diff --git a/TODO.md b/TODO.md index 62473e5..99e1df0 100644 --- a/TODO.md +++ b/TODO.md @@ -1,27 +1,27 @@ # Code Hardening — Senior Dev Audit Fixes ## Phase 1: Quick Wins (safety + correctness) -- [ ] Cap API list limit at 200 -- [ ] Fix markdown XSS — add DOMPurify to sanitize marked output -- [ ] Add missing DB indexes (deleted_at, modified_at) via v4 migration -- [ ] Fix v2 migration error handling (swallowed ALTER TABLE errors) -- [ ] Fix ~/.nib directory permissions (0o755 → 0o700) +- [x] Cap API list limit at 200 +- [x] Fix markdown XSS — add DOMPurify to sanitize marked output +- [x] Add missing DB indexes (deleted_at, modified_at) via v4 migration +- [x] Fix v2 migration error handling (swallowed ALTER TABLE errors) +- [x] Fix ~/.nib directory permissions (0o755 → 0o700) ## Phase 2: CI Pipeline -- [ ] Gitea Actions workflow: test + lint on PR +- [x] Gitea Actions workflow: test + lint on PR ## Phase 3: context.Context in Store -- [ ] Thread context.Context through all Store methods -- [ ] Use context in API handlers (from r.Context()) -- [ ] Use context in CLI commands (cobra context) +- [x] Thread context.Context through all Store methods +- [x] Use context in API handlers (from r.Context()) +- [x] Use context in CLI commands (cobra context) ## Phase 4: cmd/ Tests -- [ ] Test add command -- [ ] Test ls command -- [ ] Test promote/demote commands -- [ ] Test delete command -- [ ] Test absorb command +- [x] Test add command +- [x] Test ls command +- [x] Test promote/demote commands +- [x] Test delete command +- [x] Test absorb command ## Phase 5: Backup/Export -- [ ] nib export — dump entities to JSON -- [ ] nib backup — safe SQLite backup (handles WAL) +- [x] nib export — dump entities to JSON +- [x] nib backup — safe SQLite backup (handles WAL)
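Review bot: All 16 items in Phases 1 through 5 flip from `[ ]` to `[x]` in this one TODO.md hunk, and nothing in the lines shown ties any item to the commit or test that implements it, so the checklist cannot be verified from this change alone. I suggest adding a commit hash or test name beside each item, starting with the two security fixes in Phase 1 (the markdown XSS item and the ~/.nib permissions item). For the permissions item, please also confirm that the fix tightens a ~/.nib directory that already exists at 0o755 on upgraded installs, not only directories created fresh at 0o700. For the markdown XSS item, confirm that a test feeds script-bearing markdown through the rendered output path, since the entry only says DOMPurify was added.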