diff --git a/documentation/PROJECT__AE_Site_Passcode_Security.md b/documentation/PROJECT__AE_Site_Passcode_Security.md index 0bfddc8f..b6dea669 100644 --- a/documentation/PROJECT__AE_Site_Passcode_Security.md +++ b/documentation/PROJECT__AE_Site_Passcode_Security.md @@ -81,6 +81,10 @@ This gives session expiry without a network call on every page load. ## Backend Changes Required +**Note:** The backend fixes described below have been implemented and tested in the `aether_api_fastapi` repository (the `/authenticate_passcode` endpoint now uses explicit role priority, returns a full passcode JWT with `auth_type: 'passcode'`, applies per-role TTLs, and validates passcode length). Frontend changes can proceed once the backend deployment with these fixes is available. + +**Phase 2 status:** Not started — removing `access_code_kv_json` from the public site model remains pending. + **File:** `aether_api_fastapi/app/routers/api.py` The `/authenticate_passcode` endpoint exists and is structurally correct but has four issues that must be fixed before the frontend migrates to using it.
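Review bot: The new note says the four backend issues have been implemented and tested, but the unchanged context right below it still states the endpoint "has four issues that must be fixed before the frontend migrates", so the section now contradicts itself. Suggest rewording that sentence in the same change (for example "had four issues, now fixed as described below") or marking each issue in the list as resolved, and citing where the fix landed (commit or PR id, to be filled in) so a reader can verify the "implemented and tested" claim rather than take it on trust. Minor: the note's "Frontend changes can proceed once the backend deployment with these fixes is available" leaves the gating condition unverifiable; naming the deployed backend version or environment that carries the fix would make it actionable.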