diff --git a/CHANGELOG.md b/CHANGELOG.md
index 516fc58..666a029 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,29 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Security
+- **Browser IPC hardening (SEC-01/02/03)** on the Named Pipe channel used by the browser
+  extension:
+  - **SEC-01** — removed the plaintext password fallback: an ECDH session is now mandatory and
+    the password is always AES-GCM encrypted; requests without a valid session are rejected with
+    `ecdh-session-required`.
+  - **SEC-02** — sessions are bound to the exact extension `clientId` that performed the ECDH
+    handshake, so a session cannot be reused by a different client even if its id leaks.
+  - **SEC-03** — sensitive password retrieval requires explicit user consent via a native dialog
+    ("Remember for this session", until the vault is locked). Consent and all ECDH sessions are
+    cleared on vault lock.
+  - Hardening: `unlock-vault` attempts over IPC are rate-limited (lockout after repeated
+    failures) and the number of concurrent ECDH sessions is capped.
+
+### Added
+- **Browser extension**: autofill success toast ("Credentials filled on {site}") and a visible
+  connection-status indicator ("Connected"/"Locked") in the popup header (6 languages).
+
+### Fixed
+- **Browser extension**: the popup no longer prompts for consent when it opens (consent applies
+  only to actual password retrieval); per-action request timeouts prevent spurious "PassKey is
+  not running" during slow operations such as consent or unlock.
+
 ## [2.0.0] - 2026-06-04
 
 ### Added
diff --git a/extensions/chrome/background.js b/extensions/chrome/background.js
index bb01206..facde3b 100644
--- a/extensions/chrome/background.js
+++ b/extensions/chrome/background.js
@@ -16,6 +16,16 @@ importScripts('lib/messages.js', 'lib/crypto.js');
 const NATIVE_HOST = 'com.passkey.host';
 const REQUEST_TIMEOUT_MS = 5000;
 
+// Some actions wait on a human (SEC-03 consent dialog) or a slow KDF (unlock) on the Desktop
+// side, so they need a longer timeout than the default request.
+const TIMEOUT_OVERRIDES = {
+  'get-credential-password': 120000, // may wait for the user's consent dialog
+  'unlock-vault': 30000,             // Argon2id KDF on the Desktop
+};
+function timeoutForAction(action) {
+  return TIMEOUT_OVERRIDES[action] ?? REQUEST_TIMEOUT_MS;
+}
+
 // ─── State (lost on service worker restart — re-established automatically) ────
 
 let port = null;
@@ -90,7 +100,7 @@ function sendNativeMessage(message) {
     const timeoutId = setTimeout(() => {
       pendingRequests.delete(message.requestId);
       reject(new Error('timeout'));
-    }, REQUEST_TIMEOUT_MS);
+    }, timeoutForAction(message.action));
 
     pendingRequests.set(message.requestId, { resolve, reject, timeoutId });
 
@@ -278,7 +288,7 @@ async function handleCopyCredential(credentialId) {
     // Desktop always returns an AES-GCM encrypted password tied to the ECDH session.
     // A missing nonce means no valid session — never accept a plaintext fallback.
     if (!resp.payload?.nonce || resp.payload.nonce.length === 0) {
-      return { success: false, error: 'no-session' };
+      return { success: false, error: 'ecdh-session-required' };
     }
     const password = await decryptPassword(sessionKey, resp.payload.nonce, resp.payload.encryptedPassword);
     return { success: true, password };
@@ -380,7 +390,7 @@ async function handleFillCredential(credentialId, username, tabId) {
     // Desktop always returns an AES-GCM encrypted password tied to the ECDH session.
     // A missing nonce means no valid session — never accept a plaintext fallback.
     if (!resp.payload?.nonce || resp.payload.nonce.length === 0) {
-      return { success: false, error: 'no-session' };
+      return { success: false, error: 'ecdh-session-required' };
     }
     const password = await decryptPassword(
       sessionKey,
diff --git a/extensions/chrome/lib/i18n.js b/extensions/chrome/lib/i18n.js
index cf492b6..74c62e1 100644
--- a/extensions/chrome/lib/i18n.js
+++ b/extensions/chrome/lib/i18n.js
@@ -54,6 +54,7 @@ const STRINGS = {
     // Feedback
     copied:              'Copiato!',
     copyError:           'Errore',
+    filledIn:            (site) => `Credenziali inserite in ${site}`,
     // Footer
     openApp:             'Apri PassKey',
   },
@@ -86,6 +87,7 @@ const STRINGS = {
     hasPassword:         'Password saved',
     copied:              'Copied!',
     copyError:           'Error',
+    filledIn:            (site) => `Credentials filled on ${site}`,
     openApp:             'Open PassKey',
   },
   fr: {
@@ -117,6 +119,7 @@ const STRINGS = {
     hasPassword:         'Mot de passe enregistré',
     copied:              'Copié !',
     copyError:           'Erreur',
+    filledIn:            (site) => `Identifiants saisis sur ${site}`,
     openApp:             'Ouvrir PassKey',
   },
   de: {
@@ -148,6 +151,7 @@ const STRINGS = {
     hasPassword:         'Passwort gespeichert',
     copied:              'Kopiert!',
     copyError:           'Fehler',
+    filledIn:            (site) => `Anmeldedaten in ${site} eingetragen`,
     openApp:             'PassKey öffnen',
   },
   es: {
@@ -179,6 +183,7 @@ const STRINGS = {
     hasPassword:         'Contraseña guardada',
     copied:              '¡Copiado!',
     copyError:           'Error',
+    filledIn:            (site) => `Credenciales rellenadas en ${site}`,
     openApp:             'Abrir PassKey',
   },
   pt: {
@@ -210,6 +215,7 @@ const STRINGS = {
     hasPassword:         'Senha guardada',
     copied:              'Copiado!',
     copyError:           'Erro',
+    filledIn:            (site) => `Credenciais preenchidas em ${site}`,
     openApp:             'Abrir PassKey',
   },
 };
diff --git a/extensions/chrome/popup/popup.css b/extensions/chrome/popup/popup.css
index a74b94c..bc3c3c0 100644
--- a/extensions/chrome/popup/popup.css
+++ b/extensions/chrome/popup/popup.css
@@ -110,6 +110,13 @@ body {
 .pk-status.locked       { background: var(--pk-warning); }
 .pk-status.disconnected { background: var(--pk-error); }
 
+/* Status text (T6.3) — visible connection status next to the dot */
+.pk-status-text {
+  font-size: 11px;
+  color: var(--pk-text-2);
+  white-space: nowrap;
+}
+
 /* Domain badge */
 .pk-domain {
   display: flex;
@@ -460,3 +467,21 @@ body {
   to   { transform: rotate(360deg); }
 }
 .pk-spin { animation: pk-spin 0.7s linear infinite; display: block; }
+
+/* ── Autofill success toast (T6.2) ──────────────────────────────────────── */
+.pk-toast {
+  position: fixed;
+  left: 50%;
+  bottom: 52px;
+  transform: translateX(-50%);
+  max-width: 320px;
+  padding: 8px 14px;
+  border-radius: 6px;
+  background: var(--pk-success);
+  color: #fff;
+  font-size: 12px;
+  font-weight: 500;
+  text-align: center;
+  box-shadow: 0 2px 8px rgba(0,0,0,0.25);
+  z-index: 10;
+}
diff --git a/extensions/chrome/popup/popup.html b/extensions/chrome/popup/popup.html
index b85d287..47d1490 100644
--- a/extensions/chrome/popup/popup.html
+++ b/extensions/chrome/popup/popup.html
@@ -12,7 +12,8 @@
   <header class="pk-header">
     <img src="../icons/icon-32.png" alt="" class="pk-logo" aria-hidden="true">
     <span class="pk-title">PassKey</span>
-    <div id="status-dot" class="pk-status" role="status" aria-live="polite" aria-label=""></div>
+    <span id="status-text" class="pk-status-text" role="status" aria-live="polite"></span>
+    <div id="status-dot" class="pk-status" aria-hidden="true"></div>
   </header>
 
