diff --git a/AGENT_NOTES.md b/AGENT_NOTES.md
index 63fa49f..703ed02 100644
--- a/AGENT_NOTES.md
+++ b/AGENT_NOTES.md
@@ -4,8 +4,8 @@
 
 | Agent | Branch | Status |
 |-------|--------|--------|
-| OWL (owl-alpha) | `agent-owl` | ✅ Active — core features done |
-| Hermes (default) | `master` | ✅ Active — collaboration framework |
+| OWL (owl-alpha) | `master` | ✅ Active — core features + security fixes |
+| Hermes (default) | `agent/default/security-improvements` | ✅ Active — collaboration framework, monitoring |
 
 ## Work Queue
 
@@ -22,20 +22,31 @@
 - [x] Docker + Coolify deployment — OWL
 - [x] Seed data from existing ledger (88 loads, 41 shippers, 70 vehicles) — OWL
 - [x] Collaboration framework (AGENTS.md) — Hermes
+- [x] Monitoring script (freightdesk-repo-sync.sh) — Hermes
+- [x] Improvement roadmap (AGENT_INSIGHTS.md) — Hermes
+- [x] Security: remove hardcoded password, add setup form — OWL
+- [x] Security: soft-delete migration — OWL
+- [x] Security: role-based middleware (requireRole) — OWL + Hermes
+- [x] Merge agent/default/security-improvements — OWL
 
-### Pending
+### Pending (from AGENT_INSIGHTS.md roadmap)
+- [ ] CI/CD: GitHub Actions workflow for Coolify deployment
+- [ ] Observability: Pino logger + Prometheus /metrics
+- [ ] Testing: Jest unit tests for Load CRUD
+- [ ] Testing: integration smoke test
+- [ ] DB: versioned migration script
+- [ ] UX: debounced search on Loads list
+- [ ] UX: internationalisation (locales/*.json)
+- [ ] UX: cache-busting asset versioning
 - [ ] Client portal (shipper/driver login)
 - [ ] Invoice PDF generation
-- [ ] React charts on dashboard
-- [ ] WhatsApp parser improvements (more patterns)
-- [ ] Mobile-responsive polish
-- [ ] Supabase Row Level Security policies
-- [ ] API rate limiting tuning
 
 ## Change Notes
 
 - All core features implemented on `agent-owl`, merged to `master`
 - Supabase migrations ready in `supabase/migrations/`
 - Seed data in `supabase/seed_data.json`
-- Default admin: visit `/setup` to create account
+- First login: visit `/setup` to create admin account (no hardcoded password)
 - App runs on port 3000, Docker-ready
+- Auth: requireAuth + requireRole middleware in place
+- Merged Hermes security improvements (kept OWL's more complete requireRole)