P1: One long-lived SQLAlchemy session is shared across Textual workers and the 3-second poller, creating concurrency and stale-state risk. P1: Missing session rows or stale harness rows can crash service methods instead of returning user-facing errors. P1: Database setup uses `Base.metadata.create_all` only, so existing user databases will not be migrated when schema changes. P2: Codex session-id capture is heuristic and can store the wrong rollout if another Codex session starts in the same project during the retry window. P2: tmux behavior is mostly tested with mocks; add isolated real-tmux smoke tests for theming, new windows, respawn, and labels. P2: Project paths are accepted without existence validation, so bad paths become dead sessions later instead of being rejected early.