   <!-- Domain badge (shown when valid HTTP URL) -->
@@ -124,6 +125,9 @@ <h2 id="empty-title" class="pk-state-title pk-state-title--sm"></h2>
     <ul id="credentials-list" class="pk-cred-list" role="list"></ul>
   </div>
 
+  <!-- Autofill success toast (T6.2) -->
+  <div id="pk-toast" class="pk-toast" role="status" aria-live="polite" hidden></div>
+
   <!-- Footer -->
   <footer class="pk-footer">
     <button id="btn-open-app" class="pk-footer-link" type="button"></button>
diff --git a/extensions/chrome/popup/popup.js b/extensions/chrome/popup/popup.js
index 37f755d..b8a31d5 100644
--- a/extensions/chrome/popup/popup.js
+++ b/extensions/chrome/popup/popup.js
@@ -73,9 +73,11 @@ let isHttpUrl       = false;
 const $ = id => document.getElementById(id);
 
 const statusDot         = $('status-dot');
+const statusText        = $('status-text');
 const domainBadge       = $('domain-badge');
 const domainText        = $('domain-text');
 const copyFeedback      = $('copy-feedback');
+const pkToast           = $('pk-toast');
 const loadingText       = $('loading-text');
 const disconnectedTitle = $('disconnected-title');
 const disconnectedSub   = $('disconnected-sub');
@@ -148,7 +150,10 @@ function setState(state) {
  */
 function setStatus(type) {
   statusDot.className = `pk-status ${type}`;
-  statusDot.setAttribute('aria-label', window.t[`status${type.charAt(0).toUpperCase()+type.slice(1)}`] || type);
+  const cap = type ? type.charAt(0).toUpperCase() + type.slice(1) : 'Connecting';
+  const label = window.t[`status${cap}`] || '';
+  statusDot.setAttribute('aria-label', label);
+  if (statusText) statusText.textContent = label;
 }
 
 // ─── Main init ────────────────────────────────────────────────────────────────
@@ -511,19 +516,51 @@ async function onFill(cred, btn) {
     setSvgIcon(iconTarget, SPIN_SVG);
     btn.disabled = true;
   }
+
+  let ok = false;
+  let site = '';
   try {
     // Re-query active tab at fill time to avoid stale tab ID (user may have
     // switched tabs without closing the popup).
     const [activeTab] = await chrome.tabs.query({ active: true, currentWindow: true });
     if (!activeTab?.id) { window.close(); return; }
-    await chrome.runtime.sendMessage({
+    site = domainOf(activeTab.url);
+    const resp = await chrome.runtime.sendMessage({
       type: 'fill-credential',
       id: cred.id,
       username: cred.username,
       tabId: activeTab.id
     });
+    ok = resp?.success === true;
   } catch { /* ignore */ }
-  window.close();
+
+  // T6.2: show a success toast briefly, then close. On failure close immediately.
+  if (ok) {
+    showToast(window.t.filledIn(site));
+    setTimeout(() => window.close(), 1200);
+  } else {
+    window.close();
+  }
+}
+
+/**
+ * Extracts the hostname from a URL (strips a leading "www."), or "" for non-URL inputs.
+ *
+ * @param {string|undefined} url - The URL to parse.
+ * @returns {string} The hostname without "www.", or an empty string.
+ */
+function domainOf(url) {
+  try { return new URL(url).hostname.replace(/^www\./, ''); } catch { return ''; }
+}
+
+/**
+ * Shows the autofill success toast. The popup closes shortly after, so no auto-hide is needed.
+ *
+ * @param {string} msg - Localized message to display.
+ */
+function showToast(msg) {
+  pkToast.textContent = msg;
+  pkToast.hidden = false;
 }
 
 /**
diff --git a/extensions/firefox/background.js b/extensions/firefox/background.js
index 05f64b8..638e4cf 100644
--- a/extensions/firefox/background.js
+++ b/extensions/firefox/background.js
@@ -16,6 +16,16 @@
 const NATIVE_HOST = 'com.passkey.host';
 const REQUEST_TIMEOUT_MS = 5000;
 
+// Some actions wait on a human (SEC-03 consent dialog) or a slow KDF (unlock) on the Desktop
+// side, so they need a longer timeout than the default request.
+const TIMEOUT_OVERRIDES = {
+  'get-credential-password': 120000, // may wait for the user's consent dialog
+  'unlock-vault': 30000,             // Argon2id KDF on the Desktop
+};
+function timeoutForAction(action) {
+  return TIMEOUT_OVERRIDES[action] ?? REQUEST_TIMEOUT_MS;
+}
+
 // ─── State (lost on event page unload — re-established automatically) ─────────
 
 let port = null;
@@ -93,7 +103,7 @@ function sendNativeMessage(message) {
     const timeoutId = setTimeout(() => {
       pendingRequests.delete(message.requestId);
       reject(new Error('timeout'));
-    }, REQUEST_TIMEOUT_MS);
+    }, timeoutForAction(message.action));
 
     pendingRequests.set(message.requestId, { resolve, reject, timeoutId });
 
@@ -281,7 +291,7 @@ async function handleCopyCredential(credentialId) {
     // Desktop always returns an AES-GCM encrypted password tied to the ECDH session.
     // A missing nonce means no valid session — never accept a plaintext fallback.
     if (!resp.payload?.nonce || resp.payload.nonce.length === 0) {
-      return { success: false, error: 'no-session' };
+      return { success: false, error: 'ecdh-session-required' };
     }
     const password = await decryptPassword(sessionKey, resp.payload.nonce, resp.payload.encryptedPassword);
     return { success: true, password };
@@ -383,7 +393,7 @@ async function handleFillCredential(credentialId, username, tabId) {
     // Desktop always returns an AES-GCM encrypted password tied to the ECDH session.
     // A missing nonce means no valid session — never accept a plaintext fallback.
     if (!resp.payload?.nonce || resp.payload.nonce.length === 0) {
-      return { success: false, error: 'no-session' };
+      return { success: false, error: 'ecdh-session-required' };
     }
     const password = await decryptPassword(
       sessionKey,
diff --git a/extensions/firefox/lib/i18n.js b/extensions/firefox/lib/i18n.js
index cf492b6..74c62e1 100644
--- a/extensions/firefox/lib/i18n.js
+++ b/extensions/firefox/lib/i18n.js
@@ -54,6 +54,7 @@ const STRINGS = {
     // Feedback
     copied:              'Copiato!',
     copyError:           'Errore',
+    filledIn:            (site) => `Credenziali inserite in ${site}`,
     // Footer
     openApp:             'Apri PassKey',
   },
@@ -86,6 +87,7 @@ const STRINGS = {
     hasPassword:         'Password saved',
     copied:              'Copied!',
     copyError:           'Error',
+    filledIn:            (site) => `Credentials filled on ${site}`,
     openApp:             'Open PassKey',
   },
   fr: {
@@ -117,6 +119,7 @@ const STRINGS = {
     hasPassword:         'Mot de passe enregistré',
     copied:              'Copié !',
     copyError:           'Erreur',
+    filledIn:            (site) => `Identifiants saisis sur ${site}`,
     openApp:             'Ouvrir PassKey',
   },
   de: {
@@ -148,6 +151,7 @@ const STRINGS = {
     hasPassword:         'Passwort gespeichert',
     copied:              'Kopiert!',
     copyError:           'Fehler',
+    filledIn:            (site) => `Anmeldedaten in ${site} eingetragen`,
     openApp:             'PassKey öffnen',
   },
   es: {
@@ -179,6 +183,7 @@ const STRINGS = {
     hasPassword:         'Contraseña guardada',
     copied:              '¡Copiado!',
     copyError:           'Error',
+    filledIn:            (site) => `Credenciales rellenadas en ${site}`,
     openApp:             'Abrir PassKey',
   },
   pt: {
@@ -210,6 +215,7 @@ const STRINGS = {
     hasPassword:         'Senha guardada',
     copied:              'Copiado!',
     copyError:           'Erro',
+    filledIn:            (site) => `Credenciais preenchidas em ${site}`,
     openApp:             'Abrir PassKey',
   },
 };
diff --git a/extensions/firefox/popup/popup.css b/extensions/firefox/popup/popup.css
index a74b94c..bc3c3c0 100644
--- a/extensions/firefox/popup/popup.css
+++ b/extensions/firefox/popup/popup.css
@@ -110,6 +110,13 @@ body {
 .pk-status.locked       { background: var(--pk-warning); }
 .pk-status.disconnected { background: var(--pk-error); }
 
