req: NextApiRequest, res: NextApiResponse, maxBytes: number) => boolean
 >();
 
-jest.mock(
+jest.unstable_mockModule(
   '@/lib/security/requestGuards',
   () => ({
     __esModule: true,
     applyRateLimit: applyRateLimitMock,
+    applyStrictRateLimit: applyStrictRateLimitMock,
+    applyBotRateLimit: applyBotRateLimitMock,
     enforceBodySize: enforceBodySizeMock,
+    isBodyTooLarge: jest.fn(() => false),
   }),
-  { virtual: true },
 );
 
 const getClientIPMock = jest.fn<(req: NextApiRequest) => string>();
 
-jest.mock(
+jest.unstable_mockModule(
   '@/lib/security/rateLimit',
   () => ({
     __esModule: true,
     getClientIP: getClientIPMock,
   }),
-  { virtual: true },
 );
 
 const createCallerMock = jest.fn();
 
-jest.mock(
+jest.unstable_mockModule(
   '@/server/api/root',
   () => ({
     __esModule: true,
     createCaller: createCallerMock,
   }),
-  { virtual: true },
 );
 
 const dbTransactionFindUniqueMock = jest.fn<(args: unknown) => Promise<unknown>>();
@@ -79,35 +88,32 @@ const dbMock = {
   },
 };
 
-jest.mock(
+jest.unstable_mockModule(
   '@/server/db',
   () => ({
     __esModule: true,
     db: dbMock,
   }),
-  { virtual: true },
 );
 
 const getProviderMock = jest.fn<(network: number) => unknown>();
 
-jest.mock(
+jest.unstable_mockModule(
   '@/utils/get-provider',
   () => ({
     __esModule: true,
     getProvider: getProviderMock,
   }),
-  { virtual: true },
 );
 
 const addressToNetworkMock = jest.fn<(address: string) => number>();
 
-jest.mock(
+jest.unstable_mockModule(
   '@/utils/multisigSDK',
   () => ({
     __esModule: true,
     addressToNetwork: addressToNetworkMock,
   }),
-  { virtual: true },
 );
 
 const shouldSubmitMultisigTxMock = jest.fn<
@@ -132,7 +138,7 @@ const addUniqueVkeyWitnessToTxMock = jest.fn<
   }
 >();
 
-jest.mock(
+jest.unstable_mockModule(
   '@/utils/txSignUtils',
   () => ({
     __esModule: true,
@@ -141,18 +147,16 @@ jest.mock(
     shouldSubmitMultisigTx: shouldSubmitMultisigTxMock,
     submitTxWithScriptRecovery: submitTxWithScriptRecoveryMock,
   }),
-  { virtual: true },
 );
 
 const resolvePaymentKeyHashMock = jest.fn<(address: string) => string>();
 
-jest.mock(
+jest.unstable_mockModule(
   '@meshsdk/core',
   () => ({
     __esModule: true,
     resolvePaymentKeyHash: resolvePaymentKeyHashMock,
   }),
-  { virtual: true },
 );
 
 const witnessKeyHashHex = '00112233';
@@ -355,14 +359,13 @@ const cslMock = {
   Vkeywitnesses: MockVkeywitnesses,
 };
 
-jest.mock(
+jest.unstable_mockModule(
   '@meshsdk/core-csl',
   () => ({
     __esModule: true,
     csl: cslMock,
     calculateTxHash: calculateTxHashMock,
   }),
-  { virtual: true },
 );
 
 const consoleErrorSpy = jest
@@ -420,7 +423,15 @@ beforeEach(() => {
   addCorsCacheBustingHeadersMock.mockReset();
   createCallerMock.mockReset();
   verifyJwtMock.mockReset();
+  isBotJwtMock.mockReset();
+  isBotJwtMock.mockImplementation(
+    (payload) => Boolean(payload && (payload as JwtPayloadLike).type === "bot"),
+  );
   applyRateLimitMock.mockReset();
+  applyStrictRateLimitMock.mockReset();
+  applyBotRateLimitMock.mockReset();
+  applyBotRateLimitMock.mockReturnValue(true);
+  applyStrictRateLimitMock.mockReturnValue(true);
   enforceBodySizeMock.mockReset();
   getClientIPMock.mockReset();
 
@@ -456,7 +467,7 @@ beforeEach(() => {
     for (let i = 0; i < existingWitnessCount; i++) {
       const existingWitness = mergedWitnesses.get(i);
       const existingKeyHash = Buffer.from(
-        existingWitness.vkey().public_key().hash().to_bytes(),
+        existingWitness!.vkey().public_key().hash().to_bytes(),
       ).toString('hex').toLowerCase();
 
       if (existingKeyHash === incomingKeyHash) {
diff --git a/src/__tests__/signing.test.ts b/src/__tests__/signing.test.ts
new file mode 100644
index 00000000..81d46b3d
--- /dev/null
+++ b/src/__tests__/signing.test.ts
@@ -0,0 +1,107 @@
+import fs from "fs";
+import path from "path";
+import { fileURLToPath } from "url";
+import { describe, expect, it, jest } from "@jest/globals";
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+// ---------------------------------------------------------------------------
+// Tripwire: the "broken" pattern — `return true ? signature : undefined;`
+// must never reappear in `src/utils/signing.ts`. It both throws away the
+// `checkSignature` result and obscures the actual signing contract. The
+// regression we fixed here was that a failed signature verification still
+// returned a (forged-looking) signature to the caller because the ternary
+// was always truthy.
+// ---------------------------------------------------------------------------
+describe("signing.ts source contract", () => {
+  it("never returns the always-true ternary on the verification result", () => {
+    const src = fs.readFileSync(
+      path.resolve(__dirname, "../utils/signing.ts"),
+      "utf8",
+    );
+    expect(src).not.toMatch(/return\s+true\s*\?/);
+    // Positive: the verified result must drive an explicit `if (!verified)`
+    // throw. The exact identifier we use is `verified` — accept either name
+    // so a future rename doesn't trip the tripwire.
+    expect(src).toMatch(/if\s*\(\s*!\s*(verified|result)\b/);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Behavioural: import the real `sign` and exercise every role plus the
+// failure path. We mock the @meshsdk/core helpers because they pull in
+// CSL/serialization which is heavyweight for a unit test.
+// ---------------------------------------------------------------------------
+const checkSignatureMock = jest.fn<
+  (nonce: string, signature: { signature: string; key: string }, address?: string) => Promise<boolean>
+>();
+const generateNonceMock = jest.fn<(payload: string) => string>();
+
+jest.unstable_mockModule("@meshsdk/core", () => ({
+  __esModule: true,
+  checkSignature: checkSignatureMock,
+  generateNonce: generateNonceMock,
+}));
+
+const { sign } = await import("../utils/signing");
+
+type MockWallet = {
+  signData: jest.Mock<(payload: string, address?: string) => Promise<{ signature: string; key: string }>>;
+  getRewardAddresses: jest.Mock<() => Promise<string[]>>;
+};
+
+function createWallet(overrides?: Partial<MockWallet>): MockWallet {
+  return {
+    signData: jest.fn<(payload: string, address?: string) => Promise<{ signature: string; key: string }>>(
+      async () => ({ signature: "deadbeef", key: "cafe" }),
+    ),
+    getRewardAddresses: jest.fn<() => Promise<string[]>>(async () => ["stake_addr"]),
+    ...overrides,
+  } as MockWallet;
+}
+
+describe("sign", () => {
+  beforeEach(() => {
+    checkSignatureMock.mockReset();
+    generateNonceMock.mockReset();
+    generateNonceMock.mockReturnValue("nonce-payload");
+  });
+
+  it("role=0 signs with the user payment address and returns the signature", async () => {
+    checkSignatureMock.mockResolvedValueOnce(true);
+    const wallet = createWallet();
+    const sig = await sign("payload", wallet as never, 0, "addr_test_user");
+    expect(sig).toEqual({ signature: "deadbeef", key: "cafe" });
+    expect(wallet.signData).toHaveBeenCalledWith("payload", "addr_test_user");
+  });
+
+  it("role=2 signs with the wallet's reward (stake) address", async () => {
+    checkSignatureMock.mockResolvedValueOnce(true);
+    const wallet = createWallet();
+    await sign("payload", wallet as never, 2);
+    expect(wallet.getRewardAddresses).toHaveBeenCalled();
+    expect(wallet.signData).toHaveBeenCalledWith("payload", "stake_addr");
+  });
+
+  it("role=3 requires an explicit dRepAddress and uses it", async () => {
+    checkSignatureMock.mockResolvedValueOnce(true);
+    const wallet = createWallet();
+    await sign("payload", wallet as never, 3, undefined, "drep_xxx");
+    expect(wallet.signData).toHaveBeenCalledWith("payload", "drep_xxx");
+  });
+
+  it("throws when the chosen role has no resolved address", async () => {
+    const wallet = createWallet();
+    await expect(sign("payload", wallet as never, 0, undefined)).rejects.toThrow(
+      /missing address/i,
+    );
+  });
+
+  it("throws when checkSignature returns false (no silent ternary fallback)", async () => {
+    checkSignatureMock.mockResolvedValueOnce(false);
+    const wallet = createWallet();
+    await expect(sign("payload", wallet as never, 0, "addr_test_user")).rejects.toThrow(
+      /Signature failed verification/i,
+    );
+  });
+});
diff --git a/src/components/ui/form.tsx b/src/components/ui/form.tsx
deleted file mode 100644
index f6afdaf2..00000000
--- a/src/components/ui/form.tsx
+++ /dev/null
@@ -1,176 +0,0 @@
-import * as React from "react"
-import * as LabelPrimitive from "@radix-ui/react-label"
-import { Slot } from "@radix-ui/react-slot"
-import {
-  Controller,
-  ControllerProps,
-  FieldPath,
-  FieldValues,
-  FormProvider,
-  useFormContext,
-} from "react-hook-form"
-
-import { cn } from "@/lib/utils"
-import { Label } from "@/components/ui/label"
-
-const Form = FormProvider
-
-type FormFieldContextValue<
-  TFieldValues extends FieldValues = FieldValues,
-  TName extends FieldPath<TFieldValues> = FieldPath<TFieldValues>
-> = {
-  name: TName
-}
-
-const FormFieldContext = React.createContext<FormFieldContextValue>(
-  {} as FormFieldContextValue
-)
-
-const FormField = <
-  TFieldValues extends FieldValues = FieldValues,
-  TName extends FieldPath<TFieldValues> = FieldPath<TFieldValues>
->({
-  ...props
-}: ControllerProps<TFieldValues, TName>) => {
-  return (
-    <FormFieldContext.Provider value={{ name: props.name }}>
-      <Controller {...props} />
-    </FormFieldContext.Provider>
-  )
-}
-
-const useFormField = () => {
-  const fieldContext = React.useContext(FormFieldContext)
-  const itemContext = React.useContext(FormItemContext)
-  const { getFieldState, formState } = useFormContext()
-
-  const fieldState = getFieldState(fieldContext.name, formState)
-
-  if (!fieldContext) {
-    throw new Error("useFormField should be used within <FormField>")
-  }
-
-  const { id } = itemContext
-
-  return {
-    id,
-    name: fieldContext.name,
-    formItemId: `${id}-form-item`,
-    formDescriptionId: `${id}-form-item-description`,
-    formMessageId: `${id}-form-item-message`,
-    ...fieldState,
-  }
-}
-
-type FormItemContextValue = {
-  id: string
-}
-
-const FormItemContext = React.createContext<FormItemContextValue>(
-  {} as FormItemContextValue
-)
-
-const FormItem = React.forwardRef<
-  HTMLDivElement,
-  React.HTMLAttributes<HTMLDivElement>
->(({ className, ...props }, ref) => {
-  const id = React.useId()
-
-  return (
-    <FormItemContext.Provider value={{ id }}>
-      <div ref={ref} className={cn("space-y-2", className)} {...props} />
-    </FormItemContext.Provider>
-  )
-})
-FormItem.displayName = "FormItem"
-
-const FormLabel = React.forwardRef<
-  React.ElementRef<typeof LabelPrimitive.Root>,
-  React.ComponentPropsWithoutRef<typeof LabelPrimitive.Root>
->(({ className, ...props }, ref) => {
-  const { error, formItemId } = useFormField()
-
-  return (
-    <Label
-      ref={ref}
-      className={cn(error && "text-destructive", className)}
-      htmlFor={formItemId}
-      {...props}
-    />
-  )
-})
-FormLabel.displayName = "FormLabel"
-
-const FormControl = React.forwardRef<
-  React.ElementRef<typeof Slot>,
-  React.ComponentPropsWithoutRef<typeof Slot>
->(({ ...props }, ref) => {
-  const { error, formItemId, formDescriptionId, formMessageId } = useFormField()
-
-  return (
-    <Slot
-      ref={ref}
-      id={formItemId}
-      aria-describedby={
-        !error
-          ? `${formDescriptionId}`
-          : `${formDescriptionId} ${formMessageId}`
-      }
-      aria-invalid={!!error}
-      {...props}
-    />
-  )
-})
-FormControl.displayName = "FormControl"
-
-const FormDescription = React.forwardRef<
-  HTMLParagraphElement,
-  React.HTMLAttributes<HTMLParagraphElement>
->(({ className, ...props }, ref) => {
-  const { formDescriptionId } = useFormField()
-
-  return (
-    <p
-      ref={ref}
-      id={formDescriptionId}
-      className={cn("text-[0.8rem] text-muted-foreground", className)}
-      {...props}
-    />
-  )
-})
-FormDescription.displayName = "FormDescription"
-
-const FormMessage = React.forwardRef<
-  HTMLParagraphElement,
-  React.HTMLAttributes<HTMLParagraphElement>
->(({ className, children, ...props }, ref) => {
-  const { error, formMessageId } = useFormField()
-  const body = error ? String(error?.message) : children
-
-  if (!body) {
-    return null
-  }
-
-  return (
-    <p
-      ref={ref}
-      id={formMessageId}
-      className={cn("text-[0.8rem] font-medium text-destructive", className)}
-      {...props}
-    >
-      {body}
-    </p>
-  )
-})
-FormMessage.displayName = "FormMessage"
-
-export {
-  useFormField,
-  Form,
-  FormItem,
-  FormLabel,
-  FormControl,
-  FormDescription,
-  FormMessage,
-  FormField,
-}
diff --git a/src/env.js b/src/env.js
index a60d68ea..50aeb0f7 100644
--- a/src/env.js
+++ b/src/env.js
@@ -17,6 +17,12 @@ export const env = createEnv({
     JWT_SECRET: z.string().min(32),
     BLOCKFROST_API_KEY_PREPROD: z.string().optional(),
     BLOCKFROST_API_KEY_MAINNET: z.string().optional(),
+    /**
+     * Comma-separated list of hostnames the OG metadata fetcher (`/api/v1/og`)
+     * is allowed to talk to. Defaults to a small allow-list when unset; set to
+     * "*" to allow any public hostname (still SSRF-guarded against private ranges).
+     */
+    OG_ALLOWED_HOSTS: z.string().optional(),
     // NEXTAUTH_SECRET / NEXTAUTH_URL / DISCORD_* are intentionally commented.
     // NextAuth runs with PrismaAdapter only — no auth providers configured yet.
     // Uncomment and add to runtimeEnv below when adding an OAuth provider.
@@ -76,6 +82,7 @@ export const env = createEnv({
     JWT_SECRET: process.env.JWT_SECRET,
     BLOCKFROST_API_KEY_PREPROD: process.env.BLOCKFROST_API_KEY_PREPROD,
     BLOCKFROST_API_KEY_MAINNET: process.env.BLOCKFROST_API_KEY_MAINNET,
+    OG_ALLOWED_HOSTS: process.env.OG_ALLOWED_HOSTS,
   },
   /**
    * Run `build` or `dev` with `SKIP_ENV_VALIDATION` to skip env validation. This is especially
diff --git a/src/lib/auth/walletSession.ts b/src/lib/auth/walletSession.ts
index bbf86437..88d39246 100644
--- a/src/lib/auth/walletSession.ts
+++ b/src/lib/auth/walletSession.ts
@@ -1,4 +1,6 @@
-import { sign, verify } from "jsonwebtoken";
+import jwt from "jsonwebtoken";
+
+const { sign, verify } = jwt;
 import type { NextApiRequest, NextApiResponse } from "next";
 import { env } from "@/env";
 
