diff --git a/.planning/REQUIREMENTS.md b/.planning/REQUIREMENTS.md
index de5595d..73f15d6 100644
--- a/.planning/REQUIREMENTS.md
+++ b/.planning/REQUIREMENTS.md
@@ -12,9 +12,9 @@
 - [x] **FMT-03**: Таблица файлов с метаданными: имя файла, original size, compressed size, encrypted size, offset, IV, HMAC
 - [x] **FMT-04**: Little-endian для всех multi-byte полей
 - [x] **FMT-05**: Спецификация формата как документ (до начала реализации)
-- [ ] **FMT-06**: XOR-обфускация заголовков с фиксированным ключом
-- [ ] **FMT-07**: Зашифрованная таблица файлов (отдельный IV)
-- [ ] **FMT-08**: Decoy padding (случайные данные между блоками)
+- [x] **FMT-06**: XOR-обфускация заголовков с фиксированным ключом
+- [x] **FMT-07**: Зашифрованная таблица файлов (отдельный IV)
+- [x] **FMT-08**: Decoy padding (случайные данные между блоками)
 
 ### Encryption (Шифрование)
 
@@ -98,9 +98,9 @@
 | FMT-03 | Phase 2 | Complete |
 | FMT-04 | Phase 2 | Complete |
 | FMT-05 | Phase 1 | Complete |
-| FMT-06 | Phase 6 | Pending |
-| FMT-07 | Phase 6 | Pending |
-| FMT-08 | Phase 6 | Pending |
+| FMT-06 | Phase 6 | Complete |
+| FMT-07 | Phase 6 | Complete |
+| FMT-08 | Phase 6 | Complete |
 | ENC-01 | Phase 2 | Complete |
 | ENC-02 | Phase 2 | Complete |
 | ENC-03 | Phase 2 | Complete |
diff --git a/.planning/STATE.md b/.planning/STATE.md
index 6174e29..945da5c 100644
--- a/.planning/STATE.md
+++ b/.planning/STATE.md
@@ -5,23 +5,23 @@
 See: .planning/PROJECT.md (updated 2026-02-24)
 
 **Core value:** Archive impossible to unpack without knowing the format -- standard tools (7z, tar, unzip, binwalk) cannot recognize or extract contents
-**Current focus:** Phase 5 complete (Shell Decoder). Ready for Phase 6.
+**Current focus:** Phase 6 in progress (Obfuscation Hardening). Plan 1 of 2 complete.
 
 ## Current Position
 
-Phase: 5 of 6 (Shell Decoder) -- COMPLETE
-Plan: 2 of 2 in current phase (all done)
-Status: Phase 5 complete -- both decoder and cross-validation tests done
-Last activity: 2026-02-25 -- Cross-validation tests for shell decoder (shell/test_decoder.sh)
+Phase: 6 of 6 (Obfuscation Hardening)
+Plan: 1 of 2 in current phase
+Status: Plan 06-01 complete -- Rust archiver obfuscation pipeline implemented
+Last activity: 2026-02-25 -- XOR headers, encrypted TOC, decoy padding in Rust archiver
 
-Progress: [████████░░] 80%
+Progress: [█████████░] 90%
 
 ## Performance Metrics
 
 **Velocity:**
-- Total plans completed: 8
-- Average duration: 3.9 min
-- Total execution time: 0.5 hours
+- Total plans completed: 9
+- Average duration: 3.8 min
+- Total execution time: 0.6 hours
 
 **By Phase:**
 
@@ -32,9 +32,10 @@ Progress: [████████░░] 80%
 | 3. Round-Trip Verification | 2/2 | 8 min | 4 min |
 | 4. Kotlin Decoder | 1/1 | 4 min | 4 min |
 | 5. Shell Decoder | 2/2 | 5 min | 2.5 min |
+| 6. Obfuscation Hardening | 1/2 | 3 min | 3 min |
 
 **Recent Trend:**
-- Last 5 plans: 3min, 5min, 4min, 3min, 2min
+- Last 5 plans: 5min, 4min, 3min, 2min, 3min
 - Trend: stable
 
 *Updated after each plan completion*
@@ -74,6 +75,10 @@ Recent decisions affecting current work:
 - Phase 5: LC_ALL=C for predictable byte handling across locales
 - Phase 5: All 6 cross-validation tests passed on first run -- decode.sh was correct as written
 - Phase 5: Used sh (not bash) to invoke decode.sh in tests for POSIX compatibility validation
+- Phase 6: Always enable all 3 obfuscation features (no --no-obfuscate flag in v1)
+- Phase 6: Decoy padding range 64-4096 bytes per file (FORMAT.md allows up to 65535)
+- Phase 6: Shared read_archive_metadata() helper for unpack/inspect de-obfuscation
+- Phase 6: Two-pass TOC serialization for correct data_offsets with encrypted TOC size
 