+/* Status text (T6.3) — visible connection status next to the dot */
+.pk-status-text {
+  font-size: 11px;
+  color: var(--pk-text-2);
+  white-space: nowrap;
+}
+
 /* Domain badge */
 .pk-domain {
   display: flex;
@@ -460,3 +467,21 @@ body {
   to   { transform: rotate(360deg); }
 }
 .pk-spin { animation: pk-spin 0.7s linear infinite; display: block; }
+
+/* ── Autofill success toast (T6.2) ──────────────────────────────────────── */
+.pk-toast {
+  position: fixed;
+  left: 50%;
+  bottom: 52px;
+  transform: translateX(-50%);
+  max-width: 320px;
+  padding: 8px 14px;
+  border-radius: 6px;
+  background: var(--pk-success);
+  color: #fff;
+  font-size: 12px;
+  font-weight: 500;
+  text-align: center;
+  box-shadow: 0 2px 8px rgba(0,0,0,0.25);
+  z-index: 10;
+}
diff --git a/extensions/firefox/popup/popup.html b/extensions/firefox/popup/popup.html
index b85d287..47d1490 100644
--- a/extensions/firefox/popup/popup.html
+++ b/extensions/firefox/popup/popup.html
@@ -12,7 +12,8 @@
   <header class="pk-header">
     <img src="../icons/icon-32.png" alt="" class="pk-logo" aria-hidden="true">
     <span class="pk-title">PassKey</span>
-    <div id="status-dot" class="pk-status" role="status" aria-live="polite" aria-label=""></div>
+    <span id="status-text" class="pk-status-text" role="status" aria-live="polite"></span>
+    <div id="status-dot" class="pk-status" aria-hidden="true"></div>
   </header>
 
   <!-- Domain badge (shown when valid HTTP URL) -->
@@ -124,6 +125,9 @@ <h2 id="empty-title" class="pk-state-title pk-state-title--sm"></h2>
     <ul id="credentials-list" class="pk-cred-list" role="list"></ul>
   </div>
 
+  <!-- Autofill success toast (T6.2) -->
+  <div id="pk-toast" class="pk-toast" role="status" aria-live="polite" hidden></div>
+
   <!-- Footer -->
   <footer class="pk-footer">
     <button id="btn-open-app" class="pk-footer-link" type="button"></button>
diff --git a/extensions/firefox/popup/popup.js b/extensions/firefox/popup/popup.js
index 5cf1d62..2bcb6ce 100644
--- a/extensions/firefox/popup/popup.js
+++ b/extensions/firefox/popup/popup.js
@@ -74,9 +74,11 @@ let isHttpUrl       = false;
 const $ = id => document.getElementById(id);
 
 const statusDot         = $('status-dot');
+const statusText        = $('status-text');
 const domainBadge       = $('domain-badge');
 const domainText        = $('domain-text');
 const copyFeedback      = $('copy-feedback');
+const pkToast           = $('pk-toast');
 const loadingText       = $('loading-text');
 const disconnectedTitle = $('disconnected-title');
 const disconnectedSub   = $('disconnected-sub');
@@ -147,7 +149,10 @@ function setState(state) {
  */
 function setStatus(type) {
   statusDot.className = `pk-status ${type}`;
-  statusDot.setAttribute('aria-label', window.t[`status${type.charAt(0).toUpperCase()+type.slice(1)}`] || type);
+  const cap = type ? type.charAt(0).toUpperCase() + type.slice(1) : 'Connecting';
+  const label = window.t[`status${cap}`] || '';
+  statusDot.setAttribute('aria-label', label);
+  if (statusText) statusText.textContent = label;
 }
 
 // ─── Main init ────────────────────────────────────────────────────────────────
@@ -510,17 +515,49 @@ async function onFill(cred, btn) {
     setSvgIcon(iconTarget, SPIN_SVG);
     btn.disabled = true;
   }
+
+  let ok = false;
+  let site = '';
   try {
     const [activeTab] = await browser.tabs.query({ active: true, currentWindow: true });
     if (!activeTab?.id) { window.close(); return; }
-    await browser.runtime.sendMessage({
+    site = domainOf(activeTab.url);
+    const resp = await browser.runtime.sendMessage({
       type: 'fill-credential',
       id: cred.id,
       username: cred.username,
       tabId: activeTab.id
     });
+    ok = resp?.success === true;
   } catch { /* ignore */ }
-  window.close();
+
+  // T6.2: show a success toast briefly, then close. On failure close immediately.
+  if (ok) {
+    showToast(window.t.filledIn(site));
+    setTimeout(() => window.close(), 1200);
+  } else {
+    window.close();
+  }
+}
+
+/**
+ * Extracts the hostname from a URL (strips a leading "www."), or "" for non-URL inputs.
+ *
+ * @param {string|undefined} url - The URL to parse.
+ * @returns {string} The hostname without "www.", or an empty string.
+ */
+function domainOf(url) {
+  try { return new URL(url).hostname.replace(/^www\./, ''); } catch { return ''; }
+}
+
+/**
+ * Shows the autofill success toast. The popup closes shortly after, so no auto-hide is needed.
+ *
+ * @param {string} msg - Localized message to display.
+ */
+function showToast(msg) {
+  pkToast.textContent = msg;
+  pkToast.hidden = false;
 }
 