diff --git a/src/lib/observability/audit.ts b/src/lib/observability/audit.ts
new file mode 100644
index 00000000..890b3615
--- /dev/null
+++ b/src/lib/observability/audit.ts
@@ -0,0 +1,54 @@
+/**
+ * Append-only AuditLog emitter.
+ *
+ * Use for security-relevant events: auth flows, privilege grants, wallet
+ * mutations, signing actions. Failures to write are logged but never thrown —
+ * an audit miss must not break the user-facing flow.
+ */
+
+import type { PrismaClient } from "@prisma/client";
+import { logger, redact } from "./logger";
+
+export type AuditOutcome = "success" | "denied" | "error";
+export type AuditActorType = "user" | "bot" | "system";
+
+export type AuditEvent = {
+  actorAddress?: string | null;
+  actorType: AuditActorType;
+  action: string;
+  resourceType?: string | null;
+  resourceId?: string | null;
+  ip?: string | null;
+  userAgent?: string | null;
+  outcome: AuditOutcome;
+  reason?: string | null;
+  metadata?: Record<string, unknown>;
+};
+
+export async function audit(db: PrismaClient, event: AuditEvent): Promise<void> {
+  try {
+    const safeMetadata =
+      event.metadata !== undefined
+        ? (redact(event.metadata) as Record<string, unknown>)
+        : undefined;
+    await db.auditLog.create({
+      data: {
+        actorAddress: event.actorAddress ?? null,
+        actorType: event.actorType,
+        action: event.action,
+        resourceType: event.resourceType ?? null,
+        resourceId: event.resourceId ?? null,
+        ip: event.ip ?? null,
+        userAgent: event.userAgent ?? null,
+        outcome: event.outcome,
+        reason: event.reason ?? null,
+        metadata: safeMetadata as never,
+      },
+    });
+  } catch (err) {
+    logger.warn("audit.emit_failed", {
+      action: event.action,
+      err: err instanceof Error ? err.message : String(err),
+    });
+  }
+}
diff --git a/src/lib/observability/logger.ts b/src/lib/observability/logger.ts
new file mode 100644
index 00000000..5b9ce794
--- /dev/null
+++ b/src/lib/observability/logger.ts
@@ -0,0 +1,80 @@
+/**
+ * Structured logger.
+ *
+ * - Production: emits one JSON line per call to stdout/stderr.
+ * - Development: emits a single human-readable line.
+ *
+ * Built on console; no extra deps. Never logs raw tokens, signatures, or
+ * cookies — callers should pre-redact.
+ */
+
+const isProd = process.env.NODE_ENV === "production";
+
+const SECRET_KEYS = new Set([
+  "access_token",
+  "refresh_token",
+  "id_token",
+  "client_secret",
+  "authorization",
+  "cookie",
+  "set-cookie",
+  "password",
+  "jwt",
+  "token",
+  "secret",
+  "apiKey",
+  "api_key",
+]);
+
+export function redact(value: unknown): unknown {
+  if (value === null || value === undefined) return value;
+  if (Array.isArray(value)) return value.map(redact);
+  if (typeof value !== "object") return value;
+  const obj = value as Record<string, unknown>;
+  const out: Record<string, unknown> = {};
+  for (const [k, v] of Object.entries(obj)) {
+    if (SECRET_KEYS.has(k.toLowerCase())) {
+      out[k] = "[REDACTED]";
+    } else {
+      out[k] = redact(v);
+    }
+  }
+  return out;
+}
+
+type LogLevel = "debug" | "info" | "warn" | "error";
+
+function emit(level: LogLevel, msg: string, ctx?: Record<string, unknown>) {
+  const safeCtx = ctx ? (redact(ctx) as Record<string, unknown>) : undefined;
+  if (isProd) {
+    const line = JSON.stringify({
+      ts: new Date().toISOString(),
+      level,
+      msg,
+      ...(safeCtx ? { ctx: safeCtx } : {}),
+    });
+    if (level === "error") {
+      console.error(line);
+    } else if (level === "warn") {
+      console.warn(line);
+    } else {
+      console.log(line);
+    }
+    return;
+  }
+  // Dev: pretty
+  const fn =
+    level === "error" ? console.error : level === "warn" ? console.warn : console.log;
+  if (safeCtx) {
+    fn(`[${level}] ${msg}`, safeCtx);
+  } else {
+    fn(`[${level}] ${msg}`);
+  }
+}
+
+export const logger = {
+  debug: (msg: string, ctx?: Record<string, unknown>) => emit("debug", msg, ctx),
+  info: (msg: string, ctx?: Record<string, unknown>) => emit("info", msg, ctx),
+  warn: (msg: string, ctx?: Record<string, unknown>) => emit("warn", msg, ctx),
+  error: (msg: string, ctx?: Record<string, unknown>) => emit("error", msg, ctx),
+};
diff --git a/src/lib/security/rateLimit.ts b/src/lib/security/rateLimit.ts
index 291baad3..33ad986e 100644
--- a/src/lib/security/rateLimit.ts
+++ b/src/lib/security/rateLimit.ts
@@ -44,5 +44,5 @@ export function getClientIP(req: any): string {
     return realIP;
   }
   
-  return req.socket.remoteAddress ?? 'unknown';
+  return req.socket?.remoteAddress ?? 'unknown';
 }
diff --git a/src/lib/verifyJwt.ts b/src/lib/verifyJwt.ts
index 5ac1aee5..a790c755 100644
--- a/src/lib/verifyJwt.ts
+++ b/src/lib/verifyJwt.ts
@@ -1,4 +1,6 @@
-import { verify } from "jsonwebtoken";
+import jwt from "jsonwebtoken";
+
+const { verify } = jwt;
 
 export type JwtPayload =
   | { address: string; botId?: undefined; type?: undefined }
diff --git a/src/pages/api/auth/discord/callback.ts b/src/pages/api/auth/discord/callback.ts
index 98b221d9..e5a2b127 100644
--- a/src/pages/api/auth/discord/callback.ts
+++ b/src/pages/api/auth/discord/callback.ts
@@ -1,5 +1,48 @@
 import { type NextApiRequest, type NextApiResponse } from "next";
+import jwt from "jsonwebtoken";
 import { db } from "@/server/db";
+import { audit } from "@/lib/observability/audit";
+import { getClientIP } from "@/lib/security/rateLimit";
+
+const { verify } = jwt;
+
+type DiscordOAuthState = {
+  address: string;
+  // short-lived nonce; binding to a session cookie is the long-term fix but
+  // a signed, time-bound state already closes the open-redirect/CSRF that
+  // shipped before (raw `state = userAddress` was attacker-forgeable).
+  nonce: string;
+};
+
+function verifyState(raw: string): DiscordOAuthState | null {
+  const secret = process.env.JWT_SECRET;
+  if (!secret) return null;
+  try {
+    const payload = verify(raw, secret) as Partial<DiscordOAuthState>;
+    if (!payload || typeof payload.address !== "string" || typeof payload.nonce !== "string") {
+      return null;
+    }
+    return { address: payload.address, nonce: payload.nonce };
+  } catch {
+    return null;
+  }
+}
+
+const REDACT_KEYS = new Set([
+  "access_token",
+  "refresh_token",
+  "id_token",
+  "client_secret",
+]);
+
+function redactSecrets(obj: unknown): unknown {
+  if (obj === null || typeof obj !== "object") return obj;
+  const out: Record<string, unknown> = {};
+  for (const [k, v] of Object.entries(obj as Record<string, unknown>)) {
+    out[k] = REDACT_KEYS.has(k) ? "[REDACTED]" : v;
+  }
+  return out;
+}
 
 export default async function handler(
   req: NextApiRequest,
@@ -7,15 +50,27 @@ export default async function handler(
 ) {
   const { code, state } = req.query;
 
