diff --git a/CHANGELOG.md b/CHANGELOG.md
index bcd9a1f..82d1298 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## [Unreleased]
+
+### What's Changed
+
+* fix: prevent fuzz-found panics on multi-byte input ([#513](https://github.com/everruns/bashkit/pull/513))
+
 ## [0.1.9] - 2026-03-04
 
 ### Highlights
diff --git a/README.md b/README.md
index 29ee094..c75eb61 100644
--- a/README.md
+++ b/README.md
@@ -15,6 +15,7 @@ Virtual bash interpreter for multi-tenant environments. Written in Rust.
 - **Virtual filesystem** - InMemoryFs, OverlayFs, MountableFs
 - **Resource limits** - Command count, loop iterations, function depth
 - **Network allowlist** - Control HTTP access per-domain
+- **Custom builtins** - Extend with domain-specific commands
 - **Async-first** - Built on tokio
 - **Experimental: Git support** - Virtual git operations on the virtual filesystem (`git` feature)
 - **Experimental: Python support** - Embedded Python interpreter via [Monty](https://github.com/pydantic/monty) (`python` feature)
@@ -88,7 +89,7 @@ async fn main() -> anyhow::Result<()> {
 - Variables and parameter expansion (`$VAR`, `${VAR:-default}`, `${#VAR}`)
 - Command substitution (`$(cmd)`)
 - Arithmetic expansion (`$((1 + 2))`)
-- Pipelines and redirections (`|`, `>`, `>>`, `<`, `<<<`)
+- Pipelines and redirections (`|`, `>`, `>>`, `<`, `<<<`, `2>&1`)
 - Control flow (`if`/`elif`/`else`, `for`, `while`, `case`)
 - Functions (POSIX and bash-style)
 - Arrays (`arr=(a b c)`, `${arr[@]}`, `${#arr[@]}`)
diff --git a/crates/bashkit/docs/compatibility.md b/crates/bashkit/docs/compatibility.md
index 311d1e2..4d7589a 100644
--- a/crates/bashkit/docs/compatibility.md
+++ b/crates/bashkit/docs/compatibility.md
@@ -19,22 +19,28 @@ for detailed compliance status. |----------------|--------| | Reserved Words (16) | Full compliance | | Special Parameters (8) | Full compliance | -| Special Built-ins (15) | 13/15 implemented | +| Special Built-ins (15) | 14/15 implemented | | Word Expansions | Substantial compliance | | Redirections | Full compliance | | Compound Commands | Full compliance | -**Security Exclusions**: `exec` and `trap` are intentionally not implemented +**Security Exclusions**: `exec` is intentionally not implemented for sandbox security reasons. See the compliance spec for details. ## Quick Status -| Category | Implemented | Planned | Total | -|----------|-------------|---------|-------| -| Shell Builtins | 85 | 0 | 85 | -| Text Processing | 14 | 0 | 14 | -| File Operations | 10 | 0 | 10 | -| Network | 2 | 0 | 2 | +| Category | Count | +|----------|-------| +| Core & Navigation | 12 | +| Flow Control & Variables | 21 | +| Shell | 7 | +| Text Processing | 20 | +| File Operations & Inspection | 17 | +| Archives & Byte Tools | 6 | +| Utilities & System | 20 | +| Network | 2 | +| Experimental | 3 | +| **Total** | **~106** | --- diff --git a/deny.toml b/deny.toml index 423aab4..f5e35da 100644 --- a/deny.toml +++ b/deny.toml @@ -37,6 +37,9 @@ ignore = [ # paste: transitive via bashkit-bench -> statrs -> nalgebra -> simba # No security impact; bench-only dependency "RUSTSEC-2024-0436", + # atomic-polyfill: transitive via monty -> postcard -> heapless + # Unmaintained but no security vulnerability; upstream dep we can't control + "RUSTSEC-2023-0089", ] [bans] diff --git a/specs/009-implementation-status.md b/specs/009-implementation-status.md index 452c108..944cb9b 100644 --- a/specs/009-implementation-status.md +++ b/specs/009-implementation-status.md 
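Review bot: The new `"RUSTSEC-2023-0089"` entry in the deny.toml `ignore` list is an open-ended suppression: nothing in the comment says when it should be removed or how far the unmaintained crate reaches. The README in this same diff describes Monty as the embedded Python interpreter behind the `python` feature, so the exposure is presumably limited to builds with that feature; that is worth stating if confirmed. I would extend the comment with something like `# Only pulled in via the python feature (confirm); drop this entry once monty/postcard no longer depend on atomic-polyfill`. The `ignore = [` array opens outside this hunk, so I cannot see whether other entries already follow a tracking convention.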
@@ -62,7 +62,7 @@ Bashkit implements IEEE 1003.1-2024 Shell Command Language. See
 |----------|--------|-------|
 | Reserved Words | Full | All 16 reserved words supported |
 | Special Parameters | Full | All 8 POSIX parameters supported |
-| Special Built-in Utilities | Substantial | 13/15 implemented (2 excluded) |
+| Special Built-in Utilities | Substantial | 14/15 implemented (1 excluded: exec) |
 | Regular Built-in Utilities | Full | Core set implemented |
 | Quoting | Full | All quoting mechanisms supported |
 | Word Expansions | Substantial | Most expansions supported |
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index 1a74df0..b5c0ad9 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -646,6 +646,10 @@ criteria = "safe-to-deploy"
 version = "0.2.182"
 criteria = "safe-to-deploy"
 
+[[exemptions.libc]]
+version = "0.2.183"
+criteria = "safe-to-deploy"
+
 [[exemptions.libm]]
 version = "0.2.16"
 criteria = "safe-to-deploy"
@@ -894,6 +898,10 @@ criteria = "safe-to-deploy"
 version = "0.11.13"
 criteria = "safe-to-deploy"
 
+[[exemptions.quinn-proto]]
+version = "0.11.14"
+criteria = "safe-to-deploy"
+
 [[exemptions.quinn-udp]]
 version = "0.5.14"
 criteria = "safe-to-deploy"
@@ -1174,6 +1182,10 @@ criteria = "safe-to-deploy"
 version = "0.6.2"
 criteria = "safe-to-deploy"
 
+[[exemptions.socket2]]
+version = "0.6.3"
+criteria = "safe-to-deploy"
+
 [[exemptions.spin]]
 version = "0.9.8"
 criteria = "safe-to-deploy"
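Review bot: The exemptions added in supply-chain/config.toml grant `safe-to-deploy` to new versions with no recorded audit, and the previous versions' exemptions are kept beside them. `libc` 0.2.182 sits next to 0.2.183 in the `@@ -646` hunk; the same pattern appears for `quinn-proto` (`@@ -894`), `socket2` (`@@ -1174`) and, in the `@@ -1738` hunk, `zerocopy`/`zerocopy-derive`, where 0.8.40, 0.8.41 and 0.8.42 are all exempt. If the older versions are no longer in the lockfile, `cargo vet prune` would remove them so the exemption list covers only what is actually built. For `zerocopy` (unsafe-heavy) and `quinn-proto` (network protocol handling), a delta audit or an imported audit would be a stronger basis than another exemption. If exemptions are kept, a short comment naming what pulled in the bump would help the next reviewer.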
@@ -1738,10 +1750,26 @@ criteria = "safe-to-deploy"
 version = "0.8.40"
 criteria = "safe-to-deploy"
 
+[[exemptions.zerocopy]]
+version = "0.8.41"
+criteria = "safe-to-deploy"
+
+[[exemptions.zerocopy]]
+version = "0.8.42"
+criteria = "safe-to-deploy"
+
 [[exemptions.zerocopy-derive]]
 version = "0.8.40"
 criteria = "safe-to-deploy"
 
+[[exemptions.zerocopy-derive]]
+version = "0.8.41"
+criteria = "safe-to-deploy"
+
+[[exemptions.zerocopy-derive]]
+version = "0.8.42"
+criteria = "safe-to-deploy"
+
 [[exemptions.zerofrom]]
 version = "0.1.6"
 criteria = "safe-to-deploy"