Delivered: 4 of 4 v1 backend requirements verified end-to-end against
rtm.thinx.cloud production deploy, plus services/console submodule
synced to its own v1.999 (sibling-project parallel-tag).

Key accomplishments (v1.0 milestone, this parent project):
- AUTH-API-01 — Restored unauthenticated POST /api/v2/password/reset 200
  response (Bearer-null guard + no-enumeration body normalization); Vue
  console Forgot-password round-trip verified
- SEC-PII-01 — Eliminated raw PII/credentials from lib/thinx/owner.js
  logs at 12+1 sites (Util.redactEmail / Util.redactToken); CouchDB
  audit-log writes redacted
- OPS-01 — Restored swarm-side autoredeploy on 188.166.23.244 (Rung 1
  force-restart of swarmpit_app); push-observe SLA 63s vs 300s target;
  runbook persisted at .planning/runbooks/swarm.md
- SEC-DEP-01 — Triaged 29 Dependabot alerts (7 blocker / 22 deferred);
  4 surgical package.json overrides edits in commit d8e3176c; runtime-
  tree npm audit high 9 to 0; merged to master + main

Cross-project: services/console submodule pointer bumped from 1a467f14
to 1264bd60 (= the console v1.999 tag commit).

Audit status: tech_debt (no blockers; intentionally-deferred v1.x
backlog + 1 process-debt artifact gap on phases 1-3 VERIFICATION.md).

See .planning/MILESTONES.md and .planning/milestones/v1.0-* for full
v1.0 details.