-  if (!code) {
+  if (!code || typeof code !== "string") {
     return res.status(400).json({ error: "No code provided" });
   }
 
-  if (!state) {
+  if (!state || typeof state !== "string") {
     return res.status(400).json({ error: "No state provided" });
   }
 
-  const userAddress = decodeURIComponent(state as string);
+  const verifiedState = verifyState(state);
+  if (!verifiedState) {
+    void audit(db, {
+      actorType: "user",
+      action: "auth.discord.state_invalid",
+      ip: getClientIP(req),
+      userAgent: req.headers["user-agent"] ?? null,
+      outcome: "denied",
+      reason: "Invalid or expired state",
+    });
+    return res.status(400).json({ error: "Invalid or expired state" });
+  }
+  const userAddress = verifiedState.address;
 
   try {
     const redirectUri =
@@ -26,57 +81,61 @@ export default async function handler(
     const params = new URLSearchParams({
       client_id: process.env.DISCORD_CLIENT_ID!,
       client_secret: process.env.DISCORD_CLIENT_SECRET!,
-      code: code as string,
+      code,
       grant_type: "authorization_code",
       redirect_uri: redirectUri,
     });
 
-    // Log exactly what you’re sending:
-    console.log("→ [Discord Token] POST body:", params.toString());
-
     const tokenResponse = await fetch("https://discord.com/api/oauth2/token", {
       method: "POST",
       body: params,
       headers: { "Content-Type": "application/x-www-form-urlencoded" },
     });
 
-    // Read it once as text, then JSON.parse
     const raw = await tokenResponse.text();
-    console.log("← [Discord Token] status:", tokenResponse.status);
-    console.log("← [Discord Token] body:", raw);
-
-    let tokens;
+    let tokens: Record<string, unknown>;
     try {
-      tokens = JSON.parse(raw);
+      tokens = JSON.parse(raw) as Record<string, unknown>;
     } catch {
-      throw new Error("Discord returned non‑JSON on token exchange");
+      console.error("[Discord Token] non-JSON response", { status: tokenResponse.status });
+      throw new Error("Discord returned non-JSON on token exchange");
     }
 
     if (tokens.error) {
-      console.error(
-        "↪︎ [Discord Token] error_description:",
-        tokens.error_description,
-      );
-      return res.status(400).json({ error: tokens.error_description });
+      console.error("[Discord Token] error", redactSecrets(tokens));
+      return res.status(400).json({ error: tokens.error_description ?? "Discord token error" });
+    }
+
+    const accessToken = typeof tokens.access_token === "string" ? tokens.access_token : null;
+    if (!accessToken) {
+      return res.status(400).json({ error: "No access token from Discord" });
     }
 
-    // Get user info using the access token
     const userResponse = await fetch("https://discord.com/api/users/@me", {
       headers: {
-        Authorization: `Bearer ${tokens.access_token}`,
+        Authorization: `Bearer ${accessToken}`,
         "Content-Type": "application/json",
       },
     });
 
-    const user = await userResponse.json();
-    if (user) {
-      // Store Discord ID in database
+    const user = (await userResponse.json()) as { id?: string } | null;
+    if (user?.id) {
       await db.user.update({
         where: { address: userAddress },
         data: { discordId: user.id },
       });
 
-      // Check if user is in the guild
+      void audit(db, {
+        actorAddress: userAddress,
+        actorType: "user",
+        action: "auth.discord.linked",
+        resourceType: "user",
+        resourceId: userAddress,
+        ip: getClientIP(req),
+        userAgent: req.headers["user-agent"] ?? null,
+        outcome: "success",
+      });
+
       const guildId = process.env.DISCORD_GUILD_ID;
       const guildMemberCheck = await fetch(
         `https://discord.com/api/v10/guilds/${guildId}/members/${user.id}`,
@@ -88,15 +147,13 @@ export default async function handler(
       );
 
       if (guildMemberCheck.status === 404) {
-        // Redirect to invite link
         return res.redirect("https://discord.gg/DkNPvvGTqK");
       }
     }
 
-    // Then redirect
     res.redirect("/");
   } catch (error) {
-    console.error("Discord auth error:", error);
+    console.error("Discord auth error:", error instanceof Error ? error.message : "unknown");
     res.status(500).json({ error: "Failed to authenticate with Discord" });
   }
 }
diff --git a/src/pages/api/auth/discord/start.ts b/src/pages/api/auth/discord/start.ts
new file mode 100644
index 00000000..28960f72
--- /dev/null
+++ b/src/pages/api/auth/discord/start.ts
@@ -0,0 +1,55 @@
+import { type NextApiRequest, type NextApiResponse } from "next";
+import jwt from "jsonwebtoken";
+import { randomBytes } from "crypto";
+import { env } from "@/env";
+import { getWalletSessionFromReq } from "@/lib/auth/walletSession";
+
+const { sign } = jwt;
+
+// Mints a signed, short-lived OAuth state token and returns the Discord
+// authorize URL. The state is a JWT bound to the caller's session address
+// plus a random nonce; the callback (`/api/auth/discord/callback.ts`)
+// verifies it before binding a discord ID. Without this, the previous
+// `state = userAddress` shape was forgeable and CSRF-able.
+export default async function handler(
+  req: NextApiRequest,
+  res: NextApiResponse,
+) {
+  if (req.method !== "GET") {
+    res.setHeader("Allow", "GET");
+    return res.status(405).json({ error: "Method not allowed" });
+  }
+
+  const session = getWalletSessionFromReq(req);
+  const primary = session?.primaryWallet ?? session?.wallets?.[0];
+  if (!primary) {
+    return res.status(401).json({ error: "Not authenticated" });
+  }
+
+  const clientId = process.env.NEXT_PUBLIC_DISCORD_CLIENT_ID;
+  if (!clientId) {
+    return res.status(500).json({ error: "Discord client not configured" });
+  }
+
+  const redirectBase =
+    env.NODE_ENV === "production"
+      ? "https://multisig.meshjs.dev"
+      : "http://localhost:3000";
+  const redirectUri = `${redirectBase}/api/auth/discord/callback`;
+
+  const nonce = randomBytes(16).toString("hex");
+  const state = sign(
+    { address: primary, nonce },
+    env.JWT_SECRET,
+    { expiresIn: "10m" },
+  );
+
+  const url = new URL("https://discord.com/api/oauth2/authorize");
+  url.searchParams.set("client_id", clientId);
+  url.searchParams.set("redirect_uri", redirectUri);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("scope", "identify");
+  url.searchParams.set("state", state);
+
+  return res.status(200).json({ url: url.toString() });
+}
diff --git a/src/pages/api/v1/addTransaction.ts b/src/pages/api/v1/addTransaction.ts
index 8ef53c1e..633e5b5a 100644
--- a/src/pages/api/v1/addTransaction.ts
+++ b/src/pages/api/v1/addTransaction.ts
@@ -95,7 +95,20 @@ export default async function handler(
 
   const reqSigners = wallet.numRequiredSigners;
   const type = wallet.type;
-  const network = address.includes("test") ? 0 : 1;
+  // Derive network from the bech32 HRP (human-readable prefix) instead of
+  // the older `address.includes("test")` substring check, which would
+  // mis-classify any mainnet address whose bech32 body happened to contain
+  // the substring "test". Cardano HRPs:
+  //   `addr1...` / `stake1...` = mainnet
+  //   `addr_test1...` / `stake_test1...` = testnet
+  let network: 0 | 1;
+  if (/^(addr_test1|stake_test1)/.test(address)) {
+    network = 0;
+  } else if (/^(addr1|stake1)/.test(address)) {
+    network = 1;
+  } else {
+    return res.status(400).json({ error: "Invalid address" });
+  }
 
   try {
     let newTx;
diff --git a/src/pages/api/v1/authSigner.ts b/src/pages/api/v1/authSigner.ts
index 59b81bb5..b49cc18c 100644
--- a/src/pages/api/v1/authSigner.ts
+++ b/src/pages/api/v1/authSigner.ts
@@ -1,12 +1,16 @@
 import type { NextApiRequest, NextApiResponse } from "next";
 import { db } from "@/server/db";
-import { sign } from "jsonwebtoken";
+import jwt from "jsonwebtoken";
+
+const { sign } = jwt;
 import {
   checkSignature,
   DataSignature,
 } from "@meshsdk/core";
 import { cors, addCorsCacheBustingHeaders } from "@/lib/cors";
 import { applyRateLimit, enforceBodySize } from "@/lib/security/requestGuards";
+import { audit } from "@/lib/observability/audit";
+import { getClientIP } from "@/lib/security/rateLimit";
 
 export default async function handler(
   req: NextApiRequest,
@@ -53,6 +57,15 @@ export default async function handler(
     const isValid = await checkSignature(nonce, sig, address);
 
     if (!isValid) {
+      void audit(db, {
+        actorAddress: address,
+        actorType: "user",
+        action: "auth.sign_in.invalid_signature",
+        ip: getClientIP(req),
+        userAgent: req.headers["user-agent"] ?? null,
+        outcome: "denied",
+        reason: "Invalid signature",
+      });
       return res.status(401).json({ error: "Invalid signature" });
     }
 
@@ -71,10 +84,28 @@ export default async function handler(
         jwtSecret,
         { expiresIn: "1h" },
       );
+      void audit(db, {
+        actorAddress: address,
+        actorType: "bot",
+        action: "auth.sign_in",
+        resourceType: "bot",
+        resourceId: botUser.id,
+        ip: getClientIP(req),
+        userAgent: req.headers["user-agent"] ?? null,
+        outcome: "success",
+      });
       return res.status(200).json({ token });
     }
 
     const token = sign({ address }, jwtSecret, { expiresIn: "1h" });
+    void audit(db, {
+      actorAddress: address,
+      actorType: "user",
+      action: "auth.sign_in",
+      ip: getClientIP(req),
+      userAgent: req.headers["user-agent"] ?? null,
+      outcome: "success",
+    });
     return res.status(200).json({ token });
   }
 
diff --git a/src/pages/api/v1/botAuth.ts b/src/pages/api/v1/botAuth.ts
index 52f2d331..7f198427 100644
--- a/src/pages/api/v1/botAuth.ts
+++ b/src/pages/api/v1/botAuth.ts
@@ -1,6 +1,8 @@
 import type { NextApiRequest, NextApiResponse } from "next";
 import { db } from "@/server/db";
-import { sign } from "jsonwebtoken";
+import jwt from "jsonwebtoken";
+
+const { sign } = jwt;
 import { cors, addCorsCacheBustingHeaders } from "@/lib/cors";
 import { applyStrictRateLimit, enforceBodySize } from "@/lib/security/requestGuards";
 import { verifyBotKeySecret, parseScope, scopeIncludes, type BotScope } from "@/lib/auth/botKey";
diff --git a/src/pages/api/v1/getNonce.ts b/src/pages/api/v1/getNonce.ts
index 3611b221..75089746 100644
--- a/src/pages/api/v1/getNonce.ts
+++ b/src/pages/api/v1/getNonce.ts
@@ -44,21 +44,21 @@ export default async function handler(
         console.warn("[getNonce] User lookup failed (table may not exist yet):", (userLookupError as Error).message);
       }
 
-      // Check if a nonce already exists for this address in the database
+      // Always rotate the nonce on issue. Reusing a stored nonce is a
+      // replay risk: a leaked sig-with-old-nonce stays valid until that row
+      // is consumed. Mint a fresh value every call.
+      const nonce = randomBytes(16).toString("hex");
       const existing = await db.nonce.findFirst({ where: { address } });
       if (existing) {
-        console.debug("[getNonce] Reusing existing nonce for address:", address);
-        return res.status(200).json({ nonce: existing.value });
+        await db.nonce.update({
+          where: { id: existing.id },
+          data: { value: nonce },
+        });
+      } else {
+        await db.nonce.create({
+          data: { address, value: nonce },
+        });
       }
-
-      const nonce = randomBytes(16).toString("hex");
-      await db.nonce.create({
-        data: {
-          address,
-          value: nonce,
-        },
-      });
-      console.debug("[getNonce] Created new nonce for address:", address);
       return res.status(200).json({ nonce });
     } catch (error) {
       console.error("[getNonce] Error:", error);
diff --git a/src/pages/api/v1/lookupMultisigWallet.ts b/src/pages/api/v1/lookupMultisigWallet.ts
index 35f5a9fb..34c3d7c0 100644
--- a/src/pages/api/v1/lookupMultisigWallet.ts
+++ b/src/pages/api/v1/lookupMultisigWallet.ts
@@ -31,9 +31,22 @@ export default async function handler(
       .json({ error: "Missing or invalid pubKeyHashes parameter" });
   }
 
