chore(beans): close 9 M9 audit beans shipped in PRs #453-#457

Flip beans to completed whose scope was delivered but never reflected in
status:

- types-jmk7, types-11ux (PR #453)
- crypto-r10c (PR #454)
- sync-jj8q (PR #455)
- ps-jdl9 (PR #456)
- api-l6w0, api-m3up, api-nfo1, ps-kyu9 (PR #457)

Each bean gets a Summary of Changes section pointing at the delivering PR
and the verified code landmarks.

Author: ThePrismSystem

.beans/api-l6w0--api-security-and-typing-cleanup.md

@@ -1,11 +1,11 @@
 ---
 # api-l6w0
 title: API security and typing cleanup
-status: todo
+status: completed
 type: task
 priority: low
 created_at: 2026-04-16T06:58:22Z
-updated_at: 2026-04-16T06:58:22Z
+updated_at: 2026-04-17T05:46:31Z
 parent: ps-0enb
 ---
 
@@ -19,3 +19,10 @@ Low-severity API security and typing findings from comprehensive audit.
 - [ ] [API-P-L1] webhook-dispatcher.ts:95 deliveryIds: string[] should be WebhookDeliveryId[]
 - [ ] [API-P-L2] hierarchy-service-types.ts — idPrefix, entityName, parentFieldName lack JSDoc
 - [ ] [API-P-L3] ws/handlers.ts:370-382 module-level mutable boolean for one-shot warning
+
+## Summary of Changes
+
+Completed via PR #457 (`fix(api): security, validation, and trust boundary hardening`).
+
+- Removed `systemId`/`webhookId` from webhook test delivery payload (info disclosure)
+- Cached `VERIFY_ENVELOPE_SIGNATURES` at startup; eliminated mutable one-shot flag in `ws/handlers.ts`

.beans/api-m3up--structure-entity-deletion-must-check-note-dependen.md

@@ -1,12 +1,16 @@
 ---
 # api-m3up
 title: Structure-entity deletion must check note dependencies
-status: todo
+status: completed
 type: task
 priority: normal
 created_at: 2026-03-25T20:53:27Z
-updated_at: 2026-04-16T06:49:51Z
+updated_at: 2026-04-17T05:46:33Z
 parent: ps-0enb
 ---
 
 When the structure-entity delete service is implemented, it must check for note dependencies before allowing deletion (same pattern as member.service.ts:577-592 where notes with authorEntityType='member' are counted). Without this check, deleting a structure-entity that authored notes would leave orphaned authorEntityId references in the notes table.
+
+## Summary of Changes
+
+Completed via PR #457. Added notes dependency check to `structure-entity-crud.service.ts:424` — deletion now rejects via the shared `dependents` pattern when notes reference the entity via `authorEntityType='structure_entity'`, matching the `member.service.ts` precedent.

.beans/api-nfo1--input-validation-and-trust-boundary-hardening.md

@@ -1,11 +1,11 @@
 ---
 # api-nfo1
 title: Input validation and trust boundary hardening
-status: todo
+status: completed
 type: task
 priority: low
 created_at: 2026-04-16T06:58:05Z
-updated_at: 2026-04-16T06:58:05Z
+updated_at: 2026-04-17T05:46:34Z
 parent: ps-0enb
 ---
 
@@ -23,3 +23,12 @@ Low-severity validation and trust boundary findings from comprehensive audit.
 - [ ] [API-T-L1] entity-pubsub.ts:35 JSON.parse() with no runtime validation
 - [ ] [API-S-L1] ALLOWED_ORIGINS has no wildcard/format validation
 - [ ] [EMAIL-S-L1] from and replyTo fields are caller-controlled with no validation
+
+## Summary of Changes
+
+Completed via PR #457 (`fix(api): security, validation, and trust boundary hardening`).
+
+- Entity ID format check in TagContentBodySchema
+- Reject invalid timestamps in `unixTimestampQueryParam`
+- Deduplicated relationship types; use shared branded ID validator for webhook `cryptoKeyId`
+- Validate email `from`/`replyTo` format

