diff --git a/TODO.md b/TODO.md index d5825a5..32be616 100644 --- a/TODO.md +++ b/TODO.md @@ -8,9 +8,12 @@ ## Pending - [ ] #rep-student-touch Replace hover student popover with tap-to-open drawer for mobile `(repertoire.php, repertoire.css, repertoire-student-popover.js)` -- [x] #rep-polish Polish: scroll-position memory on HTMX swap, animation tuning `(repertoire.css)` ✓ + +## Deferred / Blocked +- [ ] #tighten-csp Tighten CSP to remove 'unsafe-inline' + 'unsafe-eval' from script-src — blocked on HTMX's use of new Function() for 'unsafe-eval'; 'unsafe-inline' needs OverType init + flash-warning inline scripts moved to external files, plus maintenance.php + validate-access.php inline styles extracted ## Completed +- [x] #rep-polish Polish: scroll-position memory on HTMX swap, animation tuning `(repertoire.css)` ✓ - [x] #icon-color-verify Verify icon colors render correctly across all pages (header, admin tables, forms, dialogs, cleanup modal) ✓ - [x] #sec-open-redirect Fix open redirect in tag.php + language.php (protocol-relative URL bypass via str_starts_with) ✓ - [x] #build-pipeline Setup biome + rolldown + lightningcss build pipeline ✓
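Review bot: The added #tighten-csp item under "Deferred / Blocked" scopes itself to script-src, yet its blocker list ends with "maintenance.php + validate-access.php inline styles extracted". Inline styles are governed by style-src, not script-src, so either widen the title to cover both directives or move the style extraction into its own item. The entry also bundles two independent blockers: 'unsafe-eval' is blocked on HTMX's use of new Function(), while 'unsafe-inline' only needs the OverType init and flash-warning inline scripts moved to external files. Splitting these into two entries would let the 'unsafe-inline' work stay under "Pending" rather than being deferred along with the HTMX dependency. As a style point, the other entries carry a backticked file list such as `(repertoire.css)`; the files named here could follow the same convention.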