-  const hashes = pubKeyHashes.split(",").map((s) => s.trim().toLowerCase());
-  console.log(hashes);
+  const hashes = pubKeyHashes
+    .split(",")
+    .map((s) => s.trim().toLowerCase())
+    .filter((s) => /^[0-9a-f]{56}$/.test(s));
+
+  if (hashes.length === 0) {
+    return res.status(400).json({ error: "No valid pubKeyHashes provided" });
+  }
+  if (hashes.length > 50) {
+    return res.status(400).json({ error: "Too many pubKeyHashes (max 50)" });
+  }
+
   const networkId = parseInt(network as string, 10);
+  if (networkId !== 0 && networkId !== 1) {
+    return res.status(400).json({ error: "Invalid network (expected 0 or 1)" });
+  }
 
   const provider = getProvider(networkId);
 
diff --git a/src/pages/api/v1/og.ts b/src/pages/api/v1/og.ts
index 9d5089fc..339bfe95 100644
--- a/src/pages/api/v1/og.ts
+++ b/src/pages/api/v1/og.ts
@@ -1,6 +1,134 @@
 import type { NextApiRequest, NextApiResponse } from "next";
+import { promises as dns } from "dns";
+import net from "net";
+import { env } from "@/env";
+
+const DEFAULT_ALLOWED_HOSTS = [
+  "github.com",
+  "www.github.com",
+  "twitter.com",
+  "x.com",
+  "youtube.com",
+  "www.youtube.com",
+  "cardano.org",
+  "www.cardano.org",
+  "meshjs.dev",
+  "www.meshjs.dev",
+];
+
+const MAX_BYTES = 1024 * 1024;
+const FETCH_TIMEOUT_MS = 5000;
+
+function loadAllowedHosts(): { hosts: Set<string>; wildcard: boolean } {
+  const raw = env.OG_ALLOWED_HOSTS?.trim();
+  if (!raw) {
+    return { hosts: new Set(DEFAULT_ALLOWED_HOSTS), wildcard: false };
+  }
+  if (raw === "*") {
+    return { hosts: new Set(), wildcard: true };
+  }
+  const list = raw
+    .split(",")
+    .map((h) => h.trim().toLowerCase())
+    .filter((h) => h.length > 0);
+  return { hosts: new Set(list), wildcard: false };
+}
+
+function isPrivateIPv4(ip: string): boolean {
+  const parts = ip.split(".").map(Number);
+  if (parts.length !== 4 || parts.some((p) => Number.isNaN(p) || p < 0 || p > 255)) {
+    return true;
+  }
+  const [a, b] = parts as [number, number, number, number];
+  if (a === 10) return true;
+  if (a === 127) return true;
+  if (a === 0) return true;
+  if (a === 169 && b === 254) return true;
+  if (a === 172 && b >= 16 && b <= 31) return true;
+  if (a === 192 && b === 168) return true;
+  if (a === 100 && b >= 64 && b <= 127) return true;
+  if (a >= 224) return true;
+  return false;
+}
+
+function isPrivateIPv6(ip: string): boolean {
+  const lower = ip.toLowerCase();
+  if (lower === "::" || lower === "::1") return true;
+  if (lower.startsWith("fc") || lower.startsWith("fd")) return true;
+  if (lower.startsWith("fe80")) return true;
+  if (lower.startsWith("ff")) return true;
+  if (lower.startsWith("::ffff:")) {
+    const v4 = lower.slice(7);
+    if (net.isIPv4(v4)) return isPrivateIPv4(v4);
+  }
+  return false;
+}
+
+function isPrivateAddress(ip: string): boolean {
+  if (net.isIPv4(ip)) return isPrivateIPv4(ip);
+  if (net.isIPv6(ip)) return isPrivateIPv6(ip);
+  return true;
+}
+
+async function assertSafeHost(hostname: string): Promise<void> {
+  if (net.isIP(hostname)) {
+    if (isPrivateAddress(hostname)) {
+      throw new Error("Blocked: private/loopback address");
+    }
+    return;
+  }
+  const records = await dns.lookup(hostname, { all: true });
+  if (records.length === 0) {
+    throw new Error("Blocked: DNS resolution failed");
+  }
+  for (const r of records) {
+    if (isPrivateAddress(r.address)) {
+      throw new Error("Blocked: resolves to private/loopback address");
+    }
+  }
+}
+
+async function fetchCapped(target: string): Promise<string> {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), FETCH_TIMEOUT_MS);
+  try {
+    const response = await fetch(target, {
+      method: "GET",
+      redirect: "manual",
+      signal: controller.signal,
+      headers: { "user-agent": "MeshMultisigOGFetcher/1.0" },
+    });
+    if (response.status >= 300 && response.status < 400) {
+      throw new Error("Blocked: redirect not followed");
+    }
+    if (!response.ok) {
+      throw new Error(`Upstream ${response.status}`);
+    }
+    const reader = response.body?.getReader();
+    if (!reader) {
+      const text = await response.text();
+      return text.length > MAX_BYTES ? text.slice(0, MAX_BYTES) : text;
+    }
+    const decoder = new TextDecoder();
+    let received = 0;
+    let html = "";
+    while (true) {
+      const { done, value } = await reader.read();
+      if (done) break;
+      received += value.byteLength;
+      if (received > MAX_BYTES) {
+        await reader.cancel();
+        break;
+      }
+      html += decoder.decode(value, { stream: true });
+    }
+    html += decoder.decode();
+    return html;
+  } finally {
+    clearTimeout(timer);
+  }
+}
 
-// Simple OG metadata extractor using fetch + regex fallbacks
 export default async function handler(req: NextApiRequest, res: NextApiResponse) {
   const { url } = req.query;
   if (typeof url !== "string") {
@@ -8,9 +136,36 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
     return;
   }
 
+  let parsed: URL;
+  try {
+    parsed = new URL(url);
+  } catch {
+    res.status(400).json({ error: "Invalid url" });
+    return;
+  }
+
+  if (parsed.protocol !== "https:") {
+    res.status(400).json({ error: "Only https URLs are allowed" });
+    return;
+  }
+
+  const { hosts, wildcard } = loadAllowedHosts();
+  const host = parsed.hostname.toLowerCase();
+  if (!wildcard && !hosts.has(host)) {
+    res.status(400).json({ error: "Host not allowed" });
+    return;
+  }
+
   try {
-    const response = await fetch(url, { method: "GET" });
-    const html = await response.text();
+    await assertSafeHost(host);
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : "Blocked";
+    res.status(400).json({ error: msg });
+    return;
+  }
+
+  try {
+    const html = await fetchCapped(parsed.toString());
 
     const extract = (property: string, nameFallback?: string) => {
       const ogRegex = new RegExp(`<meta[^>]+property=["']${property}["'][^>]+content=["']([^"']+)["']`, "i");
@@ -39,4 +194,3 @@ export default async function handler(req: NextApiRequest, res: NextApiResponse)
     res.status(500).json({ error: errorMessage });
   }
 }
-
diff --git a/src/pages/api/v1/submitDatum.ts b/src/pages/api/v1/submitDatum.ts
index 48f90d5c..2e620918 100644
--- a/src/pages/api/v1/submitDatum.ts
+++ b/src/pages/api/v1/submitDatum.ts
@@ -116,7 +116,7 @@ export default async function handler(
       data: {
         walletId,
         payload: datum,
-        signatures: [`signature: ${sig.signature}, key: ${sig.key}`],
+        signatures: [JSON.stringify({ signature: sig.signature, key: sig.key })],
         signedAddresses: [address],
         rejectedAddresses: [],
         description,
diff --git a/src/server/api/auth.ts b/src/server/api/auth.ts
new file mode 100644
index 00000000..769e2f75
--- /dev/null
+++ b/src/server/api/auth.ts
@@ -0,0 +1,105 @@
+/**
+ * Shared auth helpers for tRPC routers.
+ *
+ * Consolidates `requireSessionAddress` and wallet-access checks that previously
+ * lived as near-duplicates in every router file. Centralizing them ensures:
+ * - one source of truth for the session-narrowing logic
+ * - one place to extend (e.g. add audit emit on FORBIDDEN)
+ * - future signer-table migrations only touch one helper
+ */
+
+import { TRPCError } from "@trpc/server";
+import type { AuthCtx } from "@/server/api/trpc";
+
+export const requireSessionAddress = (ctx: AuthCtx): string => {
+  const address = ctx.session?.user?.id ?? ctx.sessionAddress;
+  if (!address) {
+    throw new TRPCError({ code: "UNAUTHORIZED" });
+  }
+  return address;
+};
+
+/**
+ * Resolves the set of wallet addresses authorized in the current session.
+ * Prefers `sessionWallets` (multi-wallet auth) and falls back to the single
+ * `sessionAddress`/`session.user.id`. Returns `[]` when no session.
+ */
+export const getSessionAddresses = (ctx: AuthCtx): string[] => {
+  const sessionWallets = Array.isArray(ctx.sessionWallets) ? ctx.sessionWallets : [];
+  if (sessionWallets.length > 0) {
+    return sessionWallets;
+  }
+  const single = ctx.session?.user?.id ?? ctx.sessionAddress;
+  return single ? [single] : [];
+};
+
+/**
+ * Asserts that the caller can access the given wallet (signer or owner).
+ * Looks up the wallet in the `wallet` table and validates membership via
+ * `signersAddresses` or exact-match `ownerAddress`.
+ *
+ * Pass `requester` to override the session-derived address(es) — useful for
+ * routers that accept an explicit `requesterAddress` input parameter.
+ *
+ * Throws NOT_FOUND if the wallet doesn't exist, FORBIDDEN if not authorized.
+ */
+export const assertWalletAccess = async (
+  ctx: AuthCtx,
+  walletId: string,
+  requester?: string | string[],
+) => {
+  const wallet = await ctx.db.wallet.findUnique({ where: { id: walletId } });
+  if (!wallet) {
+    throw new TRPCError({ code: "NOT_FOUND", message: "Wallet not found" });
+  }
+
+  const requesters: string[] = requester
+    ? Array.isArray(requester)
+      ? requester
+      : [requester]
+    : [];
+  const sessionAddresses = getSessionAddresses(ctx);
+  const candidates = requesters.length > 0 ? [...requesters, ...sessionAddresses] : sessionAddresses;
+
+  if (candidates.length === 0) {
+    throw new TRPCError({ code: "UNAUTHORIZED" });
+  }
+
+  const authorized = candidates.some((addr) => {
+    const isSigner =
+      Array.isArray(wallet.signersAddresses) && wallet.signersAddresses.includes(addr);
+    const isOwner = wallet.ownerAddress === addr;
+    return isSigner || isOwner;
+  });
+
+  if (!authorized) {
+    throw new TRPCError({ code: "FORBIDDEN", message: "Not authorized for this wallet" });
+  }
+
+  return wallet;
+};
+
+/**
+ * Stricter variant: only the wallet owner (exact-match `ownerAddress`) passes.
+ * Used for ownership transfers, deletions, and other privileged operations.
+ */
+export const assertWalletOwner = async (
+  ctx: AuthCtx,
+  walletId: string,
+  requester?: string,
+) => {
+  const wallet = await ctx.db.wallet.findUnique({ where: { id: walletId } });
+  if (!wallet) {
+    throw new TRPCError({ code: "NOT_FOUND", message: "Wallet not found" });
+  }
+  const sessionAddresses = getSessionAddresses(ctx);
+  const candidates = requester ? [requester, ...sessionAddresses] : sessionAddresses;
+  if (candidates.length === 0) {
+    throw new TRPCError({ code: "UNAUTHORIZED" });
+  }
+  const isOwner = candidates.some((addr) => wallet.ownerAddress === addr);
+  if (!isOwner) {
+    throw new TRPCError({ code: "FORBIDDEN", message: "Only the wallet owner can perform this action" });
+  }
+  return wallet;
+};
diff --git a/src/server/api/routers/auth.ts b/src/server/api/routers/auth.ts
index a7ba0b04..e2fa9d4e 100644
--- a/src/server/api/routers/auth.ts
+++ b/src/server/api/routers/auth.ts
@@ -6,13 +6,13 @@ export const authRouter = createTRPCRouter({
     .input(z.object({ address: z.string().min(1) }))
     .query(async ({ ctx, input }) => {
       // Use wallet-session data already decoded into the tRPC context
-      const wallets: string[] = (ctx as any).sessionWallets ?? [];
+      const wallets: string[] = ctx.sessionWallets ?? [];
       const authorized = wallets.includes(input.address);
 
       return {
         authorized,
         wallets,
-        primaryWallet: (ctx as any).primaryWallet ?? null,
+        primaryWallet: ctx.primaryWallet ?? null,
       };
     }),
 });
diff --git a/src/server/api/routers/ballot.ts b/src/server/api/routers/ballot.ts
index c5fc323c..f6bf3fee 100644
--- a/src/server/api/routers/ballot.ts
+++ b/src/server/api/routers/ballot.ts
@@ -1,10 +1,11 @@
 import { z } from "zod";
 import { TRPCError } from "@trpc/server";
 import { createTRPCRouter, protectedProcedure } from "@/server/api/trpc";
+import type { AuthCtx } from "@/server/api/trpc";
 import { isValidChoice } from "@/lib/governance";
 
