docs: audit and archive completed Journals and Badges projects

documentation/TODO__Agents.md

@@ -72,6 +72,16 @@ wrong to users.
 - [x] **[Badges] Epson C3500 fanfold badge layout** — `badge_4x6_fanfold` layout CSS created,
   wired, and documented. First live use: Axonius Adapt DC, June 9, 2026. (2026-05-15)
 
+### Badges follow-ups
+
+- [ ] **[Badges] Implement review-link email delivery** — current Email Link actions only show
+  placeholder alerts. Send to `event_badge.email`, never the attendee-editable `email_override`.
+- [ ] **[Badges] Unify review and kiosk edit permissions** — remote review reads
+  `event.mod_badges_json.edit_permissions`; print controls read template `cfg_json.controls_cfg`.
+  Define precedence or consolidate them so both flows enforce one documented policy.
+- [ ] **[Badges] Use template badge types in search filter** — replace the hardcoded badge-type
+  list in `ae_comp__badge_search.svelte` with the active template's `badge_type_list`.
+
 ---
 
 ## 🚧 V3 CRUD Migration (Surgical Cleanup)
@@ -85,6 +95,19 @@ Finalizing the 100% adoption of V3 Standard endpoints and retirement of legacy w
 
 ## 🚧 High Priority Workstreams
 
+### [Security] Site Passcode JWT Migration
+
+- [ ] **[Security] Verify `/authenticate_passcode` deployment** — confirm explicit role priority,
+  complete role flags, `auth_type: 'passcode'`, per-role TTLs, and minimum length validation.
+- [ ] **[Security] Replace local passcode comparison** — migrate
+  `e_app_access_type.svelte` to server verification, JWT storage, and pending/error UI.
+- [ ] **[Security] Remove client-side passcode delivery/storage** — stop caching
+  `access_code_kv_json`, remove `site_access_code_kv` from auth state, and remove passcode logging.
+- [ ] **[Security] Enforce passcode JWT expiry on restore** — expired passcode sessions must
+  return to anonymous without affecting user-login JWT handling.
+
+Reference: `documentation/PROJECT__AE_Site_Passcode_Security.md`.
+
 ### [Stores] Svelte 4 → Svelte 5 State Migration
 The app uses `svelte-persisted-store` (coarse reactivity). Migration target: replace with Svelte 5
 `PersistedState` (from `runed`) for fine-grained updates. See `PROJECT__Stores_Svelte5_Migration.md`.
@@ -120,6 +143,15 @@ uses `build_tmp_sort` (overrides generic encoding in its `specific_processor`).
 
 ### [Journals] Journal Entry Config follow-ups
 - [ ] **[Journals] Entry passcode secondary auth** — implement `passcode_hash` comparison.
+- [ ] **[Journals] Quick Add/import encryption behavior** — both creation paths currently
+  create plaintext entries; define the intended privacy UX and add encryption support before
+  claiming that these paths honor entry E2EE.
+- [ ] **[Journals] Remove decrypted-content console preview** —
+  `ae_journals_decryption.ts` logs the first 30 plaintext characters after successful decryption.
+  Never log private journal content.
+- [ ] **[Journals] Confirm outbound email-sharing requirement** — the archived UI project listed
+  this as unfinished, but no implementation exists. Confirm product/security requirements before
+  creating an email workflow for private journal content.
 
 ---