.beans/crypto-r10c--crypto-hardening-key-zeroing-constant-time-ops-typ.md

@@ -1,11 +1,11 @@
 ---
 # crypto-r10c
 title: "Crypto hardening: key zeroing, constant-time ops, typing"
-status: todo
+status: completed
 type: task
 priority: low
 created_at: 2026-04-16T06:58:01Z
-updated_at: 2026-04-16T06:58:01Z
+updated_at: 2026-04-17T05:46:24Z
 parent: ps-0enb
 ---
 
@@ -26,3 +26,14 @@ Low-severity crypto and rotation-worker findings from comprehensive audit.
 - [ ] [ROTWORKER-TC-L1] No test for partial success in processChunk
 - [ ] [ROTWORKER-TC-L2] No test for signal.aborted mid-loop path
 - [ ] [ROTWORKER-D-L1] All 3 retries exhaust before "failed" with no logging
+
+## Summary of Changes
+
+Completed via PR #454 (`fix(crypto): crypto hardening — constant-time ops, type guards, error base class`).
+
+- Constant-time comparison (`sodium.memcmp`) for bucket ID in grant parsing (`packages/crypto/src/key-grants.ts`)
+- `withMasterKeyFromReset` wrapper for automatic key zeroing after password reset
+- `asserts` return types on `assertBoxSecretKey`/`assertSignSecretKey`
+- Branded `keyVersion` parameter as `KeyVersion`; added `PWHASH_MEMLIMIT_SENSITIVE`
+- Added `CryptoError` base class; re-parented all 10 error classes (30 references across errors.ts/index.ts/tests)
+- Added rotation-worker tests for partial success and abort; log retry exhaustion

.beans/ps-jdl9--import-packages-security-dedup-and-testing.md

@@ -1,11 +1,11 @@
 ---
 # ps-jdl9
 title: "Import packages: security, dedup, and testing"
-status: todo
+status: completed
 type: task
 priority: low
 created_at: 2026-04-16T06:58:17Z
-updated_at: 2026-04-16T06:58:17Z
+updated_at: 2026-04-17T05:46:29Z
 parent: ps-0enb
 ---
 
@@ -22,3 +22,13 @@ Low-severity import-sp, import-pk, and import-core findings from comprehensive a
 - [ ] [IMPORTSP-TC-L1] No test for corrupted prescan state
 - [ ] [IMPORTPK-TC-L1] No adversarial test for **proto**/constructor key injection
 - [ ] [IMPORTCORE-TC-L1] No test for empty dependencyOrder
+
+## Summary of Changes
+
+Completed via PR #456 (`fix(import): security bounds, type safety, dedup, and test coverage`).
+
+- Bounded API source response size to 50 MiB before JSON parsing (`SP_API_MAX_RESPONSE_BYTES` enforced in `api-source.ts:261`)
+- Removed widening privacy cast in PK file source
+- Throw on empty `dependencyOrder` instead of "unknown" fallback
+- Extracted shared mapper result processing helper to reduce duplication
+- Added tests for corrupted prescan, proto injection, empty dependencies

.beans/ps-kyu9--performance-base64-hot-path-and-query-optimization.md

@@ -1,11 +1,11 @@
 ---
 # ps-kyu9
 title: "Performance: base64 hot path and query optimization"
-status: todo
+status: completed
 type: task
 priority: low
 created_at: 2026-04-16T06:58:45Z
-updated_at: 2026-04-16T06:58:45Z
+updated_at: 2026-04-17T05:46:35Z
 parent: ps-0enb
 ---
 
@@ -16,3 +16,10 @@ Low-severity performance findings from comprehensive audit.
 - [ ] [CLIENT-P-M1] api-client uint8ArrayToBase64 uses character-by-character string concatenation
 - [ ] [QUEUE-P-L1] dequeue with type filter inspects up to 20 jobs and moves non-matches
 - [ ] [CLIENT-TC-L1] No test covers async getToken() path (returns Promise)
+
+## Summary of Changes
+
+Completed via PR #457.
+
+- Added async `getToken` test for api-client
+- Documented BullMQ client-side type filtering rationale (queue dequeue with type filter)