 /**
diff --git a/scripts/ipc-security-test.ps1 b/scripts/ipc-security-test.ps1
new file mode 100644
index 0000000..c941738
--- /dev/null
+++ b/scripts/ipc-security-test.ps1
@@ -0,0 +1,348 @@
+#requires -Version 7.0
+<#
+.SYNOPSIS
+    Harness di sicurezza per il canale IPC Named Pipe di PassKey (\\.\pipe\PassKey.IPC).
+    Riproduce e verifica le 3 criticità SEC-01/02/03 del Cluster 6 + hardening collaterale.
+
+.DESCRIPTION
+    Questo è il "cliente d'attacco" della Fase A / Fase E della checklist di sicurezza
+    (piano-revisione-correzione-miglioramento.md).
+
+    - FASE A (baseline): eseguito su un Desktop VULNERABILE → gli attacchi RIESCONO.
+    - FASE E (verifica): eseguito sul Desktop CORRETTO → gli attacchi DEVONO fallire.
+
+    Parla il protocollo wire reale del server (BrowserIpcService.cs):
+      * frame = [4 byte length little-endian][JSON UTF-8]
+      * UNA richiesta per connessione (il server chiude il pipe dopo ogni risposta)
+      * envelope camelCase: version, action, requestId, clientId, payload
+      * handshake ECDH P-256 -> HKDF-SHA256 (info "PassKey-IPC-Session") -> AES-256-GCM
+
+    REQUISITI PER L'ESECUZIONE (parte del gate di test utente):
+      * PassKey Desktop in esecuzione.
+      * Vault SBLOCCATO per i test SEC-01/02/03 e l'happy-path.
+      * Esegui anche una passata con vault BLOCCATO per verificare il fail-safe 'vault-locked'.
+
+    NON stampa MAI password in chiaro: i segreti recuperati sono mascherati (lunghezza + ****).
+
+.PARAMETER PipeName
+    Nome del pipe (default: PassKey.IPC).
+
+.PARAMETER Url
+    URL usato per il test get-credentials (default: https://example.com).
+
+.EXAMPLE
+    pwsh -NoProfile -File .\scripts\ipc-security-test.ps1
+#>
+
+[CmdletBinding()]
+param(
+    [string]$PipeName = 'PassKey.IPC',
+    [string]$Url      = 'https://example.com'
+)
+
+Set-StrictMode -Version Latest
+$ErrorActionPreference = 'Stop'
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Risultati
+# ─────────────────────────────────────────────────────────────────────────────
+$script:Results = [System.Collections.Generic.List[object]]::new()
+
+function Add-Result {
+    param(
+        [Parameter(Mandatory)] [string]$Id,
+        [Parameter(Mandatory)] [string]$Name,
+        [Parameter(Mandatory)] [ValidateSet('SECURE', 'VULNERABLE', 'INFO', 'SKIP', 'ERROR')] [string]$Verdict,
+        [string]$Detail = ''
+    )
+    $script:Results.Add([pscustomobject]@{ Id = $Id; Name = $Name; Verdict = $Verdict; Detail = $Detail })
+    $color = switch ($Verdict) {
+        'SECURE'     { 'Green' }
+        'VULNERABLE' { 'Red' }
+        'ERROR'      { 'Red' }
+        'SKIP'       { 'DarkYellow' }
+        default      { 'Gray' }
+    }
+    Write-Host ("  [{0,-10}] {1} — {2} {3}" -f $Verdict, $Id, $Name, ($(if ($Detail) { "→ $Detail" } else { '' }))) -ForegroundColor $color
+}
+
+function Mask-Secret {
+    param([string]$s)
+    if ([string]::IsNullOrEmpty($s)) { return '(vuota)' }
+    return ("len={0} «{1}****»" -f $s.Length, ($s.Substring(0, [Math]::Min(2, $s.Length))))
+}
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Trasporto: una richiesta per connessione (il server chiude dopo ogni risposta)
+# ─────────────────────────────────────────────────────────────────────────────
+function Read-Exact {
+    param([System.IO.Stream]$Stream, [int]$Count)
+    $buf = New-Object byte[] $Count
+    $off = 0
+    while ($off -lt $Count) {
+        $n = $Stream.Read($buf, $off, $Count - $off)
+        if ($n -le 0) { throw "Stream chiuso dopo $off/$Count byte." }
+        $off += $n
+    }
+    return ,$buf
+}
+
+function Invoke-Ipc {
+    <# Apre una connessione, invia UN envelope, legge UNA risposta, chiude. #>
+    param(
+        [Parameter(Mandatory)] [string]$Action,
+        $Payload    = $null,
+        [string]$ClientId = 'pk-sec-test',
+        [int]$TimeoutMs   = 5000
+    )
+    if (-not [BitConverter]::IsLittleEndian) { throw "Piattaforma big-endian non supportata." }
+
+    $envelope = [ordered]@{
+        version   = 1
+        action    = $Action
+        requestId = [guid]::NewGuid().ToString()
+        clientId  = $ClientId
+        payload   = $Payload
+    }
+    $json  = $envelope | ConvertTo-Json -Depth 8 -Compress
+    $bytes = [System.Text.Encoding]::UTF8.GetBytes($json)
+
+    $pipe = [System.IO.Pipes.NamedPipeClientStream]::new('.', $PipeName, [System.IO.Pipes.PipeDirection]::InOut)
+    try {
+        $pipe.Connect($TimeoutMs)
+        $len = [BitConverter]::GetBytes([int]$bytes.Length)   # little-endian su Windows
+        $pipe.Write($len, 0, 4)
+        $pipe.Write($bytes, 0, $bytes.Length)
+        $pipe.Flush()
+
+        $lenBuf = Read-Exact -Stream $pipe -Count 4
+        $respLen = [BitConverter]::ToInt32($lenBuf, 0)
+        if ($respLen -le 0 -or $respLen -gt 1MB) { throw "Lunghezza risposta non valida: $respLen" }
+        $respBuf = Read-Exact -Stream $pipe -Count $respLen
+        $respJson = [System.Text.Encoding]::UTF8.GetString($respBuf)
+        return $respJson | ConvertFrom-Json
+    }
+    finally {
+        $pipe.Dispose()
+    }
+}
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Handshake ECDH legittimo (come l'estensione reale)
+# ─────────────────────────────────────────────────────────────────────────────
+function New-EcdhSession {
+    param([string]$ClientId = 'pk-sec-test')
+
+    $ecdh = [System.Security.Cryptography.ECDiffieHellman]::Create([System.Security.Cryptography.ECCurve+NamedCurves]::nistP256)
+    try {
+        $spki   = $ecdh.ExportSubjectPublicKeyInfo()
+        $pubB64 = [Convert]::ToBase64String($spki)
+
+        $resp = Invoke-Ipc -Action 'exchange-keys' -Payload @{ publicKey = $pubB64 } -ClientId $ClientId
+        if (-not $resp.success) { throw "exchange-keys fallito: $($resp.error)" }
+
+        $serverSpki  = [Convert]::FromBase64String($resp.payload.publicKey)
+        $serverEcdh  = [System.Security.Cryptography.ECDiffieHellman]::Create()
+        $br = 0
+        $serverEcdh.ImportSubjectPublicKeyInfo($serverSpki, [ref]$br)
+
+        $shared = $ecdh.DeriveRawSecretAgreement($serverEcdh.PublicKey)
+        $info   = [System.Text.Encoding]::UTF8.GetBytes('PassKey-IPC-Session')
+        $key    = [System.Security.Cryptography.HKDF]::DeriveKey(
+            [System.Security.Cryptography.HashAlgorithmName]::SHA256, $shared, 32, $null, $info)
+
+        return [pscustomobject]@{ SessionId = $resp.payload.sessionId; Key = $key; ClientId = $ClientId }
+    }
+    finally {
+        $ecdh.Dispose()
+    }
+}
+
+function Unprotect-Password {
+    param([byte[]]$Key, [string]$NonceB64, [string]$EncB64)
+    $enc   = [Convert]::FromBase64String($EncB64)
+    $nonce = [Convert]::FromBase64String($NonceB64)
+    $tagLen = 16
+    if ($enc.Length -lt $tagLen) { throw "Ciphertext troppo corto." }
+    $ct  = $enc[0..($enc.Length - $tagLen - 1)]
+    $tag = $enc[($enc.Length - $tagLen)..($enc.Length - 1)]
+    $pt  = New-Object byte[] $ct.Length
+    $gcm = [System.Security.Cryptography.AesGcm]::new($Key, 16)
+    try {
+        $gcm.Decrypt($nonce, $ct, $tag, $pt)
+        return [System.Text.Encoding]::UTF8.GetString($pt)
+    }
+    finally { $gcm.Dispose() }
+}
+
+# ═════════════════════════════════════════════════════════════════════════════
+# ESECUZIONE
+# ═════════════════════════════════════════════════════════════════════════════
+Write-Host "`n=== PassKey IPC Security Test — pipe \\.\pipe\$PipeName ===`n" -ForegroundColor Cyan
+
+# --- T0: connettività + stato vault -----------------------------------------
+$unlocked = $false
+try {
+    $status = Invoke-Ipc -Action 'get-status'
+    if ($status.success) {
+        $unlocked = [bool]$status.payload.unlocked
+        Add-Result -Id 'T0' -Name 'Connettività + get-status' -Verdict 'INFO' `
+            -Detail ("unlocked={0}, entries={1}" -f $unlocked, $status.payload.entryCount)
+    } else {
+        Add-Result -Id 'T0' -Name 'Connettività' -Verdict 'ERROR' -Detail "get-status error: $($status.error)"
+    }
+}
+catch {
+    Add-Result -Id 'T0' -Name 'Connettività' -Verdict 'ERROR' -Detail "Desktop non in esecuzione? $($_.Exception.Message)"
+    Write-Host "`nImpossibile connettersi al pipe. Avvia PassKey Desktop e riprova.`n" -ForegroundColor Red
+    return
+}
+
+# --- Sessione legittima + recupero di un id credenziale ----------------------
+$legit = $null
+$sampleId = $null
+if ($unlocked) {
+    try {
+        $legit = New-EcdhSession -ClientId 'pk-legit'
