diff --git a/docs/BACKLOG.md b/docs/BACKLOG.md
index 29f7d058..3b83a8fe 100644
--- a/docs/BACKLOG.md
+++ b/docs/BACKLOG.md
@@ -243,15 +243,15 @@ Migrate as a focused day's work (~40 × 10-15 min), then promote `react-hooks/se
 - ✅ **Berth status pills using ad-hoc Tailwind colors** — swapped to shared `StatusPill` in Wave 9.2. **(ui/ux M1)**
 - ✅ **UserList "Active"/"Disabled" badge** — aligned to `StatusPill` in Wave 9.2; also `PortList` in Wave 9.4. **(ui/ux M2)**
 - ✅ **Drawer vs Sheet usage drift** — single offender (`client-interests-tab`) swapped to Sheet; doctrine documented in CLAUDE.md (Wave 9.1). **(ui/ux M11)**
-- **Decorative icons missing `aria-hidden`** — sweep deferred (task #69, ~100+ icons). **(ui/ux M10)**
+- ✅ **Decorative icons missing `aria-hidden`** — Wave 10.4 mechanical sweep added `aria-hidden` to 444 self-closing single-line Lucide icons across 267 .tsx files. **(ui/ux M10)**
 - ✅ **Hard-coded "border-amber-300 bg-amber-50" callouts (15+ sites)** — `<WarningCallout>` shipped in Wave 4. **(ui/ux L5)**
 - ✅ **Dashboard route `loading.tsx` coverage** — default `[portSlug]/loading.tsx` plus tailored detail-page skeletons (Wave 9.5). **(ui/ux M3)**
 
 ### Wave 5 — Performance + reliability (~2-3 days)
 
-- **Concurrency races** — concurrency-auditor flagged multi-rep edit windows + partial-unique-index insert windows. Add row-level locks (`SELECT … FOR UPDATE`) on the affected paths. **(concurrency C, H)**
-- **Postgres FTS for `search.service.ts`** — current `LIKE '%term%'` doesn't rank and slows at scale. Add `tsvector` GIN indexes; rewrite `searchClient/yacht/company/interest` against `to_tsquery()`. ~half-day migration + half-day service refactor. **(audit 36.K.1)**
-- **`useEffect → fetch → setState` data-loading** (covered by Wave 3 above).
+- ✅ **Concurrency races** — Wave 10.3 closed the CRITICAL + tractable HIGH items: `handleDocumentCompleted` concurrent-retry TOCTOU via SELECT FOR UPDATE re-check (C-1), `moveFolder` cycle-check race via per-port pg_advisory_xact_lock (H-1), `upsertInterestBerth` 23505 → ConflictError (H-3), username uniqueness 23505 → ConflictError (M-2). Wide-impact items (BullMQ jobId plumbing — C-2) remain deferred. **(concurrency C, H)**
+- ✅ **Postgres FTS for `search.service.ts`** — migration `0057_search_fts_indexes.sql` shipped in Wave 5. **(audit 36.K.1)**
+- ✅ **`useEffect → fetch → setState` data-loading** — covered by Wave 3.
 
 ### Wave 6 — Email + Documenso depth (~2-3 days)
 
@@ -268,8 +268,8 @@ Migrate as a focused day's work (~40 × 10-15 min), then promote `react-hooks/se
 - ✅ **PDF + brand asset correctness** (pdf-auditor) — Wave 9.6: wrong-port brand fallback (`'Port Nimara'` → `(port)`/throw), AcroForm field-drift warnings, EOI form flatten, PDF metadata, sha256 pinning of `assets/eoi-template.pdf`, berth-range warning noise. Items C-2/C-3 (tiptap-to-pdfme bugs) were eliminated by the 2026-05-12 PDF stack overhaul.
 - ✅ **Customer-facing copy + terminology** (copy-auditor) — Wave 9.7: centralized `lib/labels/document-status.ts` (C3), portal `leadCategory` chip removed (C2), `Save Changes` → `Save changes` + `Saving...` → `Saving…` codemod (H1, M3), envelope → signing request (M1), `Linked prospect` → `Linked interest`, `Deal Documents` → `Interest Documents`, `Hot Lead` → `Hot lead` (M5).
 - ✅ **Onboarding + first-run UX** (onboarding-auditor) — Wave 9.8: fixed wrong setting keys in checklist auto-checks (C1), broken `forms` href (C2), compound gate for Documenso EOI readiness (C3), catch-and-log around `ensureSystemRoots` (C4), fresh-port berth empty state (H5), admin-sections-browser description (M4).
-- **Type-safety + drizzle leak audit** (types-auditor) — `any` casts, untyped `metadata` fields. (deferred)
-- **Build + deploy + prod readiness** (build-auditor) — Dockerfile review, env var validation. (deferred)
+- ✅ **Type-safety + drizzle leak audit** (types-auditor) — Wave 10.1: `Tx` type exported (C-1), berth-detail `useQuery<any>` replaced with `BerthDetailData` (C-2), parseBody adopted across 7 portal/public routes (C-3), `toAuditJson<T>` helper removed 21 `as unknown as Record<…>` casts (H-5). Drizzle leak check came back clean (no `$inferSelect` crossing the API boundary).
+- ✅ **Build + deploy + prod readiness** (build-auditor) — Wave 10.2: socket.io + 6 other native deps added to `serverExternalPackages` + COPY-in-Dockerfile (C-3), `NEXT_PUBLIC_APP_URL` validation (H-2), healthcheck PORT templatization (H-5), `NODE_ENV=production` in builder (M9), image-level HEALTHCHECK (M7). CSP `'unsafe-inline'` (H-1) deferred pending nonce middleware infrastructure.
 
 ### How to use this section