-const getSessionAddresses = (ctx: any): string[] => {
-  const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+const getSessionAddresses = (ctx: AuthCtx): string[] => {
+  const sessionWallets: string[] = ctx.sessionWallets ?? [];
   if (Array.isArray(sessionWallets) && sessionWallets.length > 0) {
     return sessionWallets;
   }
@@ -12,7 +13,7 @@ const getSessionAddresses = (ctx: any): string[] => {
   return single ? [single] : [];
 };
 
-const assertWalletAccess = async (ctx: any, walletId: string) => {
+const assertWalletAccess = async (ctx: AuthCtx, walletId: string) => {
   const wallet = await ctx.db.wallet.findUnique({ where: { id: walletId } });
   if (!wallet) {
     throw new TRPCError({ code: "NOT_FOUND", message: "Wallet not found" });
@@ -26,7 +27,7 @@ const assertWalletAccess = async (ctx: any, walletId: string) => {
   const authorized = addresses.some((addr) => {
     const isSigner =
       Array.isArray(wallet.signersAddresses) && wallet.signersAddresses.includes(addr);
-    const isOwner = wallet.ownerAddress === addr || wallet.ownerAddress === "all";
+    const isOwner = wallet.ownerAddress === addr;
     return isSigner || isOwner;
   });
 
diff --git a/src/server/api/routers/bot.ts b/src/server/api/routers/bot.ts
index 62629839..2957b7cc 100644
--- a/src/server/api/routers/bot.ts
+++ b/src/server/api/routers/bot.ts
@@ -4,6 +4,7 @@ import { createTRPCRouter, protectedProcedure } from "@/server/api/trpc";
 import { BOT_SCOPES, parseScope, type BotScope } from "@/lib/auth/botKey";
 import { ClaimError, performClaim } from "@/lib/auth/claimBot";
 import { BotWalletRole } from "@prisma/client";
+import { audit } from "@/lib/observability/audit";
 
 type SessionAddressContext = {
   primaryWallet?: string | null;
@@ -167,10 +168,12 @@ export const botRouter = createTRPCRouter({
       const wallet = await ctx.db.wallet.findUnique({ where: { id: input.walletId } });
       if (!wallet) throw new TRPCError({ code: "NOT_FOUND", message: "Wallet not found" });
       const ownerAddress = wallet.ownerAddress ?? null;
-      const isOwner =
-        ownerAddress !== null &&
-        (ownerAddress === "all" || ownerAddress === requester);
-      if (!isOwner) {
+      const isOwner = ownerAddress !== null && ownerAddress === requester;
+      const isTeamSigner =
+        ownerAddress === "all" &&
+        Array.isArray(wallet.signersAddresses) &&
+        wallet.signersAddresses.includes(requester);
+      if (!isOwner && !isTeamSigner) {
         throw new TRPCError({ code: "FORBIDDEN", message: "Only the wallet owner can grant bot access" });
       }
 
@@ -198,6 +201,16 @@ export const botRouter = createTRPCRouter({
           role: input.role,
         },
       });
+      void audit(ctx.db, {
+        actorAddress: requester,
+        actorType: "user",
+        action: "bot.access_grant",
+        resourceType: "wallet",
+        resourceId: input.walletId,
+        ip: ctx.ip ?? null,
+        outcome: "success",
+        metadata: { botId: input.botId, role: input.role },
+      });
       return { ok: true };
     }),
 
@@ -211,15 +224,27 @@ export const botRouter = createTRPCRouter({
       const wallet = await ctx.db.wallet.findUnique({ where: { id: input.walletId } });
       if (!wallet) throw new TRPCError({ code: "NOT_FOUND", message: "Wallet not found" });
       const ownerAddress = wallet.ownerAddress ?? null;
-      const isOwner =
-        ownerAddress !== null &&
-        (ownerAddress === "all" || ownerAddress === requester);
-      if (!isOwner) {
+      const isOwner = ownerAddress !== null && ownerAddress === requester;
+      const isTeamSigner =
+        ownerAddress === "all" &&
+        Array.isArray(wallet.signersAddresses) &&
+        wallet.signersAddresses.includes(requester);
+      if (!isOwner && !isTeamSigner) {
         throw new TRPCError({ code: "FORBIDDEN", message: "Only the wallet owner can revoke bot access" });
       }
       await ctx.db.walletBotAccess.deleteMany({
         where: { walletId: input.walletId, botId: input.botId },
       });
+      void audit(ctx.db, {
+        actorAddress: requester,
+        actorType: "user",
+        action: "bot.access_revoke",
+        resourceType: "wallet",
+        resourceId: input.walletId,
+        ip: ctx.ip ?? null,
+        outcome: "success",
+        metadata: { botId: input.botId },
+      });
       return { ok: true };
     }),
 
@@ -233,10 +258,12 @@ export const botRouter = createTRPCRouter({
       const wallet = await ctx.db.wallet.findUnique({ where: { id: input.walletId } });
       if (!wallet) throw new TRPCError({ code: "NOT_FOUND", message: "Wallet not found" });
       const ownerAddress = wallet.ownerAddress ?? null;
-      const isOwner =
-        ownerAddress !== null &&
-        (ownerAddress === "all" || ownerAddress === requester);
-      if (!isOwner) {
+      const isOwner = ownerAddress !== null && ownerAddress === requester;
+      const isTeamSigner =
+        ownerAddress === "all" &&
+        Array.isArray(wallet.signersAddresses) &&
+        wallet.signersAddresses.includes(requester);
+      if (!isOwner && !isTeamSigner) {
         throw new TRPCError({ code: "FORBIDDEN", message: "Only the wallet owner can list bot access" });
       }
       return ctx.db.walletBotAccess.findMany({
diff --git a/src/server/api/routers/contacts.ts b/src/server/api/routers/contacts.ts
index 71d46607..c12b7ca3 100644
--- a/src/server/api/routers/contacts.ts
+++ b/src/server/api/routers/contacts.ts
@@ -2,15 +2,16 @@ import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 
 import { createTRPCRouter, protectedProcedure } from "@/server/api/trpc";
+import type { AuthCtx } from "@/server/api/trpc";
 
-const getSessionAddresses = (ctx: any): string[] => {
-  const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+const getSessionAddresses = (ctx: AuthCtx): string[] => {
+  const sessionWallets: string[] = ctx.sessionWallets ?? [];
   if (sessionWallets.length > 0) return sessionWallets;
   const single = ctx.sessionAddress;
   return single ? [single] : [];
 };
 
-const assertWalletAccess = async (ctx: any, walletId: string) => {
+const assertWalletAccess = async (ctx: AuthCtx, walletId: string) => {
   const wallet = await ctx.db.wallet.findUnique({ where: { id: walletId } });
   if (!wallet) {
     throw new TRPCError({ code: "NOT_FOUND", message: "Wallet not found" });
@@ -24,7 +25,7 @@ const assertWalletAccess = async (ctx: any, walletId: string) => {
   const authorized = addresses.some((addr) => {
     const isSigner =
       Array.isArray(wallet.signersAddresses) && wallet.signersAddresses.includes(addr);
-    const isOwner = wallet.ownerAddress === addr || wallet.ownerAddress === "all";
+    const isOwner = wallet.ownerAddress === addr;
     return isSigner || isOwner;
   });
 
diff --git a/src/server/api/routers/migrations.ts b/src/server/api/routers/migrations.ts
index edae6366..512d017f 100644
--- a/src/server/api/routers/migrations.ts
+++ b/src/server/api/routers/migrations.ts
@@ -1,8 +1,9 @@
 import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 import { createTRPCRouter, protectedProcedure } from "@/server/api/trpc";
+import type { AuthCtx } from "@/server/api/trpc";
 
-const requireSessionAddress = (ctx: any) => {
+const requireSessionAddress = (ctx: AuthCtx) => {
   const address = ctx.session?.user?.id ?? ctx.sessionAddress;
   if (!address) {
     throw new TRPCError({ code: "UNAUTHORIZED" });
@@ -10,7 +11,7 @@ const requireSessionAddress = (ctx: any) => {
   return address;
 };
 
-const assertMigrationOwner = async (ctx: any, migrationId: string, requester: string | string[]) => {
+const assertMigrationOwner = async (ctx: AuthCtx, migrationId: string, requester: string | string[]) => {
   const migration = await ctx.db.migration.findUnique({ where: { id: migrationId } });
   if (!migration) {
     throw new TRPCError({ code: "NOT_FOUND", message: "Migration not found" });
@@ -30,7 +31,7 @@ export const migrationRouter = createTRPCRouter({
   getPendingMigrations: protectedProcedure
     .input(z.object({ ownerAddress: z.string() }))
     .query(async ({ ctx, input }) => {
-      const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+      const sessionWallets: string[] = ctx.sessionWallets ?? [];
       const addresses = sessionWallets.length
         ? sessionWallets
         : [requireSessionAddress(ctx)];
@@ -55,7 +56,7 @@ export const migrationRouter = createTRPCRouter({
     .input(z.object({ migrationId: z.string() }))
     .query(async ({ ctx, input }) => {
       // Check against sessionWallets array like getPendingMigrations does
-      const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+      const sessionWallets: string[] = ctx.sessionWallets ?? [];
       const addresses = sessionWallets.length
         ? sessionWallets
         : [requireSessionAddress(ctx)];
@@ -72,7 +73,7 @@ export const migrationRouter = createTRPCRouter({
       migrationData: z.any().optional()
     }))
     .mutation(async ({ ctx, input }) => {
-      const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+      const sessionWallets: string[] = ctx.sessionWallets ?? [];
       const addresses = sessionWallets.length
         ? sessionWallets
         : [requireSessionAddress(ctx)];
@@ -119,7 +120,7 @@ export const migrationRouter = createTRPCRouter({
     }))
     .mutation(async ({ ctx, input }) => {
       // Check against sessionWallets array like getPendingMigrations does
-      const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+      const sessionWallets: string[] = ctx.sessionWallets ?? [];
       const addresses = sessionWallets.length
         ? sessionWallets
         : [requireSessionAddress(ctx)];
@@ -161,7 +162,7 @@ export const migrationRouter = createTRPCRouter({
     }))
     .mutation(async ({ ctx, input }) => {
       // Check against sessionWallets array like getPendingMigrations does
-      const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+      const sessionWallets: string[] = ctx.sessionWallets ?? [];
       const addresses = sessionWallets.length
         ? sessionWallets
         : [requireSessionAddress(ctx)];
@@ -183,7 +184,7 @@ export const migrationRouter = createTRPCRouter({
     .input(z.object({ migrationId: z.string() }))
     .mutation(async ({ ctx, input }) => {
       // Check against sessionWallets array like getPendingMigrations does
-      const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+      const sessionWallets: string[] = ctx.sessionWallets ?? [];
       const addresses = sessionWallets.length
         ? sessionWallets
         : [requireSessionAddress(ctx)];
@@ -202,7 +203,7 @@ export const migrationRouter = createTRPCRouter({
     .input(z.object({ migrationId: z.string() }))
     .mutation(async ({ ctx, input }) => {
       // Check against sessionWallets array like getPendingMigrations does
-      const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+      const sessionWallets: string[] = ctx.sessionWallets ?? [];
       const addresses = sessionWallets.length
         ? sessionWallets
         : [requireSessionAddress(ctx)];
diff --git a/src/server/api/routers/proxy.ts b/src/server/api/routers/proxy.ts
index 864e0c56..c53b0f56 100644
--- a/src/server/api/routers/proxy.ts
+++ b/src/server/api/routers/proxy.ts
@@ -1,8 +1,9 @@
 import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 import { createTRPCRouter, protectedProcedure } from "@/server/api/trpc";
+import type { AuthCtx } from "@/server/api/trpc";
 
