diff --git a/TODO.md b/TODO.md index 1fca198..277bf49 100644 --- a/TODO.md +++ b/TODO.md 
@@ -12,6 +12,19 @@ - [ ] **Per-project settings** — Deeper per-project configuration beyond current fields. Per-project theme override, per-project keybindings, per-project plugin enable/disable, per-project environment variables, per-project shell, per-project model preferences. Cascade: global → group → project (most specific wins). - [ ] **Custom editors (AI-augmented)** — Specialized editor panes for non-code content: image editor (crop, annotate, AI inpaint/upscale via stable diffusion API), video editor (trim, subtitle, AI transcription), audio editor (waveform, AI transcription/TTS), 3D viewer/editor (glTF/OBJ, AI mesh generation). Each as a ProjectBox tab, triggered by file extension. Evaluate: WebGL for 3D (blocked by WebKit2GTK — ties into Tauri vs WGPU decision), Canvas for 2D, Web Audio API for audio. +## Electrobun Hardening (from Codex Audit #3) + +- [ ] **Durable event sequencing** — Monotonic message indexes per session, idempotent replay on reconnect, conflict-safe persistence. Prevents message loss during concurrent agent output. Useful for session replay/debugging. +- [ ] **File-save conflict detection** — Track `mtime` + content hash before write. Atomic temp-file rename on save. Show conflict dialog if file changed externally between read and write. Prevents silent overwrites. +- [ ] **Remote credential vault** — Secure storage for relay tokens (encrypted at rest). Auto-reconnect uses stored token without re-prompting. Integrates with system keyring when available, falls back to encrypted SQLite blob. +- [ ] **Push-based task/relay updates** — Replace 5-second polling in TaskBoardTab and CommsTab with WebSocket push from btmsg/bttask backends. Request tokens or revision numbers for stale-response detection. Reduces CPU + network overhead. +- [ ] **Sidecar backpressure guard** — Max NDJSON line size (10MB), max pending stdout buffer, max terminal paste chunk (64KB). Prevents memory exhaustion from buggy/malicious sidecar runners. 
+- [ ] **Per-project retention controls** — Configurable session history retention (last N sessions, or N days). `untrackProject()` cleans up health store, agent store, search index. Prevents unbounded memory/disk growth. +- [ ] **Channel membership/ACL enforcement** — btmsg group_id validation (sender + recipient same group), channel membership checks before send, auto-add creator on channel create. Prevents cross-tenant message leakage. +- [ ] **Transport diagnostics panel** — Real-time view of PTY/relay/session persistence health. Dropped event counters, reconnection history, RPC latency histogram, buffer fill levels. Useful for debugging multi-machine setups. +- [ ] **Plugin sandbox policy layer** — Per-plugin network egress control (allow/deny), CPU time quotas (terminate after N seconds), memory limits, filesystem access scope. Prevents malicious plugins from exfiltrating data or DoS. +- [ ] **Multi-tool health tracking** — Replace `toolInFlight: boolean` with `toolsInFlight: number` counter. Accurate state machine for concurrent tool execution. Prevents false idle/stalled transitions during parallel tool use. + ## Dual-Repo & Commercial - [ ] **CLA setup** — Configure CLA-assistant.io on community repo (DexterFromLab/agent-orchestrator) before accepting external PRs.
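Review bot: the "Remote credential vault" item specifies an "encrypted SQLite blob" fallback when no system keyring is available, but says nothing about where that fallback's key comes from; an encryption key stored beside the database (or derived from nothing the user supplies) makes the fallback obfuscation rather than encryption at rest, so the item should state the key source (keyring-held key, user passphrase via a KDF, or OS-specific DPAPI-style protection) or note that the fallback is weaker than the keyring path. Two smaller points in the same hunk: "File-save conflict detection" checks `mtime` + content hash "before write", which still leaves a read-check-write window, so the item should say the hash comparison and the rename happen under a single lock and that the atomic rename only protects against partial writes, not the race itself; and "Channel membership/ACL enforcement" should say the `group_id` and membership checks run in the btmsg backend, since a check done only in the Electrobun client does not prevent cross-tenant leakage from any other caller.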