 ### Pending Todos
 
@@ -88,5 +93,5 @@ None yet.
 ## Session Continuity
 
 Last session: 2026-02-25
-Stopped at: Completed 05-02-PLAN.md (Shell decoder cross-validation tests; Phase 5 complete)
+Stopped at: Completed 06-01-PLAN.md (Rust obfuscation pipeline -- XOR headers, encrypted TOC, decoy padding)
 Resume file: None
diff --git a/.planning/phases/06-obfuscation-hardening/06-01-SUMMARY.md b/.planning/phases/06-obfuscation-hardening/06-01-SUMMARY.md
new file mode 100644
index 0000000..47cc112
--- /dev/null
+++ b/.planning/phases/06-obfuscation-hardening/06-01-SUMMARY.md
@@ -0,0 +1,110 @@
+---
+phase: 06-obfuscation-hardening
+plan: 01
+subsystem: crypto
+tags: [xor, aes-256-cbc, obfuscation, binary-format, padding]
+
+# Dependency graph
+requires:
+  - phase: 02-core-archiver
+    provides: pack/unpack/inspect pipeline with AES-256-CBC encryption
+  - phase: 03-round-trip-verification
+    provides: unit tests, golden vectors, integration tests
+provides:
+  - XOR header obfuscation with cyclic 8-byte key
+  - AES-256-CBC encrypted TOC with random toc_iv
+  - Decoy random padding (64-4096 bytes) between data blocks
+  - XOR bootstrapping auto-detection (plain vs obfuscated headers)
+  - Buffer-based header/TOC serialization helpers
+affects: [06-02 (Kotlin/Shell decoder updates), cross-validation tests]
+
+# Tech tracking
+tech-stack:
+  added: []
+  patterns: [xor-header-obfuscation, toc-encryption, decoy-padding, read_archive_metadata-helper]
+
+key-files:
+  created: []
+  modified:
+    - src/format.rs
+    - src/archive.rs
+
+key-decisions:
+  - "Always enable all 3 obfuscation features (no --no-obfuscate flag in v1)"
+  - "Decoy padding range 64-4096 bytes per file (FORMAT.md allows up to 65535)"
+  - "Shared read_archive_metadata() helper for unpack/inspect de-obfuscation"
+  - "Two-pass TOC serialization: first pass for size, second with correct data_offsets"
+
+patterns-established:
+  - "XOR bootstrapping: check magic first, attempt XOR de-obfuscation on mismatch"
+  - "Buffer-based serialization: write_header_to_buf() and serialize_toc() for encryption pipeline"
+  - "read_archive_metadata() as shared de-obfuscation entry point"
+
+requirements-completed: [FMT-06, FMT-07, FMT-08]
+
+# Metrics
+duration: 3min
+completed: 2026-02-25
+---
+
+# Phase 6 Plan 1: Rust Obfuscation Pipeline Summary
+
+**XOR-obfuscated headers, AES-encrypted TOC, and random decoy padding in Rust archiver with full backward-compatible decode**
+
+## Performance
+
+- **Duration:** 3 min
+- **Started:** 2026-02-24T23:16:21Z
+- **Completed:** 2026-02-24T23:20:06Z
+- **Tasks:** 2/2
+- **Files modified:** 2
+
+## Accomplishments
+- Archives are completely unrecognizable: no magic bytes, no plaintext filenames, no detectable structure
+- Flags byte is 0x0F when compression + all 3 obfuscation features are active
+- All 38 existing tests pass (25 unit + 7 golden + 6 round-trip integration) -- zero failures
+- XOR bootstrapping allows transparent detection of both plain and obfuscated headers
+
+## Task Commits
+
+Each task was committed atomically:
+
+1. **Task 1: Add XOR header obfuscation and TOC encryption to format.rs** - `8ac2512` (feat)
+2. **Task 2: Update pack/unpack/inspect with full obfuscation pipeline** - `b6fa51d` (feat)
+
+## Files Created/Modified
+- `src/format.rs` - Added XOR_KEY constant, xor_header_buf(), write_header_to_buf(), read_header_auto() with XOR bootstrapping, serialize_toc(), read_toc_from_buf(), parse_header_from_buf(), plus 6 new unit tests
+- `src/archive.rs` - Updated pack() with TOC encryption + decoy padding + XOR header; updated unpack()/inspect() with shared read_archive_metadata() de-obfuscation helper
+
+## Decisions Made
+- Always enable all 3 obfuscation features in pack() -- no opt-out flag in v1 (the whole point is hardening)
+- Decoy padding range 64-4096 bytes per file -- meaningful noise without significant size inflation
+- Two-pass TOC serialization approach: first serialize with placeholder offsets to determine encrypted TOC size, then re-serialize with correct data_offsets and re-encrypt (encrypted size is identical because plaintext length is unchanged)
+- Shared read_archive_metadata() function factored out for both unpack() and inspect() to avoid code duplication
+
+## Deviations from Plan
+
+None - plan executed exactly as written.
+
+## Issues Encountered
+None
+
+## User Setup Required
+None - no external service configuration required.
+
+## Next Phase Readiness
+- Rust archiver produces fully obfuscated archives; decoders will use same de-obfuscation patterns
+- Plan 06-02 should update Kotlin ArchiveDecoder.kt and Shell decode.sh to handle XOR headers, encrypted TOC, and padding_after > 0
+- Cross-validation tests should confirm byte-identical extraction across all three decoders
+
+## Self-Check: PASSED
+
+- FOUND: src/format.rs
+- FOUND: src/archive.rs
+- FOUND: 06-01-SUMMARY.md
+- FOUND: commit 8ac2512
+- FOUND: commit b6fa51d
+
+---
+*Phase: 06-obfuscation-hardening*
+*Completed: 2026-02-25*