-const requireSessionAddress = (ctx: any) => {
+const requireSessionAddress = (ctx: AuthCtx) => {
   const address = ctx.session?.user?.id ?? ctx.sessionAddress;
   if (!address) {
     throw new TRPCError({ code: "UNAUTHORIZED" });
@@ -11,7 +12,7 @@ const requireSessionAddress = (ctx: any) => {
 };
 
 const assertWalletAccess = async (
-  ctx: any,
+  ctx: AuthCtx,
   walletId: string,
   requester: string | string[],
 ) => {
@@ -20,7 +21,7 @@ const assertWalletAccess = async (
     throw new TRPCError({ code: "NOT_FOUND", message: "Wallet not found" });
   }
   const requesters = Array.isArray(requester) ? requester : [requester];
-  const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+  const sessionWallets: string[] = ctx.sessionWallets ?? [];
   const allRequesters = [...requesters, ...sessionWallets];
   const isSigner =
     Array.isArray(wallet.signersAddresses) &&
@@ -32,7 +33,7 @@ const assertWalletAccess = async (
   return wallet;
 };
 
-const getUserIdForAddress = async (ctx: any, address: string) => {
+const getUserIdForAddress = async (ctx: AuthCtx, address: string) => {
   const user = await ctx.db.user.findUnique({ where: { address } });
   if (!user) {
     throw new TRPCError({ code: "NOT_FOUND", message: "User not found" });
@@ -41,7 +42,7 @@ const getUserIdForAddress = async (ctx: any, address: string) => {
 };
 
 const assertProxyAccess = async (
-  ctx: any,
+  ctx: AuthCtx,
   proxy: { walletId: string | null; userId: string | null },
   requesterAddresses: string[],
 ) => {
@@ -75,13 +76,13 @@ const assertProxyAccess = async (
   throw new TRPCError({ code: "FORBIDDEN", message: "Not authorized for this proxy" });
 };
 
-const getRequesterAddresses = (ctx: any): string[] => {
-  const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+const getRequesterAddresses = (ctx: AuthCtx): string[] => {
+  const sessionWallets: string[] = ctx.sessionWallets ?? [];
   return sessionWallets.length ? sessionWallets : [requireSessionAddress(ctx)];
 };
 
 const assertWalletAccessForAnyAddress = async (
-  ctx: any,
+  ctx: AuthCtx,
   walletId: string,
   addresses: string[],
 ) => {
@@ -96,7 +97,7 @@ const assertWalletAccessForAnyAddress = async (
   throw new TRPCError({ code: "FORBIDDEN", message: "Not authorized for this wallet" });
 };
 
-const listActiveProxiesByUserAddress = async (ctx: any, userAddress: string) => {
+const listActiveProxiesByUserAddress = async (ctx: AuthCtx, userAddress: string) => {
   return ctx.db.$queryRaw<Array<{
     id: string;
     walletId: string | null;
@@ -119,7 +120,7 @@ const listActiveProxiesByUserAddress = async (ctx: any, userAddress: string) =>
 };
 
 const assertProxyManageAccess = async (
-  ctx: any,
+  ctx: AuthCtx,
   proxy: { walletId: string | null; userId: string | null },
   sessionAddress: string,
 ) => {
diff --git a/src/server/api/routers/signable.ts b/src/server/api/routers/signable.ts
index 5c5dce28..8b5bd21a 100644
--- a/src/server/api/routers/signable.ts
+++ b/src/server/api/routers/signable.ts
@@ -2,28 +2,8 @@ import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 
 import { createTRPCRouter, protectedProcedure } from "@/server/api/trpc";
-
-const requireSessionAddress = (ctx: any) => {
-  const address = ctx.session?.user?.id ?? ctx.sessionAddress;
-  if (!address) {
-    throw new TRPCError({ code: "UNAUTHORIZED" });
-  }
-  return address;
-};
-
-const assertWalletAccess = async (ctx: any, walletId: string, requester: string) => {
-  const wallet = await ctx.db.wallet.findUnique({ where: { id: walletId } });
-  if (!wallet) {
-    throw new TRPCError({ code: "NOT_FOUND", message: "Wallet not found" });
-  }
-  const isSigner =
-    Array.isArray(wallet.signersAddresses) && wallet.signersAddresses.includes(requester);
-  const isOwner = wallet.ownerAddress === requester || wallet.ownerAddress === "all";
-  if (!isSigner && !isOwner) {
-    throw new TRPCError({ code: "FORBIDDEN", message: "Not authorized for this wallet" });
-  }
-  return wallet;
-};
+import { audit } from "@/lib/observability/audit";
+import { requireSessionAddress, assertWalletAccess } from "@/server/api/auth";
 
 export const signableRouter = createTRPCRouter({
   createSignable: protectedProcedure
@@ -72,7 +52,7 @@ export const signableRouter = createTRPCRouter({
         throw new TRPCError({ code: "NOT_FOUND", message: "Signable not found" });
       }
       await assertWalletAccess(ctx, signable.walletId, sessionAddress);
-      return ctx.db.signable.update({
+      const updated = await ctx.db.signable.update({
         where: {
           id: input.signableId,
         },
@@ -83,6 +63,30 @@ export const signableRouter = createTRPCRouter({
           state: input.state,
         },
       });
+      const justSigned = input.signedAddresses.includes(sessionAddress) &&
+        !signable.signedAddresses.includes(sessionAddress);
+      const justRejected = input.rejectedAddresses.includes(sessionAddress) &&
+        !signable.rejectedAddresses.includes(sessionAddress);
+      void audit(ctx.db, {
+        actorAddress: sessionAddress,
+        actorType: "user",
+        action: justRejected
+          ? "signable.reject"
+          : justSigned
+            ? "signable.sign"
+            : "signable.update",
+        resourceType: "signable",
+        resourceId: input.signableId,
+        ip: ctx.ip ?? null,
+        outcome: "success",
+        metadata: {
+          walletId: signable.walletId,
+          state: input.state,
+          signersCount: input.signedAddresses.length,
+          rejectionsCount: input.rejectedAddresses.length,
+        },
+      });
+      return updated;
     }),
 
   deleteSignable: protectedProcedure
@@ -94,11 +98,22 @@ export const signableRouter = createTRPCRouter({
         throw new TRPCError({ code: "NOT_FOUND", message: "Signable not found" });
       }
       await assertWalletAccess(ctx, signable.walletId, sessionAddress);
-      return ctx.db.signable.delete({
+      const deleted = await ctx.db.signable.delete({
         where: {
           id: input.signableId,
         },
       });
+      void audit(ctx.db, {
+        actorAddress: sessionAddress,
+        actorType: "user",
+        action: "signable.delete",
+        resourceType: "signable",
+        resourceId: input.signableId,
+        ip: ctx.ip ?? null,
+        outcome: "success",
+        metadata: { walletId: signable.walletId },
+      });
+      return deleted;
     }),
 
   // Read-only queries require authenticated session whose address is a signer/owner
diff --git a/src/server/api/routers/transactions.ts b/src/server/api/routers/transactions.ts
index aef26e7b..c260cb66 100644
--- a/src/server/api/routers/transactions.ts
+++ b/src/server/api/routers/transactions.ts
@@ -7,6 +7,8 @@ import { getProvider } from "@/utils/get-provider";
 import { addressToNetwork } from "@/utils/multisigSDK";
 
 import { createTRPCRouter, protectedProcedure } from "@/server/api/trpc";
+import { audit } from "@/lib/observability/audit";
+import { assertWalletAccess } from "@/server/api/auth";
 
 function toHex(bytes: Uint8Array): string {
   return Buffer.from(bytes).toString("hex");
@@ -20,40 +22,6 @@ function normalizeHex(value: string): string {
   return trimmed;
 }
 
-const getSessionAddresses = (ctx: any): string[] => {
-  const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
-  if (Array.isArray(sessionWallets) && sessionWallets.length > 0) {
-    return sessionWallets;
-  }
-  const single = ctx.session?.user?.id ?? ctx.sessionAddress;
-  return single ? [single] : [];
-};
-
-const assertWalletAccess = async (ctx: any, walletId: string) => {
-  const wallet = await ctx.db.wallet.findUnique({ where: { id: walletId } });
-  if (!wallet) {
-    throw new TRPCError({ code: "NOT_FOUND", message: "Wallet not found" });
-  }
-
-  const addresses = getSessionAddresses(ctx);
-  if (addresses.length === 0) {
-    throw new TRPCError({ code: "UNAUTHORIZED" });
-  }
-
-  const authorized = addresses.some((addr: string) => {
-    const isSigner =
-      Array.isArray(wallet.signersAddresses) && wallet.signersAddresses.includes(addr);
-    const isOwner = wallet.ownerAddress === addr || wallet.ownerAddress === "all";
-    return isSigner || isOwner;
-  });
-
-  if (!authorized) {
-    throw new TRPCError({ code: "FORBIDDEN", message: "Not authorized for this wallet" });
-  }
-
-  return wallet;
-};
-
 export const transactionRouter = createTRPCRouter({
   createTransaction: protectedProcedure
     .input(
@@ -69,7 +37,8 @@ export const transactionRouter = createTRPCRouter({
     )
     .mutation(async ({ ctx, input }) => {
       await assertWalletAccess(ctx, input.walletId);
-      return ctx.db.transaction.create({
+      const sessionAddress = ctx.session?.user?.id ?? ctx.sessionAddress ?? null;
+      const tx = await ctx.db.transaction.create({
         data: {
           walletId: input.walletId,
           txJson: input.txJson,
@@ -80,6 +49,22 @@ export const transactionRouter = createTRPCRouter({
           txHash: input.txHash,
         },
       });
+      void audit(ctx.db, {
+        actorAddress: sessionAddress,
+        actorType: "user",
+        action: "transaction.create",
+        resourceType: "transaction",
+        resourceId: tx.id,
+        ip: ctx.ip ?? null,
+        outcome: "success",
+        metadata: {
+          walletId: input.walletId,
+          state: input.state,
+          txHash: input.txHash ?? null,
+          initialSigners: input.signedAddresses.length,
+        },
+      });
+      return tx;
     }),
 
