path: root/FIXES_AND_RECOMMENDATIONS.md
Diffstat (limited to 'FIXES_AND_RECOMMENDATIONS.md')
-rw-r--r--FIXES_AND_RECOMMENDATIONS.md6
1 files changed, 3 insertions, 3 deletions
diff --git a/FIXES_AND_RECOMMENDATIONS.md b/FIXES_AND_RECOMMENDATIONS.md
index f0e639d..7eb15e1 100644
--- a/FIXES_AND_RECOMMENDATIONS.md
+++ b/FIXES_AND_RECOMMENDATIONS.md
@@ -41,7 +41,7 @@ This note captures all fixes and changes identified during the codebase analysis
## P2: Security Hardening
-- [ ] Reduce service-role usage in user-facing API handlers where not required.
+- [x] Reduce service-role usage in user-facing API handlers where not required.
- Problem: several authenticated routes use `createSupabaseAdminClient()` when user-scoped RLS would be safer.
- Files (examples):
- `apps/web/app/api/v1/feeds/route.ts`
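Review bot: the checkbox on the `Reduce service-role usage` item is flipped to done, but the hunk leaves the `Problem` and `Files (examples)` lines unchanged, so the note still reads as if the listed routes call `createSupabaseAdminClient()`. Either record which of the example files now use `createSupabaseServerClient()` + RLS and which (if any) legitimately keep the service role for admin-only operations, or reference the commit that made the change, so a reader can tell the item was closed by code rather than by editing the checklist.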
@@ -51,7 +51,7 @@ This note captures all fixes and changes identified during the codebase analysis
- `apps/web/app/api/v1/folders/route.ts`
- Action: prefer `createSupabaseServerClient()` + RLS for read paths; keep service role only for admin-only operations.
-- [ ] Harden webhook URL validation in web app paths to match worker-grade SSRF protections.
+- [x] Harden webhook URL validation in web app paths to match worker-grade SSRF protections.
- Problem: `webhook-config` checks are hostname-string based; test webhook route performs outbound fetches.
- Files:
- `apps/web/app/api/webhook-config/route.ts`
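Review bot: marking the webhook URL validation item as done while the `Problem` line still says the `webhook-config` checks are "hostname-string based" is contradictory; a hostname string check does not reach "worker-grade SSRF protections" on its own. Update the `Problem` line (or add a `Resolution` line) stating what the web app paths now validate against, so it is clear that both `apps/web/app/api/webhook-config/route.ts` and the test webhook route that performs outbound fetches were covered, not only the config route.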
@@ -60,7 +60,7 @@ This note captures all fixes and changes identified during the codebase analysis
## P2: Data/Business Logic Consistency
-- [ ] Keep tier limits in one source of truth and verify parity between TS constants and SQL triggers/functions.
+- [x] Keep tier limits in one source of truth and verify parity between TS constants and SQL triggers/functions.
- Files:
- `packages/shared/source/index.ts`
- `supabase/schema.sql`
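Review bot: the tier-limit parity item is closed without saying how parity between the TS constants in `packages/shared/source/index.ts` and the SQL triggers/functions in `supabase/schema.sql` is now verified. If the fix was to consolidate to one source, name which file is now authoritative; if it was a check, note whether an automated test enforces the parity, since without one the two copies will drift again and this item will silently reopen.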