+        Add-Result -Id 'S0' -Name 'Handshake ECDH legittimo' -Verdict 'INFO' -Detail "sessionId ok"
+
+        # get-all-credentials con sessione legittima: dopo SEC-03 questo richiede CONSENSO (dialog).
+        $all = Invoke-Ipc -Action 'get-all-credentials' -ClientId 'pk-legit'
+        if ($all.success -and $all.payload.credentials.Count -gt 0) {
+            $sampleId = $all.payload.credentials[0].id
+        }
+    }
+    catch {
+        Add-Result -Id 'S0' -Name 'Handshake/lista' -Verdict 'ERROR' -Detail $_.Exception.Message
+    }
+} else {
+    Add-Result -Id 'S0' -Name 'Setup test' -Verdict 'SKIP' -Detail 'Vault bloccato: vedi sezione fail-safe in fondo'
+}
+
+# --- SEC-01: password senza sessione ECDH ------------------------------------
+# Atteso SICURO: error 'ecdh-session-required' e NESSUNA password.
+# VULNERABILE: ritorna payload con password (in chiaro o comunque servita).
+if ($unlocked -and $sampleId) {
+    try {
+        $r = Invoke-Ipc -Action 'get-credential-password' -Payload @{ id = $sampleId } -ClientId 'pk-attacker'
+        if (-not $r.success -and $r.error -eq 'ecdh-session-required') {
+            Add-Result -Id 'SEC-01' -Name 'Plaintext fallback senza handshake' -Verdict 'SECURE' -Detail "error=$($r.error)"
+        }
+        elseif (-not $r.success -and $r.error -eq 'no-session') {
+            Add-Result -Id 'SEC-01' -Name 'Plaintext fallback senza handshake' -Verdict 'SECURE' `
+                -Detail "error=no-session (da allineare a 'ecdh-session-required')"
+        }
+        elseif ($r.success -and $r.payload.encryptedPassword) {
+            $nonceEmpty = [string]::IsNullOrEmpty($r.payload.nonce)
+            Add-Result -Id 'SEC-01' -Name 'Plaintext fallback senza handshake' -Verdict 'VULNERABLE' `
+                -Detail ("password SERVITA senza sessione (nonce vuoto={0})" -f $nonceEmpty)
+        }
+        else {
+            Add-Result -Id 'SEC-01' -Name 'Plaintext fallback senza handshake' -Verdict 'INFO' -Detail "risposta inattesa: success=$($r.success) error=$($r.error)"
+        }
+    }
+    catch { Add-Result -Id 'SEC-01' -Name 'Plaintext fallback' -Verdict 'ERROR' -Detail $_.Exception.Message }
+} else {
+    Add-Result -Id 'SEC-01' -Name 'Plaintext fallback' -Verdict 'SKIP' -Detail 'serve vault sbloccato + almeno 1 credenziale'
+}
+
+# --- SEC-02: dirottamento sessione (clientId non corrispondente) -------------
+# Usa il sessionId della sessione legittima ma con un clientId diverso.
+# Atteso SICURO: rifiutata (la sessione è legata al clientId dell'handshake).
+# VULNERABILE: la richiesta viene servita (binding assente o solo via sessionId).
+if ($unlocked -and $sampleId -and $legit) {
+    try {
+        $r = Invoke-Ipc -Action 'get-credential-password' `
+            -Payload @{ id = $sampleId; sessionId = $legit.SessionId } -ClientId 'pk-hijacker'
+        if (-not $r.success) {
+            Add-Result -Id 'SEC-02' -Name 'Hijack sessione via clientId errato' -Verdict 'SECURE' -Detail "error=$($r.error)"
+        }
+        elseif ($r.success -and $r.payload.encryptedPassword) {
+            Add-Result -Id 'SEC-02' -Name 'Hijack sessione via clientId errato' -Verdict 'VULNERABLE' `
+                -Detail "il server ha servito la password a un clientId diverso da quello dell'handshake"
+        }
+        else {
+            Add-Result -Id 'SEC-02' -Name 'Hijack sessione' -Verdict 'INFO' -Detail "risposta inattesa"
+        }
+    }
+    catch { Add-Result -Id 'SEC-02' -Name 'Hijack sessione' -Verdict 'ERROR' -Detail $_.Exception.Message }
+} else {
+    Add-Result -Id 'SEC-02' -Name 'Hijack sessione' -Verdict 'SKIP' -Detail 'serve setup completo'
+}
+
+# --- SEC-03: consenso — ora SOLO su get-credential-password ------------------
+# Design corrente: get-all-credentials NON chiede consenso (espone solo metadati:
+# titoli/username, nessuna password) → restituisce subito = comportamento ATTESO.
+# Il consenso vero è verificato dal test FUNC (get-credential-password → dialog sul Desktop).
+if ($unlocked -and $legit) {
+    try {
+        $sw = [System.Diagnostics.Stopwatch]::StartNew()
+        $r  = Invoke-Ipc -Action 'get-all-credentials' -ClientId 'pk-legit'
+        $sw.Stop()
+        if ($r.success) {
+            Add-Result -Id 'SEC-03' -Name 'get-all-credentials senza prompt (atteso)' -Verdict 'SECURE' `
+                -Detail ("metadati restituiti in {0}ms, nessun dialog — consenso spostato su copia/compila password" -f $sw.ElapsedMilliseconds)
+        }
+        else {
+            Add-Result -Id 'SEC-03' -Name 'get-all-credentials' -Verdict 'INFO' -Detail "success=$($r.success) error=$($r.error)"
+        }
+    }
+    catch { Add-Result -Id 'SEC-03' -Name 'get-all-credentials' -Verdict 'ERROR' -Detail $_.Exception.Message }
+} else {
+    Add-Result -Id 'SEC-03' -Name 'get-all-credentials' -Verdict 'SKIP' -Detail 'serve vault sbloccato'
+}
+
+# --- FUNC + SEC-03 consenso: happy-path cifrato CON dialog di consenso --------
+# Sessione valida + clientId corrispondente → supera i controlli SEC-01/02 e arriva
+# al consenso SEC-03 → sul Desktop compare il dialog: clicca CONSENTI per il decrypt,
+# oppure NEGA per verificare che non esca nulla (error=consent-denied).
+if ($unlocked -and $sampleId -and $legit) {
+    Write-Host "  [FUNC/SEC-03] osserva il Desktop: comparira' il dialog di consenso → clicca CONSENTI" -ForegroundColor Yellow
+    try {
+        $r = Invoke-Ipc -Action 'get-credential-password' `
+            -Payload @{ id = $sampleId; sessionId = $legit.SessionId } -ClientId $legit.ClientId -TimeoutMs 120000
+        if ($r.success -and $r.payload.nonce) {
+            $pw = Unprotect-Password -Key $legit.Key -NonceB64 $r.payload.nonce -EncB64 $r.payload.encryptedPassword
+            Add-Result -Id 'FUNC' -Name 'Happy-path cifrato (consenso → decrypt OK)' -Verdict 'INFO' -Detail (Mask-Secret $pw)
+        }
+        elseif (-not $r.success) {
+            Add-Result -Id 'FUNC' -Name 'Happy-path cifrato' -Verdict 'INFO' -Detail "error=$($r.error) (se hai cliccato NEGA, 'consent-denied' è atteso)"
+        }
+        else {
+            Add-Result -Id 'FUNC' -Name 'Happy-path cifrato' -Verdict 'INFO' -Detail "nonce assente: verificare cifratura"
+        }
+    }
+    catch { Add-Result -Id 'FUNC' -Name 'Happy-path cifrato' -Verdict 'ERROR' -Detail $_.Exception.Message }
+}
+
+# --- Fail-safe: comportamento a vault BLOCCATO -------------------------------
+if (-not $unlocked) {
+    try {
+        $r = Invoke-Ipc -Action 'get-all-credentials' -ClientId 'pk-locked'
+        if (-not $r.success -and $r.error -eq 'vault-locked') {
+            Add-Result -Id 'LOCK' -Name 'Fail-safe vault bloccato' -Verdict 'SECURE' -Detail "error=vault-locked"
+        } else {
+            Add-Result -Id 'LOCK' -Name 'Fail-safe vault bloccato' -Verdict 'VULNERABLE' -Detail "success=$($r.success) error=$($r.error)"
+        }
+    }
+    catch { Add-Result -Id 'LOCK' -Name 'Fail-safe vault bloccato' -Verdict 'ERROR' -Detail $_.Exception.Message }
+}
+
+# ─────────────────────────────────────────────────────────────────────────────
+# Riepilogo
+# ─────────────────────────────────────────────────────────────────────────────
+Write-Host "`n=== Riepilogo ===" -ForegroundColor Cyan
+$script:Results | Format-Table -AutoSize Id, Verdict, Name, Detail | Out-Host
+
+$vuln = @($script:Results | Where-Object Verdict -eq 'VULNERABLE')
+$err  = @($script:Results | Where-Object Verdict -eq 'ERROR')
+if ($vuln.Count -gt 0) {
+    Write-Host ("ATTENZIONE: {0} test VULNERABLE. Le falle NON sono chiuse." -f $vuln.Count) -ForegroundColor Red
+    exit 2
+} elseif ($err.Count -gt 0) {
+    Write-Host ("{0} errori di esecuzione: rivedere setup (app avviata? vault sbloccato?)." -f $err.Count) -ForegroundColor DarkYellow
+    exit 1
+} else {
+    Write-Host "Nessun test VULNERABLE. (Conferma manualmente il dialog SEC-03 e l'happy-path estensione.)" -ForegroundColor Green
+    exit 0
+}
diff --git a/src/PassKey.Desktop/Services/BrowserIpcService.cs b/src/PassKey.Desktop/Services/BrowserIpcService.cs
index 925ed73..a24d150 100644
--- a/src/PassKey.Desktop/Services/BrowserIpcService.cs
+++ b/src/PassKey.Desktop/Services/BrowserIpcService.cs
@@ -7,6 +7,9 @@
 using System.Text.Json;
 using PassKey.Core.Constants;
 using PassKey.Core.Services;
+using Microsoft.UI.Xaml;
+using Microsoft.UI.Xaml.Controls;
+using Microsoft.Windows.ApplicationModel.Resources;
 
