docs: mark resolved items (auth hardening, crash-proofing, context allow-list, Yerin tools)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

docs/code-review-2026-06-01.md

@@ -6,6 +6,12 @@ audit pattern, clean tool registry, disciplined safe-DOM and SSRF handling. Item
 below are improvements, ordered by value. Severity ≠ urgency — most are "before
 scale / before more agents", not "broken now".
 
+> **Resolved 2026-06-02:** #1 (pool error handler), #2 (upsert-arm guard), #3
+> (`verifyToken` O(1) selector+verifier), and #7 (`context` column allow-list)
+> are **done** — see the security sweep doc + their tests. Remaining open: #4
+> (FTS index alignment — needs a prod `EXPLAIN`), #5 (dedupe bearer parsing), #6
+> (doc/code symbol drift).
+
 ## Correctness / robustness
 
 1. **`pool.js` has no error handler or statement timeout.** `lib/db/pool.js`