diff --git a/TODO.md b/TODO.md index 78a2ace..97c7f32 100644 --- a/TODO.md +++ b/TODO.md @@ -793,4 +793,25 @@ After phase 1 the codebase will have 3 fresh examples of "ping the LAN, listen f - [x] **Pre-merge verification pass.** 1358 pytest tests pass; ruff clean across all device modules and tests; black clean against the pre-commit-pinned 24.10.0; `npx tsc --noEmit` clean; bundle - compiles. No issues surfaced — branch is in shape to merge. + compiles. +- [x] **Pre-merge code review (subagent)** — surfaced 2 CRITICAL + + 4 HIGH + 3 MEDIUM + 3 LOW findings. +- [x] **All review findings fixed** (commits `7736bc6` + `0e3ae78`): + - CRITICAL #1: missing `url_scheme.py` / `net_classify.py` + committed (4 files / 557 lines). + - CRITICAL #2: `update_device` no longer re-encrypts secrets in + memory via the `to_dict()` round-trip (uses `vars()` directly). + - HIGH #3: `nanoleaf_token` / `hue_username` / `hue_client_key` + stripped from `DeviceResponse`; replaced with paired-flag + booleans. Frontend updated. + - HIGH #4: `validate_lan_host()` rejects literal public IPs at + each driver's `validate_device` + `pair_device`. + - HIGH #5: `_dec()` failures clear the field and log, not crash + the row. + - HIGH #6: update route now rstrip's URL for all device types. + - MEDIUM #7: Govee discovery serialized via `asyncio.Lock`. + - MEDIUM #8: Nanoleaf mDNS browser cleanup moved to `finally`. + - MEDIUM #9: pair endpoint sanitizes URL userinfo in logs. + - LOW: Nanoleaf `.port` property added; pair-then-create E2E test + added. + - Tests: 1379 pass (+21 regression tests).
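Review bot: The LOW entry at the end of the added checklist itemizes only two fixes (the Nanoleaf `.port` property and the pair-then-create E2E test) against the "3 LOW" findings counted a few lines above it, and unlike #1 through #9 the LOW items carry no numbers, so a reader cannot tell whether the third LOW finding was fixed, deferred or dropped. Number the LOW findings and either list the third or mark it open rather than leaving it under "All review findings fixed". On HIGH #4, the entry says `validate_lan_host()` rejects literal public IPs; say whether hostnames are also checked after resolution, or record that as a follow-up item, since the wording as written covers literals only.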