 namespace PassKey.Desktop.Services;
 
@@ -50,9 +53,16 @@ internal sealed class BrowserIpcService : IBrowserIpcService
 
     private readonly IVaultStateService _vaultState;
     private readonly ICryptoService _crypto;
+    private readonly IDialogQueueService _dialogQueue;
+    private static readonly ResourceLoader Res = new();
     private readonly Dictionary<string, SessionInfo> _sessions = new();
     private readonly Lock _sessionsLock = new();
 
+    // SEC-03 user-consent cache: clientIds for which the user chose "remember for this session".
+    // Cleared on vault lock (OnVaultLocked) so consent never outlives an unlock session.
+    private readonly HashSet<string> _consentRemembered = new(StringComparer.Ordinal);
+    private readonly Lock _consentLock = new();
+
     private readonly Lock _unlockLock = new();
     private int _unlockFailedCount;
     private DateTime _unlockLockoutUntil = DateTime.MinValue;
@@ -70,10 +80,15 @@ internal sealed class BrowserIpcService : IBrowserIpcService
     /// </summary>
     /// <param name="vaultState">Vault state service for credential lookups and unlock operations.</param>
     /// <param name="crypto">Crypto service for AES-GCM encryption of password responses.</param>
-    public BrowserIpcService(IVaultStateService vaultState, ICryptoService crypto)
+    /// <param name="dialogQueue">Serial dialog pump used to show the SEC-03 user-consent prompt.</param>
+    public BrowserIpcService(IVaultStateService vaultState, ICryptoService crypto, IDialogQueueService dialogQueue)
     {
         _vaultState = vaultState;
         _crypto = crypto;
+        _dialogQueue = dialogQueue;
+
+        // SEC-03 + hardening: drop remembered consent AND all ECDH sessions when the vault locks.
+        _vaultState.VaultLocked += OnVaultLocked;
     }
 
     /// <summary>
@@ -227,30 +242,25 @@ internal async Task<string> ProcessMessageAsync(string requestJson)
         {
             IpcResponse response;
 
-            if (request.Action == "unlock-vault")
+            // Actions that may await a UI consent prompt (SEC-03) or the KDF (unlock) run async.
+            response = request.Action switch
             {
-                response = await HandleUnlockVaultAsync(request);
-            }
-            else
-            {
-                response = request.Action switch
+                "unlock-vault"            => await HandleUnlockVaultAsync(request),
+                "get-credential-password" => await HandleGetCredentialPasswordAsync(request),
+                "get-all-credentials"     => HandleGetAllCredentials(request),
+                "exchange-keys"           => HandleExchangeKeys(request),
+                "test-session"            => HandleTestSession(request),
+                "get-status"              => HandleGetStatus(request),
+                "get-credentials"         => HandleGetCredentials(request),
+                "show-window"             => HandleShowWindow(request),
+                _ => new IpcResponse
                 {
-                    "exchange-keys"          => HandleExchangeKeys(request),
-                    "test-session"           => HandleTestSession(request),
-                    "get-status"             => HandleGetStatus(request),
-                    "get-credentials"        => HandleGetCredentials(request),
-                    "get-credential-password"=> HandleGetCredentialPassword(request),
-                    "get-all-credentials"    => HandleGetAllCredentials(request),
-                    "show-window"            => HandleShowWindow(request),
-                    _ => new IpcResponse
-                    {
-                        Action = request.Action,
-                        RequestId = request.RequestId,
-                        Success = false,
-                        Error = "unknown-action"
-                    }
-                };
-            }
+                    Action = request.Action,
+                    RequestId = request.RequestId,
+                    Success = false,
+                    Error = "unknown-action"
+                }
+            };
 
             return SerializeResponse(response);
         }
@@ -325,7 +335,8 @@ private IpcResponse HandleExchangeKeys(IpcRequest request)
             var session = new SessionInfo
             {
                 SessionId = sessionId,
-                SessionKey = sessionKey
+                SessionKey = sessionKey,
+                ClientId = request.ClientId
             };
 
             lock (_sessionsLock)
@@ -484,7 +495,7 @@ private IpcResponse HandleGetCredentials(IpcRequest request)
     /// the password is returned Base64-encoded in plaintext (less secure fallback).
     /// Requires the vault to be unlocked.
     /// </summary>
-    private IpcResponse HandleGetCredentialPassword(IpcRequest request)
+    private async Task<IpcResponse> HandleGetCredentialPasswordAsync(IpcRequest request)
     {
         if (!_vaultState.IsUnlocked)
         {
@@ -516,17 +527,18 @@ private IpcResponse HandleGetCredentialPassword(IpcRequest request)
             };
         }
 
-        // Require a valid ECDH session BOUND to this request (by session ID). The password is
-        // always AES-GCM encrypted with that session's key — there is no plaintext fallback.
-        // A caller that hasn't completed exchange-keys (or whose session expired) is rejected,
-        // so the encrypted channel can never be bypassed by simply omitting the handshake.
+        // Require a valid ECDH session BOUND to this request — by session ID (SEC-01) AND by the
+        // exact ClientId that performed the handshake (SEC-02). The password is always AES-GCM
+        // encrypted with that session's key: there is no plaintext fallback, and a session
+        // established by one client cannot be reused by another even if its ID leaks.
         SessionInfo? session = null;
-        if (!string.IsNullOrEmpty(payload.SessionId))
+        if (!string.IsNullOrEmpty(payload.SessionId) && !string.IsNullOrEmpty(request.ClientId))
         {
             lock (_sessionsLock)
             {
                 if (_sessions.TryGetValue(payload.SessionId, out var s)
-                    && DateTime.UtcNow - s.CreatedAt < SessionTimeout)
+                    && DateTime.UtcNow - s.CreatedAt < SessionTimeout
+                    && string.Equals(s.ClientId, request.ClientId, StringComparison.Ordinal))
                 {
                     session = s;
                 }
@@ -540,7 +552,7 @@ private IpcResponse HandleGetCredentialPassword(IpcRequest request)
                 Action = request.Action,
                 RequestId = request.RequestId,
                 Success = false,
-                Error = "no-session"
+                Error = "ecdh-session-required"
             };
         }
 
@@ -556,6 +568,19 @@ private IpcResponse HandleGetCredentialPassword(IpcRequest request)
             };
         }
 
