diff --git a/apps/ignis-server/server/plugins/headless-sync/auth.js b/apps/ignis-server/server/plugins/headless-sync/auth.js
index 88e66cc..3a96343 100644
--- a/apps/ignis-server/server/plugins/headless-sync/auth.js
+++ b/apps/ignis-server/server/plugins/headless-sync/auth.js
@@ -83,15 +83,23 @@ function isAuthenticated(dataDir) {
 return false;
 }
+function writeSecret(file, contents) {
+ fs.writeFileSync(file, contents, { encoding: "utf-8", mode: 0o600 });
+
+ try {
+ fs.chmodSync(file, 0o600);
+ } catch {}
+}
+
 function saveInternal(dataDir, tokenData) {
 const internalFile = getInternalTokenFile(dataDir);
 const dir = path.dirname(internalFile);
 if (!fs.existsSync(dir)) {
- fs.mkdirSync(dir, { recursive: true });
+ fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
 }
- fs.writeFileSync(internalFile, JSON.stringify(tokenData, null, 2), "utf-8");
+ writeSecret(internalFile, JSON.stringify(tokenData, null, 2));
 }
 function syncToObCli(dataDir, token) {
@@ -101,10 +109,10 @@ function syncToObCli(dataDir, token) {
 const dir = path.dirname(obAuthFile);
 if (!fs.existsSync(dir)) {
- fs.mkdirSync(dir, { recursive: true });
+ fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
 }
- fs.writeFileSync(obAuthFile, token, "utf-8");
+ writeSecret(obAuthFile, token);
 } catch {}
 }
diff --git a/apps/ignis-server/server/plugins/headless-sync/sync-manager.js b/apps/ignis-server/server/plugins/headless-sync/sync-manager.js
index a89adeb..06e6b21 100644
--- a/apps/ignis-server/server/plugins/headless-sync/sync-manager.js
+++ b/apps/ignis-server/server/plugins/headless-sync/sync-manager.js
@@ -4,6 +4,7 @@ const { spawn } = require("child_process");
 const { spawnOb, runCommand } = require("./ob-cli");
 const MAX_LOG_ENTRIES = 200;
+const MAX_LOG_LINE = 4096;
 function killProcess(proc) {
 if (!proc) {
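Review bot: In `writeSecret` (auth.js) the `mode: 0o600` option only takes effect when `fs.writeFileSync` creates the file, so a token file left by an earlier version receives the new secret while it still carries its old permissions and is tightened only by the `chmodSync` that follows. Running the chmod before the write closes that window for pre-existing files. The empty `catch {}` also hides a failed chmod, which can leave a readable token file with no trace; I would ignore only `ENOENT` and report anything else through whatever logger this plugin uses (`console.warn` below is a stand-in, the logging facility is not visible in the diff).

```javascript
function writeSecret(file, contents) {
  // Tighten a pre-existing file before the new secret is written into it.
  try {
    fs.chmodSync(file, 0o600);
  } catch (err) {
    // ENOENT: nothing to tighten, the write below creates the file as 0o600.
    if (err.code !== "ENOENT") {
      console.warn(`headless-sync: could not restrict ${file}: ${err.message}`);
    }
  }

  fs.writeFileSync(file, contents, { encoding: "utf-8", mode: 0o600 });
}
```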
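Review bot: The `mode: 0o700` passed to `fs.mkdirSync` in `syncToObCli` (and in `saveInternal` in the previous hunk) is applied only when the directory is created, and both calls sit behind `!fs.existsSync(dir)`, so a directory that already exists keeps whatever permissions it had. If these directories belong to this plugin alone, an unconditional `fs.chmodSync(dir, 0o700)` after the existence check would also cover upgraded installs. If the ob CLI directory is shared with other tools, which the diff does not show, a comment such as `// existing directories keep their mode; only the token file is forced to 0o600` would at least document the gap. The enclosing `try { … } catch {}` opens outside this hunk and still swallows a failed token write silently.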
@@ -151,10 +152,13 @@ class SyncManager {
 const lines = data.toString().split("\n");
 for (const line of lines) {
- if (line.trim()) {
- this.addLog(state, line.trim());
+ const trimmed = line.trim();
+
+ if (trimmed) {
+ const capped = trimmed.slice(0, MAX_LOG_LINE);
+ this.addLog(state, capped);
 state.lastActivity = new Date().toISOString();
- this.broadcaster.broadcastLog(vaultId, line.trim());
+ this.broadcaster.broadcastLog(vaultId, capped);
 }
 }
 });
@@ -302,7 +306,7 @@ class SyncManager {
 addLog(state, line) {
 state.logs.push({
 timestamp: new Date().toISOString(),
- line,
+ line: line.slice(0, MAX_LOG_LINE),
 });
 if (state.logs.length > MAX_LOG_ENTRIES) {
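Review bot: Lines longer than `MAX_LOG_LINE` are cut silently in the child-output handler of `SyncManager`, so a reader of the stored or broadcast log cannot tell a truncated line from a complete one. Marking the cut would fix that, for example `const capped = trimmed.length > MAX_LOG_LINE ? trimmed.slice(0, MAX_LOG_LINE - 12) + " [truncated]" : trimmed;`, which leaves room for the marker so the second `slice` in `addLog` does not remove it. A short comment on the constant, `// cap per log line, counted in UTF-16 code units, not bytes`, would also help. The handler starts outside this hunk, so whether the other output stream takes the same path is not visible here.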
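Review bot: `line.slice(0, MAX_LOG_LINE)` in `addLog` throws a TypeError when `line` is not a string, whereas the previous `line,` stored any value. Callers other than the output handler are not visible in this diff, so an `Error` object or `undefined` passed from an error path would now make the logging call itself fail. `line: String(line).slice(0, MAX_LOG_LINE),` keeps the cap and tolerates non-string input. The method body continues past the end of the hunk.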