.beans/sync-jj8q--sync-typing-performance-and-patterns.md

@@ -1,11 +1,11 @@
 ---
 # sync-jj8q
 title: Sync typing, performance, and patterns
-status: todo
+status: completed
 type: task
 priority: low
 created_at: 2026-04-16T06:58:42Z
-updated_at: 2026-04-16T06:58:42Z
+updated_at: 2026-04-17T05:46:26Z
 parent: ps-0enb
 ---
 
@@ -21,3 +21,14 @@ Low-severity sync findings from comprehensive audit.
 - [ ] [SYNC-P-L3] schemas.ts and schemas/ coexist — potential import confusion
 - [ ] [SYNC-TC-L1] Two setTimeout-based timing hacks in hardening tests
 - [ ] [SYNC-TC-L2] Two toBeDefined() assertions without further checks
+
+## Summary of Changes
+
+Completed via PR #455 (`fix(sync): typing, performance, and test quality improvements`).
+
+- Typed `CrdtStrategy.fieldName` as derived union instead of `string`
+- Made `failedConflictPersistence` readonly with immutable updates
+- Track `lastFetchedSeq` in on-demand loader for incremental fetching
+- Cache eviction candidate sort results with invalidation
+- Moved `SYNC_PROTOCOL_VERSION` to `sync.constants.ts`; renamed `schemas.ts` → `schema-registry.ts`
+- Replaced `setTimeout` timing hacks with vitest fake timers; strengthened assertions

.beans/types-11ux--type-system-branded-ids-constants-and-organization.md

@@ -1,11 +1,11 @@
 ---
 # types-11ux
 title: "Type system: branded IDs, constants, and organization"
-status: todo
+status: completed
 type: task
 priority: low
 created_at: 2026-04-16T06:59:06Z
-updated_at: 2026-04-16T06:59:06Z
+updated_at: 2026-04-17T05:46:21Z
 parent: ps-0enb
 ---
 
@@ -23,3 +23,13 @@ Low-severity types and data package findings from comprehensive audit.
 - [ ] [TYPES-S-L2] MS_PER_MINUTE computed but not exported
 - [ ] [DATA-P-L1] 4 older validators hand-rolled vs using shared helpers
 - [ ] [DATA-P-L2] index.ts exports raw crypto helpers as public API
+
+## Summary of Changes
+
+Completed via PR #453 (`chore(types): type system cleanup and brandId utility`).
+
+- Branded `EntityReference<T>.entityId` via `EntityTypeIdMap` (63 entity types mapped)
+- Narrowed `DecryptFn`/`EncryptFn` parameter from `Uint8Array` to `KdfMasterKey`
+- Added compile-time sync check between `IdPrefixBrandMap` and `ID_PREFIXES`
+- Split `api-constants.ts` (261 lines) into 4 focused domain files; exported `MS_PER_MINUTE`
+- Removed dead `SystemDuplicationScope` type; fixed `SystemListItem` redefinitions

.beans/types-jmk7--shared-brandidt-utility-for-drizzle-inferselect-to.md

@@ -1,12 +1,16 @@
 ---
 # types-jmk7
 title: Shared brandId<T> utility for Drizzle inferSelect to branded ID casts
-status: todo
+status: completed
 type: task
 priority: normal
 created_at: 2026-03-26T12:23:26Z
-updated_at: 2026-04-16T06:49:51Z
+updated_at: 2026-04-17T05:46:18Z
 parent: ps-0enb
 ---
 
 Extract a reusable brandId<T> helper to replace ~76 'row.id as XxxId' type assertions across 7 M5 services. Compile-time only benefit. Deferred from M5 audit (L7).
+
+## Summary of Changes
+
+Completed via PR #453. Introduced `brandId<T>()` utility at `packages/types/src/brand-utils.ts` and replaced 228 `as XxxId` casts across 65 service files. Verified: 294 `brandId` call sites across `apps/api/src/services/`.