+        // SEC-03: explicit user consent before releasing a password (unless remembered this session).
+        var consentBody = string.Format(Res.GetString("IpcConsentBodyPassword"), entry.Title);
+        if (!await EnsureConsentAsync(request.ClientId, consentBody))
+        {
+            return new IpcResponse
+            {
+                Action = request.Action,
+                RequestId = request.RequestId,
+                Success = false,
+                Error = "consent-denied"
+            };
+        }
+
         var passwordBytes = Encoding.UTF8.GetBytes(entry.Password);
         var encryptedBlob = _crypto.Encrypt(passwordBytes, session.SessionKey);
         CryptographicOperations.ZeroMemory(passwordBytes);
@@ -651,9 +676,10 @@ private async Task<IpcResponse> HandleUnlockVaultAsync(IpcRequest request)
     }
 
     /// <summary>
-    /// Handles the <c>get-all-credentials</c> action: returns credential summaries for every
-    /// password entry in the vault, sorted alphabetically by title (case-insensitive).
-    /// Requires the vault to be unlocked.
+    /// Handles the <c>get-all-credentials</c> action: returns credential summaries (title +
+    /// username, NO passwords) for every entry, sorted alphabetically by title. Requires the vault
+    /// to be unlocked. No consent prompt here: this is metadata shown in the popup the user opened;
+    /// the SEC-03 consent gate applies only to <c>get-credential-password</c> (where a secret leaves).
     /// </summary>
     private IpcResponse HandleGetAllCredentials(IpcRequest request)
     {
@@ -811,14 +837,131 @@ private void PruneExpiredSessionsNoLock()
         }
     }
 
+    // ═══════════════════════════════════════════════════════════════
+    // SEC-03 — User consent
+    // ═══════════════════════════════════════════════════════════════
+
     /// <summary>
-    /// Cancels the server loop and zeros all active session keys before releasing resources.
+    /// Clears remembered consent and zeroes/removes every ECDH session when the vault locks,
+    /// so neither consent nor session keys outlive an unlock session.
+    /// </summary>
+    private void OnVaultLocked()
+    {
+        lock (_consentLock)
+        {
+            _consentRemembered.Clear();
+        }
+        lock (_sessionsLock)
+        {
+            foreach (var session in _sessions.Values)
+                CryptographicOperations.ZeroMemory(session.SessionKey);
+            _sessions.Clear();
+        }
+    }
+
+    /// <summary>
+    /// Returns true if the caller may receive sensitive data: either the <paramref name="clientId"/>
+    /// was already granted "remember for this session", or the user approves the consent prompt now.
+    /// A null/empty clientId always prompts and is never remembered.
+    /// </summary>
+    private async Task<bool> EnsureConsentAsync(string? clientId, string body)
+    {
+        var key = clientId ?? string.Empty;
+        if (key.Length > 0)
+        {
+            lock (_consentLock)
+            {
+                if (_consentRemembered.Contains(key)) return true;
+            }
+        }
+
+        var (granted, remember) = await RequestConsentAsync(body);
+        if (granted && remember && key.Length > 0)
+        {
+            lock (_consentLock)
+            {
+                _consentRemembered.Add(key);
+            }
+        }
+        return granted;
+    }
+
+    /// <summary>
+    /// Shows the SEC-03 consent <see cref="ContentDialog"/> (with a "remember for this session"
+    /// checkbox) on the UI thread and awaits the user's choice. Fails secure (denies) when no UI
+    /// is available. The default button is "Deny".
+    /// </summary>
+    private async Task<(bool granted, bool remember)> RequestConsentAsync(string body)
+    {
+        var dispatcher = App.MainWindow?.DispatcherQueue;
+        if (dispatcher is null) return (false, false); // fail-secure: cannot ask the user
+
+        var tcs = new TaskCompletionSource<(bool granted, bool remember)>();
+
+        var enqueued = dispatcher.TryEnqueue(() =>
+        {
+            try
+            {
+                // Capture the checkbox state via its events (which fire on the UI thread) into a
+                // plain bool. CRITICAL: never read a UI element (rememberBox.IsChecked) from the
+                // ContinueWith below — that runs on a thread-pool thread and accessing a WinUI
+                // object off the UI thread throws RPC_E_WRONG_THREAD, which would leave `tcs`
+                // never completed and DEADLOCK the IPC server awaiting the consent result.
+                var remember = false;
+                var rememberBox = new CheckBox { Content = Res.GetString("IpcConsentRemember") };
+                rememberBox.Checked   += (_, _) => remember = true;
+                rememberBox.Unchecked += (_, _) => remember = false;
+
+                var panel = new StackPanel { Spacing = 12 };
+                panel.Children.Add(new TextBlock { Text = body, TextWrapping = TextWrapping.WrapWholeWords });
+                panel.Children.Add(rememberBox);
+
+                _ = _dialogQueue.EnqueueAndWait(() =>
+                {
+                    var dialog = new ContentDialog
+                    {
+                        Title = Res.GetString("IpcConsentTitle"),
+                        Content = panel,
+                        PrimaryButtonText = Res.GetString("IpcConsentAllow"),
+                        CloseButtonText = Res.GetString("IpcConsentDeny"),
+                        DefaultButton = ContentDialogButton.Close, // default = Deny (fail-safe)
+                        XamlRoot = _dialogQueue.XamlRootAccessor?.Invoke(),
+                    };
+                    return dialog.ShowAsync().AsTask();
+                }).ContinueWith(t =>
+                {
+                    // Reads only plain values (dialog result enum + captured bool) → thread-safe.
+                    var granted = t.Status == TaskStatus.RanToCompletion && t.Result == ContentDialogResult.Primary;
+                    tcs.TrySetResult((granted, granted && remember));
+                }, TaskScheduler.Default);
+            }
+            catch (Exception ex)
+            {
+                System.Diagnostics.Debug.WriteLine($"[BrowserIpcService] consent dialog failed: {ex.Message}");
+                tcs.TrySetResult((false, false));
+            }
+        });
+
+        if (!enqueued) return (false, false); // fail-secure
+        return await tcs.Task;
+    }
+
+    /// <summary>
+    /// Cancels the server loop, unsubscribes from vault events, and zeros all active session keys
+    /// before releasing resources.
     /// </summary>
     public void Dispose()
     {
+        _vaultState.VaultLocked -= OnVaultLocked;
+
         _cts?.Cancel();
         _cts?.Dispose();
 
+        lock (_consentLock)
+        {
+            _consentRemembered.Clear();
+        }
+
         // Zero all session keys
         lock (_sessionsLock)
         {
diff --git a/src/PassKey.Desktop/Services/IpcModels.cs b/src/PassKey.Desktop/Services/IpcModels.cs
index f0ae838..f04c37c 100644
--- a/src/PassKey.Desktop/Services/IpcModels.cs
+++ b/src/PassKey.Desktop/Services/IpcModels.cs
@@ -133,6 +133,13 @@ internal sealed class SessionInfo
     /// <summary>Gets the 256-bit AES-GCM session key derived via ECDH + HKDF-SHA256.</summary>
     public required byte[] SessionKey { get; init; }
 