   updateTransaction: protectedProcedure
@@ -99,7 +84,8 @@ export const transactionRouter = createTRPCRouter({
         throw new TRPCError({ code: "NOT_FOUND", message: "Transaction not found" });
       }
       await assertWalletAccess(ctx, tx.walletId);
-      return ctx.db.transaction.update({
+      const sessionAddress = ctx.session?.user?.id ?? ctx.sessionAddress ?? null;
+      const updated = await ctx.db.transaction.update({
         where: {
           id: input.transactionId,
         },
@@ -111,6 +97,38 @@ export const transactionRouter = createTRPCRouter({
           txHash: input.txHash,
         },
       });
+      const justSigned =
+        sessionAddress !== null &&
+        input.signedAddresses.includes(sessionAddress) &&
+        !tx.signedAddresses.includes(sessionAddress);
+      const justRejected =
+        sessionAddress !== null &&
+        input.rejectedAddresses.includes(sessionAddress) &&
+        !tx.rejectedAddresses.includes(sessionAddress);
+      const submitted = !tx.txHash && Boolean(input.txHash);
+      void audit(ctx.db, {
+        actorAddress: sessionAddress,
+        actorType: "user",
+        action: submitted
+          ? "transaction.submit"
+          : justRejected
+            ? "transaction.reject"
+            : justSigned
+              ? "transaction.sign"
+              : "transaction.update",
+        resourceType: "transaction",
+        resourceId: input.transactionId,
+        ip: ctx.ip ?? null,
+        outcome: "success",
+        metadata: {
+          walletId: tx.walletId,
+          state: input.state,
+          signersCount: input.signedAddresses.length,
+          rejectionsCount: input.rejectedAddresses.length,
+          txHash: input.txHash ?? null,
+        },
+      });
+      return updated;
     }),
 
   deleteTransaction: protectedProcedure
@@ -121,11 +139,23 @@ export const transactionRouter = createTRPCRouter({
         throw new TRPCError({ code: "NOT_FOUND", message: "Transaction not found" });
       }
       await assertWalletAccess(ctx, tx.walletId);
-      return ctx.db.transaction.delete({
+      const sessionAddress = ctx.session?.user?.id ?? ctx.sessionAddress ?? null;
+      const deleted = await ctx.db.transaction.delete({
         where: {
           id: input.transactionId,
         },
       });
+      void audit(ctx.db, {
+        actorAddress: sessionAddress,
+        actorType: "user",
+        action: "transaction.delete",
+        resourceType: "transaction",
+        resourceId: input.transactionId,
+        ip: ctx.ip ?? null,
+        outcome: "success",
+        metadata: { walletId: tx.walletId },
+      });
+      return deleted;
     }),
 
   // Read-only queries require authenticated session whose address is a signer/owner
@@ -489,7 +519,8 @@ export const transactionRouter = createTRPCRouter({
       };
 
       // Create pending transaction
-      return await ctx.db.transaction.create({
+      const sessionAddress = ctx.session?.user?.id ?? ctx.sessionAddress ?? null;
+      const created = await ctx.db.transaction.create({
         data: {
           walletId: input.walletId,
           txJson: JSON.stringify(txJson),
@@ -500,5 +531,19 @@ export const transactionRouter = createTRPCRouter({
           description: input.description || "Imported transaction",
         },
       });
+      void audit(ctx.db, {
+        actorAddress: sessionAddress,
+        actorType: "user",
+        action: "transaction.import",
+        resourceType: "transaction",
+        resourceId: created.id,
+        ip: ctx.ip ?? null,
+        outcome: "success",
+        metadata: {
+          walletId: input.walletId,
+          existingSigners: signedAddresses.length,
+        },
+      });
+      return created;
     }),
 });
diff --git a/src/server/api/routers/users.ts b/src/server/api/routers/users.ts
index 081b917e..4d2d8dca 100644
--- a/src/server/api/routers/users.ts
+++ b/src/server/api/routers/users.ts
@@ -2,8 +2,9 @@ import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 
 import { createTRPCRouter, protectedProcedure, publicProcedure } from "@/server/api/trpc";
+import type { AuthCtx } from "@/server/api/trpc";
 
-const requireSessionAddress = (ctx: any) => {
+const requireSessionAddress = (ctx: AuthCtx) => {
   const address = ctx.session?.user?.id ?? ctx.sessionAddress;
   if (!address) {
     throw new TRPCError({ code: "UNAUTHORIZED" });
@@ -22,8 +23,10 @@ export const userRouter = createTRPCRouter({
       });
     }),
 
-  // Keep createUser public for onboarding flows, but bind address when session exists
-  createUser: publicProcedure
+  // Onboarding upsert. Authenticated only — the session address must match
+  // the address being created/updated to prevent any unauthenticated caller
+  // from creating User rows or overwriting another user's stake/nostr/drep keys.
+  createUser: protectedProcedure
     .input(
       z.object({
         address: z.string().min(1, "address required"),
@@ -34,6 +37,13 @@ export const userRouter = createTRPCRouter({
       }),
     )
     .mutation(async ({ ctx, input }) => {
+      const sessionAddress = requireSessionAddress(ctx);
+      if (sessionAddress !== input.address) {
+        throw new TRPCError({
+          code: "FORBIDDEN",
+          message: "Cannot create or modify a user other than yourself",
+        });
+      }
       return ctx.db.user.upsert({
         where: {
           address: input.address,
@@ -134,10 +144,10 @@ export const userRouter = createTRPCRouter({
       });
     }),
 
-  getDiscordIds: publicProcedure
+  getDiscordIds: protectedProcedure
     .input(
       z.object({
-        addresses: z.array(z.string().min(1)).min(1),
+        addresses: z.array(z.string().min(1)).min(1).max(50),
       }),
     )
     .query(async ({ ctx, input }) => {
@@ -165,7 +175,7 @@ export const userRouter = createTRPCRouter({
       );
     }),
 
-  getUserDiscordId: publicProcedure
+  getUserDiscordId: protectedProcedure
     .input(z.object({ address: z.string().min(1, "address required") }))
     .query(async ({ ctx, input }) => {
       const user = await ctx.db.user.findUnique({
diff --git a/src/server/api/routers/wallets.ts b/src/server/api/routers/wallets.ts
index 98d56126..340ebf91 100644
--- a/src/server/api/routers/wallets.ts
+++ b/src/server/api/routers/wallets.ts
@@ -2,10 +2,12 @@ import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 
 import { createTRPCRouter, protectedProcedure, publicProcedure } from "@/server/api/trpc";
+import type { AuthCtx } from "@/server/api/trpc";
 import type { RawImportBodies } from "@/types/wallet";
 import { Prisma } from "@prisma/client";
+import { audit } from "@/lib/observability/audit";
 
-const requireSessionAddress = (ctx: any) => {
+const requireSessionAddress = (ctx: AuthCtx) => {
   const address = ctx.session?.user?.id ?? ctx.sessionAddress;
   if (!address) {
     throw new TRPCError({ code: "UNAUTHORIZED" });
@@ -13,20 +15,20 @@ const requireSessionAddress = (ctx: any) => {
   return address;
 };
 
-const assertWalletAccess = async (ctx: any, walletId: string, requester: string | string[]) => {
+const assertWalletAccess = async (ctx: AuthCtx, walletId: string, requester: string | string[]) => {
   const wallet = await ctx.db.wallet.findUnique({ where: { id: walletId } });
   if (!wallet) {
     throw new TRPCError({ code: "NOT_FOUND", message: "Wallet not found" });
   }
 
   const requesters = Array.isArray(requester) ? requester : [requester];
-  const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+  const sessionWallets: string[] = ctx.sessionWallets ?? [];
   const allRequesters = [...requesters, ...sessionWallets];
 
   const isSigner = allRequesters.some((addr) =>
     Array.isArray(wallet.signersAddresses) && wallet.signersAddresses.includes(addr)
   );
-  const isOwner = allRequesters.some((addr) => wallet.ownerAddress === addr || wallet.ownerAddress === "all");
+  const isOwner = allRequesters.some((addr) => wallet.ownerAddress === addr);
 
   if (!isSigner && !isOwner) {
     throw new TRPCError({ code: "FORBIDDEN", message: "Not a signer of this wallet" });
@@ -36,7 +38,7 @@ const assertWalletAccess = async (ctx: any, walletId: string, requester: string
 };
 
 // Check if user is the owner of the wallet
-const assertNewWalletOwnerAccess = async (ctx: any, walletId: string, requester: string) => {
+const assertNewWalletOwnerAccess = async (ctx: AuthCtx, walletId: string, requester: string) => {
   const wallet = await ctx.db.newWallet.findUnique({ where: { id: walletId } });
   if (!wallet) {
     throw new TRPCError({ code: "NOT_FOUND", message: "Wallet not found" });
@@ -46,7 +48,7 @@ const assertNewWalletOwnerAccess = async (ctx: any, walletId: string, requester:
   const isOwner = wallet.ownerAddress === requester;
   
   // Also check if ownerAddress is in sessionWallets (user might have multiple authorized wallets)
-  const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+  const sessionWallets: string[] = ctx.sessionWallets ?? [];
   const isOwnerViaSession = sessionWallets.includes(wallet.ownerAddress);
   
   if (!isOwner && !isOwnerViaSession) {
@@ -56,7 +58,7 @@ const assertNewWalletOwnerAccess = async (ctx: any, walletId: string, requester:
 };
 
 // Check if user is a signer or owner (for read access)
-const assertNewWalletSignerAccess = async (ctx: any, walletId: string, requester: string) => {
+const assertNewWalletSignerAccess = async (ctx: AuthCtx, walletId: string, requester: string) => {
   const wallet = await ctx.db.newWallet.findUnique({ where: { id: walletId } });
   if (!wallet) {
     throw new TRPCError({ code: "NOT_FOUND", message: "Wallet not found" });
@@ -66,7 +68,7 @@ const assertNewWalletSignerAccess = async (ctx: any, walletId: string, requester
   const isOwner = wallet.ownerAddress === requester;
   
   // Also check if ownerAddress is in sessionWallets (user might have multiple authorized wallets)
-  const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+  const sessionWallets: string[] = ctx.sessionWallets ?? [];
   const isOwnerViaSession = sessionWallets.includes(wallet.ownerAddress);
   
   if (isOwner || isOwnerViaSession) {
@@ -88,7 +90,7 @@ const assertNewWalletSignerAccess = async (ctx: any, walletId: string, requester
 };
 
 // Check if user can read the wallet (signer or owner)
-const assertNewWalletAccess = async (ctx: any, walletId: string, requester: string) => {
+const assertNewWalletAccess = async (ctx: AuthCtx, walletId: string, requester: string) => {
   return assertNewWalletSignerAccess(ctx, walletId, requester);
 };
 
@@ -97,7 +99,7 @@ export const walletRouter = createTRPCRouter({
   getUserWallets: publicProcedure
     .input(z.object({ address: z.string() }))
     .query(async ({ ctx, input }) => {
-      const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+      const sessionWallets: string[] = ctx.sessionWallets ?? [];
       const addresses = sessionWallets.length
         ? sessionWallets
         : ctx.sessionAddress
@@ -121,18 +123,22 @@ export const walletRouter = createTRPCRouter({
   getWallet: publicProcedure
     .input(z.object({ address: z.string(), walletId: z.string() }))
     .query(async ({ ctx, input }) => {
-      const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+      const sessionWallets: string[] = ctx.sessionWallets ?? [];
       const addresses = sessionWallets.length
         ? sessionWallets
         : ctx.sessionAddress
           ? [ctx.sessionAddress]
           : [];
-      // If user has an active session, validate that the requested address is authorized
-      // Throw error if address doesn't match (security: prevent unauthorized access)
-      if (addresses.length > 0 && !addresses.includes(input.address)) {
+
+      if (addresses.length === 0) {
+        throw new TRPCError({ code: "UNAUTHORIZED" });
+      }
+
+      if (!addresses.includes(input.address)) {
         throw new TRPCError({ code: "FORBIDDEN", message: "Address mismatch" });
       }
-      return ctx.db.wallet.findUnique({
+
+      const wallet = await ctx.db.wallet.findUnique({
         where: {
           id: input.walletId,
           signersAddresses: {
@@ -140,6 +146,19 @@ export const walletRouter = createTRPCRouter({
           },
         },
       });
+
+      if (!wallet) {
+        throw new TRPCError({ code: "FORBIDDEN", message: "Not a signer of this wallet" });
+      }
+
+      if (
+        !Array.isArray(wallet.signersAddresses) ||
+        !wallet.signersAddresses.includes(input.address)
+      ) {
+        throw new TRPCError({ code: "FORBIDDEN", message: "Not a signer of this wallet" });
+      }
+
+      return wallet;
     }),
 
   createWallet: protectedProcedure
@@ -160,7 +179,7 @@ export const walletRouter = createTRPCRouter({
       }),
     )
     .mutation(async ({ ctx, input }) => {
-      requireSessionAddress(ctx);
+      const sessionAddress = requireSessionAddress(ctx);
       try {
         const numRequired = (input.type === "all" || input.type === "any") ? null : input.numRequiredSigners;
 
