diff --git a/Codex/API/OPEN_ITEMS.md b/Codex/API/OPEN_ITEMS.md index 8007eca..604b012 100644 --- a/Codex/API/OPEN_ITEMS.md +++ b/Codex/API/OPEN_ITEMS.md 
@@ -4,24 +4,30 @@ Only keep unfinished API work here. ## Active - normalize backup response shape: define canonical success bodies for list/create/restore/delete and a stable error envelope that preserves agent details -- simplify and harden `devProxy`: reduce repeated hosted/tunnel logic, confirm cookie/security settings for production, and keep websocket/http behavior consistent - service discovery migration: audit edge publish/DNS/Cloudflare/Technitium, Prometheus SD, dev IDE wildcard, and post-provision hot paths for direct host assumptions - provisioning validation follow-up where API behavior is involved +- verify Portal compatibility after API JWT issuer/audience tightening, especially refresh flow and hosted IDE token flow +- verify canonical and compatibility file routes still behave identically across list/stat/read/download/delete/put/revert/upload paths after helper extraction ## Cleanup / consolidation priorities -- fold repeated agent-forwarding patterns and shared response shaping where behavior is already the same - fold repeated ownership/auth/IP-guard patterns into small concrete helpers without hiding route intent - split oversized route/service files by responsibility without changing route contracts - keep backup/restore status shaping and async-dispatch logic explicit, but remove duplicated mapping/normalization paths where possible - keep stream-vs-JSON forwarding rules centralized in one place and avoid route-local reimplementation -- standardize repo-local Node version declaration with the current pinned platform version + +## Completed and moved out of active cleanup +- Node/runtime pinning is no longer an open cleanup-only item; Node 24 pinning is now treated as current repo state +- `node-fetch` removal and built-in `fetch` migration are no longer open items +- initial file-proxy route deduplication has been completed; only compatibility verification and follow-on cleanup remain open +- Prisma config migration is no longer an open item 
+- baseline proxy cookie/log hardening is no longer an open item ## Cleanup rule - prefer behavior-preserving folding over broad refactors - merge repeated flows, not concepts - keep helpers small and concrete - reduce route-local duplication before introducing new abstractions -- treat Node/runtime/dependency upgrades as separate validation work, not part of cleanup-only changes +- treat security/runtime changes as contract-sensitive validation work once they affect auth, cookies, or route compatibility ## Verify before re-opening - hosted IDE token + hosted URL flow @@ -30,6 +36,7 @@ Only keep unfinished API work here. - quota enforcement on create flow - restore async-start contract + status polling semantics - streamed file edit/revert forwarding through both canonical and compatibility routes +- older-session re-login behavior after JWT tightening ## Not API-owned - agent-local backup implementation details
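Review bot: In the first hunk (`@@ -4,24 +4,30 @@`), the removed Active item on `devProxy` covered three things: reducing repeated hosted/tunnel logic, confirming cookie/security settings for production, and keeping websocket/http behavior consistent. The only replacement is the Completed line `baseline proxy cookie/log hardening is no longer an open item`. "Baseline" hardening does not say the production cookie settings were confirmed, and the hosted/tunnel deduplication and websocket/http consistency work are neither marked done nor carried forward. Either record each of those as completed, or keep a narrowed `devProxy` item under Active for what remains. The rewritten cleanup rule also no longer mentions dependency upgrades, which the old line treated as separate validation work; keep `dependency` in the new wording unless dropping it is intended. Finally, the new Completed section conflicts with the file's own header rule, `Only keep unfinished API work here`, so consider moving those entries to a changelog or updating the header.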
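Review bot: In the second hunk (`@@ -30,6 +36,7 @@`), the added line `older-session re-login behavior after JWT tightening` names a check without stating the expected result. Say what should happen to a session whose token was issued before the issuer/audience tightening (for example, rejected and sent to re-login, or honored until expiry) so the verification has a pass/fail condition. The new Active item in the first hunk also calls out the refresh flow; if that is not already covered by a line outside this hunk, add it here alongside the re-login check.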