+    /// <summary>
+    /// Gets the client identifier (<c>chrome.runtime.id</c>) that performed this handshake.
+    /// Sensitive requests must present a matching <c>ClientId</c> (SEC-02): a session established
+    /// by one client cannot be reused by another, even if the session ID leaks.
+    /// </summary>
+    public string? ClientId { get; init; }
+
     /// <summary>Gets the UTC timestamp when this session was established.</summary>
     public DateTime CreatedAt { get; init; } = DateTime.UtcNow;
 }
diff --git a/src/PassKey.Desktop/Strings/de-DE/Resources.resw b/src/PassKey.Desktop/Strings/de-DE/Resources.resw
index 39d13e7..8d0a4e6 100644
--- a/src/PassKey.Desktop/Strings/de-DE/Resources.resw
+++ b/src/PassKey.Desktop/Strings/de-DE/Resources.resw
@@ -2475,4 +2475,22 @@ Moechten Sie diese Pruefung aktivieren?</value>
   <data name="CardPinBox.PlaceholderText" xml:space="preserve">
     <value>PIN</value>
   </data>
+  <data name="IpcConsentTitle" xml:space="preserve">
+    <value>Browser-Anfrage</value>
+  </data>
+  <data name="IpcConsentBodyPassword" xml:space="preserve">
+    <value>Eine Browser-Erweiterung hat das Passwort für „{0}“ angefordert. Möchten Sie den Zugriff zulassen?</value>
+  </data>
+  <data name="IpcConsentBodyAll" xml:space="preserve">
+    <value>Eine Browser-Erweiterung hat die Liste aller Ihrer Zugangsdaten angefordert. Möchten Sie den Zugriff zulassen?</value>
+  </data>
+  <data name="IpcConsentRemember" xml:space="preserve">
+    <value>Für diese Sitzung merken (bis der Tresor gesperrt wird)</value>
+  </data>
+  <data name="IpcConsentAllow" xml:space="preserve">
+    <value>Zulassen</value>
+  </data>
+  <data name="IpcConsentDeny" xml:space="preserve">
+    <value>Ablehnen</value>
+  </data>
 </root>
diff --git a/src/PassKey.Desktop/Strings/en-GB/Resources.resw b/src/PassKey.Desktop/Strings/en-GB/Resources.resw
index 058befb..367da5f 100644
--- a/src/PassKey.Desktop/Strings/en-GB/Resources.resw
+++ b/src/PassKey.Desktop/Strings/en-GB/Resources.resw
@@ -2465,4 +2465,22 @@ Do you want to enable this check?</value>
   <data name="CardPinBox.PlaceholderText" xml:space="preserve">
     <value>PIN</value>
   </data>
+  <data name="IpcConsentTitle" xml:space="preserve">
+    <value>Browser request</value>
+  </data>
+  <data name="IpcConsentBodyPassword" xml:space="preserve">
+    <value>A browser extension has requested the password for “{0}”. Do you want to allow access?</value>
+  </data>
+  <data name="IpcConsentBodyAll" xml:space="preserve">
+    <value>A browser extension has requested the list of all your credentials. Do you want to allow access?</value>
+  </data>
+  <data name="IpcConsentRemember" xml:space="preserve">
+    <value>Remember for this session (until the vault is locked)</value>
+  </data>
+  <data name="IpcConsentAllow" xml:space="preserve">
+    <value>Allow</value>
+  </data>
+  <data name="IpcConsentDeny" xml:space="preserve">
+    <value>Deny</value>
+  </data>
 </root>
diff --git a/src/PassKey.Desktop/Strings/es-ES/Resources.resw b/src/PassKey.Desktop/Strings/es-ES/Resources.resw
index 07a48ce..73f0435 100644
--- a/src/PassKey.Desktop/Strings/es-ES/Resources.resw
+++ b/src/PassKey.Desktop/Strings/es-ES/Resources.resw
@@ -2478,4 +2478,22 @@ Deseas activar esta verificacion?</value>
   <data name="CardPinBox.PlaceholderText" xml:space="preserve">
     <value>PIN</value>
   </data>
+  <data name="IpcConsentTitle" xml:space="preserve">
+    <value>Solicitud del navegador</value>
+  </data>
+  <data name="IpcConsentBodyPassword" xml:space="preserve">
+    <value>Una extensión del navegador ha solicitado la contraseña de «{0}». ¿Quieres permitir el acceso?</value>
+  </data>
+  <data name="IpcConsentBodyAll" xml:space="preserve">
+    <value>Una extensión del navegador ha solicitado la lista de todas tus credenciales. ¿Quieres permitir el acceso?</value>
+  </data>
+  <data name="IpcConsentRemember" xml:space="preserve">
+    <value>Recordar durante esta sesión (hasta que se bloquee el cofre)</value>
+  </data>
+  <data name="IpcConsentAllow" xml:space="preserve">
+    <value>Permitir</value>
+  </data>
+  <data name="IpcConsentDeny" xml:space="preserve">
+    <value>Denegar</value>
+  </data>
 </root>
diff --git a/src/PassKey.Desktop/Strings/fr-FR/Resources.resw b/src/PassKey.Desktop/Strings/fr-FR/Resources.resw
index 482de8d..78ef0f6 100644
--- a/src/PassKey.Desktop/Strings/fr-FR/Resources.resw
+++ b/src/PassKey.Desktop/Strings/fr-FR/Resources.resw
@@ -2477,4 +2477,22 @@ Voulez-vous activer cette verification ?</value>
   <data name="CardPinBox.PlaceholderText" xml:space="preserve">
     <value>PIN</value>
   </data>
+  <data name="IpcConsentTitle" xml:space="preserve">
+    <value>Demande du navigateur</value>
+  </data>
+  <data name="IpcConsentBodyPassword" xml:space="preserve">
+    <value>Une extension de navigateur a demandé le mot de passe de « {0} ». Voulez-vous autoriser l'accès ?</value>
+  </data>
+  <data name="IpcConsentBodyAll" xml:space="preserve">
+    <value>Une extension de navigateur a demandé la liste de tous vos identifiants. Voulez-vous autoriser l'accès ?</value>
+  </data>
+  <data name="IpcConsentRemember" xml:space="preserve">
+    <value>Mémoriser pour cette session (jusqu'au verrouillage du coffre)</value>
+  </data>
+  <data name="IpcConsentAllow" xml:space="preserve">
+    <value>Autoriser</value>
+  </data>
+  <data name="IpcConsentDeny" xml:space="preserve">
+    <value>Refuser</value>
+  </data>
 </root>
diff --git a/src/PassKey.Desktop/Strings/it-IT/Resources.resw b/src/PassKey.Desktop/Strings/it-IT/Resources.resw
index 7ebe004..73f5524 100644
--- a/src/PassKey.Desktop/Strings/it-IT/Resources.resw
+++ b/src/PassKey.Desktop/Strings/it-IT/Resources.resw
@@ -2478,4 +2478,22 @@ Vuoi attivare questa verifica?</value>
   <data name="CardPinBox.PlaceholderText" xml:space="preserve">
     <value>PIN</value>
   </data>
+  <data name="IpcConsentTitle" xml:space="preserve">
+    <value>Richiesta dal browser</value>
+  </data>
+  <data name="IpcConsentBodyPassword" xml:space="preserve">
+    <value>Un'estensione del browser ha richiesto la password di «{0}». Vuoi consentire l'accesso?</value>
+  </data>
+  <data name="IpcConsentBodyAll" xml:space="preserve">
+    <value>Un'estensione del browser ha richiesto l'elenco di tutte le tue credenziali. Vuoi consentire l'accesso?</value>
+  </data>
+  <data name="IpcConsentRemember" xml:space="preserve">
+    <value>Ricorda per questa sessione (fino al blocco del vault)</value>
+  </data>
+  <data name="IpcConsentAllow" xml:space="preserve">
+    <value>Consenti</value>
+  </data>
+  <data name="IpcConsentDeny" xml:space="preserve">
+    <value>Nega</value>
+  </data>
 </root>
diff --git a/src/PassKey.Desktop/Strings/pt-PT/Resources.resw b/src/PassKey.Desktop/Strings/pt-PT/Resources.resw
index df76b07..8c1ddea 100644
--- a/src/PassKey.Desktop/Strings/pt-PT/Resources.resw
+++ b/src/PassKey.Desktop/Strings/pt-PT/Resources.resw
@@ -2475,4 +2475,22 @@ Deseja ativar esta verificacao?</value>
   <data name="CardPinBox.PlaceholderText" xml:space="preserve">
     <value>PIN</value>
   </data>
+  <data name="IpcConsentTitle" xml:space="preserve">
+    <value>Pedido do navegador</value>
+  </data>
+  <data name="IpcConsentBodyPassword" xml:space="preserve">
+    <value>Uma extensão do navegador solicitou a palavra-passe de «{0}». Pretende permitir o acesso?</value>
+  </data>
+  <data name="IpcConsentBodyAll" xml:space="preserve">
+    <value>Uma extensão do navegador solicitou a lista de todas as suas credenciais. Pretende permitir o acesso?</value>
+  </data>
+  <data name="IpcConsentRemember" xml:space="preserve">
+    <value>Memorizar nesta sessão (até o cofre ser bloqueado)</value>
+  </data>
+  <data name="IpcConsentAllow" xml:space="preserve">
+    <value>Permitir</value>
+  </data>
+  <data name="IpcConsentDeny" xml:space="preserve">
+    <value>Recusar</value>
+  </data>
 </root>