@@ -191,7 +210,23 @@ export const walletRouter = createTRPCRouter({
           ...(input.ownerAddress != null && { ownerAddress: input.ownerAddress }),
         };
 
-        return ctx.db.wallet.create({ data });
+        const wallet = await ctx.db.wallet.create({ data });
+        void audit(ctx.db, {
+          actorAddress: sessionAddress,
+          actorType: "user",
+          action: "wallet.create",
+          resourceType: "wallet",
+          resourceId: wallet.id,
+          ip: ctx.ip ?? null,
+          outcome: "success",
+          metadata: {
+            type: input.type,
+            numRequiredSigners: numRequired,
+            signerCount: input.signersAddresses.length,
+            ownerAddress: input.ownerAddress ?? null,
+          },
+        });
+        return wallet;
       } catch (error) {
         console.error("Error creating wallet:", error);
         throw error;
@@ -279,21 +314,18 @@ export const walletRouter = createTRPCRouter({
       });
     }),
 
-  getUserNewWallets: publicProcedure
+  getUserNewWallets: protectedProcedure
     .input(z.object({ address: z.string() }))
     .query(async ({ ctx, input }) => {
-      const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+      const sessionWallets: string[] = ctx.sessionWallets ?? [];
       const addresses = sessionWallets.length
         ? sessionWallets
         : ctx.sessionAddress
           ? [ctx.sessionAddress]
           : [];
-      // If user has an active session, validate that the requested address is authorized
-      // Throw error if address doesn't match (security: prevent unauthorized access)
-      if (addresses.length > 0 && !addresses.includes(input.address)) {
+      if (!addresses.includes(input.address)) {
         throw new TRPCError({ code: "FORBIDDEN", message: "Address mismatch" });
       }
-      // Query new wallets owned by the user
       return ctx.db.newWallet.findMany({
         where: {
           ownerAddress: input.address,
@@ -301,21 +333,18 @@ export const walletRouter = createTRPCRouter({
       });
     }),
 
-  getUserNewWalletsNotOwner: publicProcedure
+  getUserNewWalletsNotOwner: protectedProcedure
     .input(z.object({ address: z.string() }))
     .query(async ({ ctx, input }) => {
-      const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+      const sessionWallets: string[] = ctx.sessionWallets ?? [];
       const addresses = sessionWallets.length
         ? sessionWallets
         : ctx.sessionAddress
           ? [ctx.sessionAddress]
           : [];
-      // If user has an active session, validate that the requested address is authorized
-      // Throw error if address doesn't match (security: prevent unauthorized access)
-      if (addresses.length > 0 && !addresses.includes(input.address)) {
+      if (!addresses.includes(input.address)) {
         throw new TRPCError({ code: "FORBIDDEN", message: "Address mismatch" });
       }
-      // Query new wallets where user is a signer but not the owner
       return ctx.db.newWallet.findMany({
         where: {
           signersAddresses: {
@@ -357,7 +386,7 @@ export const walletRouter = createTRPCRouter({
     )
     .mutation(async ({ ctx, input }) => {
       const sessionAddress = requireSessionAddress(ctx);
-      const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+      const sessionWallets: string[] = ctx.sessionWallets ?? [];
       
       // Allow ownerAddress to be either the sessionAddress or any address in sessionWallets
       const isAuthorized = 
@@ -368,7 +397,7 @@ export const walletRouter = createTRPCRouter({
         throw new TRPCError({ code: "FORBIDDEN", message: "Owner address mismatch" });
       }
       const numRequired = (input.scriptType === "all" || input.scriptType === "any") ? null : input.numRequiredSigners;
-      return ctx.db.newWallet.create({
+      const wallet = await ctx.db.newWallet.create({
         data: {
           name: input.name,
           description: input.description,
@@ -382,6 +411,22 @@ export const walletRouter = createTRPCRouter({
           scriptType: input.scriptType,
         } as any,
       });
+      void audit(ctx.db, {
+        actorAddress: sessionAddress,
+        actorType: "user",
+        action: "wallet.new_create",
+        resourceType: "newWallet",
+        resourceId: wallet.id,
+        ip: ctx.ip ?? null,
+        outcome: "success",
+        metadata: {
+          scriptType: input.scriptType ?? null,
+          numRequiredSigners: numRequired,
+          signerCount: input.signersAddresses.length,
+          ownerAddress: input.ownerAddress,
+        },
+      });
+      return wallet;
     }),
 
   updateNewWallet: protectedProcedure
@@ -526,9 +571,30 @@ export const walletRouter = createTRPCRouter({
 
       if (result.count === 0) {
         // Either already claimed, not eligible, or wallet not found
+        void audit(ctx.db, {
+          actorAddress: requester,
+          actorType: "user",
+          action: "wallet.owner_claim",
+          resourceType: "newWallet",
+          resourceId: input.walletId,
+          ip: ctx.ip ?? null,
+          outcome: "denied",
+          reason: "Already claimed, not eligible, or wallet not found",
+          metadata: { requestedOwner: input.ownerAddress },
+        });
         return ctx.db.newWallet.findUnique({ where: { id: input.walletId } });
       }
 
+      void audit(ctx.db, {
+        actorAddress: requester,
+        actorType: "user",
+        action: "wallet.owner_claim",
+        resourceType: "newWallet",
+        resourceId: input.walletId,
+        ip: ctx.ip ?? null,
+        outcome: "success",
+        metadata: { newOwner: input.ownerAddress, previousOwner: "all" },
+      });
       return ctx.db.newWallet.findUnique({ where: { id: input.walletId } });
     }),
 
@@ -538,11 +604,21 @@ export const walletRouter = createTRPCRouter({
       const sessionAddress = requireSessionAddress(ctx);
       // Only owners can delete the wallet
       await assertNewWalletOwnerAccess(ctx, input.walletId, sessionAddress);
-      return ctx.db.newWallet.delete({
+      const deleted = await ctx.db.newWallet.delete({
         where: {
           id: input.walletId,
         },
       });
+      void audit(ctx.db, {
+        actorAddress: sessionAddress,
+        actorType: "user",
+        action: "wallet.new_delete",
+        resourceType: "newWallet",
+        resourceId: input.walletId,
+        ip: ctx.ip ?? null,
+        outcome: "success",
+      });
+      return deleted;
     }),
 
   updateWalletClarityApiKey: protectedProcedure
@@ -586,7 +662,7 @@ export const walletRouter = createTRPCRouter({
   clearMigrationTarget: protectedProcedure
     .input(z.object({ walletId: z.string() }))
     .mutation(async ({ ctx, input }) => {
-      const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+      const sessionWallets: string[] = ctx.sessionWallets ?? [];
       const sessionAddress = requireSessionAddress(ctx);
       const requesters = sessionWallets.length > 0 ? sessionWallets : [sessionAddress];
       await assertWalletAccess(ctx, input.walletId, requesters);
@@ -656,11 +732,11 @@ export const walletRouter = createTRPCRouter({
   archiveWallet: protectedProcedure
     .input(z.object({ walletId: z.string() }))
     .mutation(async ({ ctx, input }) => {
-      const sessionWallets: string[] = (ctx as any).sessionWallets ?? [];
+      const sessionWallets: string[] = ctx.sessionWallets ?? [];
       const sessionAddress = requireSessionAddress(ctx);
       const requesters = sessionWallets.length > 0 ? sessionWallets : [sessionAddress];
       await assertWalletAccess(ctx, input.walletId, requesters);
-      return ctx.db.wallet.update({
+      const updated = await ctx.db.wallet.update({
         where: {
           id: input.walletId,
         },
@@ -668,5 +744,15 @@ export const walletRouter = createTRPCRouter({
           isArchived: true,
         },
       });
+      void audit(ctx.db, {
+        actorAddress: sessionAddress,
+        actorType: "user",
+        action: "wallet.archive",
+        resourceType: "wallet",
+        resourceId: input.walletId,
+        ip: ctx.ip ?? null,
+        outcome: "success",
+      });
+      return updated;
     }),
 });
diff --git a/src/server/api/trpc.ts b/src/server/api/trpc.ts
index 5f4fba67..86adb02c 100644
--- a/src/server/api/trpc.ts
+++ b/src/server/api/trpc.ts
@@ -74,6 +74,30 @@ const createInnerTRPCContext = (opts: CreateContextOptions) => ({
   db,
 });
 
+/**
+ * Inferred shape of the context every tRPC procedure receives. Used as the
+ * type of `ctx` in helper functions that previously had to use `any`.
+ */
+export type TRPCContext = ReturnType<typeof createInnerTRPCContext>;
+
+/**
+ * Structural ctx shape accepted by router helpers. `protectedProcedure`'s
+ * middleware narrows `session.expires` to optional, which is not assignable
+ * to the base TRPCContext. Helpers consuming ctx use this looser shape so
+ * they accept both base and narrowed contexts.
+ */
+export type AuthCtx = {
+  db: TRPCContext["db"];
+  ip: string;
+  sessionAddress: string | null;
+  sessionWallets: string[];
+  primaryWallet: string | null;
+  session:
+    | (Omit<Session, "expires"> & { expires?: string })
+    | Session
+    | null;
+};
+
 /**
  * This is the actual context you will use in your router. It will be used to process every request
  * that goes through your tRPC endpoint.
@@ -235,7 +259,7 @@ export const protectedProcedure = t.procedure
   .use(({ ctx, next }) => {
     const hasNextAuth = !!ctx.session?.user;
     const hasWalletSession =
-      Array.isArray((ctx as any).sessionWallets) && (ctx as any).sessionWallets.length > 0;
+      Array.isArray(ctx.sessionWallets) && ctx.sessionWallets.length > 0;
 
     if (!hasNextAuth && !hasWalletSession) {
       throw new TRPCError({ code: "UNAUTHORIZED" });
@@ -248,8 +272,7 @@ export const protectedProcedure = t.procedure
     if (hasNextAuth) {
       sessionAddress = ctx.session?.user?.id ?? sessionAddress;
     } else if (!sessionAddress && hasWalletSession) {
-      const wallets = (ctx as any).sessionWallets as string[];
-      sessionAddress = wallets[0] ?? null;
+      sessionAddress = ctx.sessionWallets[0] ?? null;
     }
 
     return next({
diff --git a/src/utils/signing.ts b/src/utils/signing.ts
index 85cea045..bc8ad9b4 100644
--- a/src/utils/signing.ts
+++ b/src/utils/signing.ts
@@ -1,12 +1,20 @@
-import { checkSignature, generateNonce, IWallet } from "@meshsdk/core";
+import {
+  checkSignature,
+  DataSignature,
+  generateNonce,
+  IWallet,
+} from "@meshsdk/core";
+
+export type SignRole = 0 | 2 | 3;
 
 export async function sign(
   payload: string,
   wallet: IWallet,
-  role: number = 0,
+  role: SignRole = 0,
   userAddress?: string,
-) {
-  let address;
+  dRepAddress?: string,
+): Promise<DataSignature> {
+  let address: string | undefined;
   switch (role) {
     case 0:
       address = userAddress;
@@ -15,13 +23,25 @@ export async function sign(
       address = (await wallet.getRewardAddresses())[0];
       break;
     case 3:
-      address = "dRep address from role 3.";
+      address = dRepAddress;
+      break;
+    default: {
+      const _exhaustive: never = role;
+      throw new Error(`sign: unsupported role ${String(_exhaustive)}`);
+    }
+  }
+
+  if (!address) {
+    throw new Error("sign: missing address for the chosen role");
   }
 
   const nonce = generateNonce(payload);
   const signature = await wallet.signData(payload, address);
-  //ToDo improve signing capabilities.
-  const result = await checkSignature(nonce, signature, address);
+  const verified = await checkSignature(nonce, signature, address);
+
+  if (!verified) {
+    throw new Error("Signature failed verification");
+  }
 
-  return true ? signature : undefined;
+  return signature;
 }