| WS1 | Notifications subsystem + triggerstask, RSVP, chat mentions, schedule | done |
| WS2 | Payments: Qi + Stripe + plan enforcementidempotent webhooks, 402 caps | done |
| WS3 | Security hardeningrate-limit, headers, JWT, OTP, file signing | done |
| WS4 | Reports engine (One-Line/DOOD/breakdown)CSV + PDF | done |
| WS4 | StudioBinder parity: sides, mood boards, file reviewshare tokens, approvals | done |
| WS4 | Call-sheet delivery + per-recipient trackingverified live on prod | done |
| WS5 | Frontend integration of all new backend featuresmerged to main | done |
| WS5 | i18n: 143 in-code strings translated to AR/SVV4; not native-reviewed | done |
| WS-sheet | Budget: member-salary integration+ M3 fixes in V4 | done |
| WS-sheet | Market backend (catalog + submissions)dead submit endpoint wired | done |
| WS8 | Admin dashboard app (deployed)cinefolio-admin.pages.dev | done |
| WS6 | Status page + 12h auto-updatesthis page + launchd | done |
| WS7 | Tenant-isolation IDOR audit + fixesC1/H1/M1 closed | done |
| WS7 | Opus 4.8 audit + fixescritical billing bypass fixed | done |
| WS7 | Fable 5 production-readiness finaleREADY WITH CAVEATS | done |
| Scale | Multi-worker safety (H6/H7/OTP)request cache, revision guard, OTP in DB | done |
| PR | All batches merged to mainBE #23, FE #12 (V4) | done |
| Launch | Ops config (TRUSTED_PROXY_HOPS, storage)LAUNCH_CHECKLIST.md — your side | blocked |
| Scale | Shared (Redis) rate limiterper-worker today: looser, not incorrect | planned |
| CRIT | Billing webhook bypass (forged/unsigned) | fixed |
| C1 | Hardcoded OTP '123456' auth bypass | fixed |
| H1 | Unauthenticated file serving | fixed |
| HIGH | Rate-limiter XFF spoof + memory DoS | fixed |
| HIGH | CSV/formula injection in reports | fixed |
| B3 | Plan limits not enforced | fixed |
| M1 | Shot-reorder missing role check | fixed |
| M3 | Budget: lost actuals + unconverted salaries | fixed |
| — | Weak JWT secret / headers / OTP | fixed |
| B4 | Plain-HTTP origin + cookie flags (TLS) | fixed |