docs: mark resolved items (auth hardening, crash-proofing, context allow-list, Yerin tools)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

docs/security-sweep-2026-06-01.md

@@ -21,7 +21,15 @@ length mismatch). Both auth paths now use it. Tests: `tests/auth/safe_compare.te
 
 ---
 
-## 🔧 HIGH — `verifyToken` does an O(n) bcrypt scan over every token
+## ✅ FIXED (2026-06-02) — `verifyToken` O(n) bcrypt scan
+Resolved via the selector+verifier split (migration `010_token_selector.sql`).
+New tokens are `vk_<selector>.<verifier>`: the non-secret `selector` is indexed
+and locates exactly one row (O(1)); only the `verifier` is bcrypt-hashed. Legacy
+NULL-selector tokens still verify via a fallback scan over the shrinking legacy
+set. Dropped the useless `idx_agent_tokens_hash`. Tests:
+`tests/repos/token_selector.test.js`. Original finding below.
+
+## 🔧 ~~HIGH~~ — `verifyToken` does an O(n) bcrypt scan over every token
 `lib/db/repos/agents.js::verifyToken` loads **all** non-revoked agent tokens and
 runs `bcrypt.compare` against each (cost factor 12 ≈ 250 ms/compare).
 
@@ -62,12 +70,11 @@ server's own needs) rather than the whole environment.
 
 ---
 
-## ℹ️ LOW — `context` tool returns `SELECT *` of the active entity
-`lib/ai/agent/tools/context.js` returns every column of the active row to the
-agent. For `resources` that includes `monitoring`/`metadata` JSON, which may hold
-connection hints or `vault_path` pointers. Not a secret-value leak today (the
-resolver keeps values out of the row), but project a column allow-list before
-Yerin (or any future agent) queries resource rows broadly.
+## ✅ FIXED (2026-06-02) — `context` tool `SELECT *` of the active entity
+`lib/ai/agent/tools/context.js` now projects a `SAFE_COLUMNS` allow-list for
+`resources` (scalar fields only — never the `monitoring`/`metadata` JSON blobs).
+Also added `resource` to the tool's `TABLE` map (it was previously unhandled).
+Test in `tests/ai/agent/tools/context.test.js`.
 
 ---