diff --git a/docs/audits/FASTIFY_CORE_AUDIT_AND_ROADMAP_2026-03-06.md b/docs/audits/FASTIFY_CORE_AUDIT_AND_ROADMAP_2026-03-06.md index 54085dcf..2959956d 100644 --- a/docs/audits/FASTIFY_CORE_AUDIT_AND_ROADMAP_2026-03-06.md +++ b/docs/audits/FASTIFY_CORE_AUDIT_AND_ROADMAP_2026-03-06.md @@ -1024,6 +1024,10 @@ The ecosystem finishes with fewer duplicate patterns and fewer partial migration - Scope: confirmed shared JWT helper migrations committed in product backends with isolated backend typechecks passing; verified commits so far: `learning_ai_clock` `8cc21d8`, `learning_ai_fastgap` `84b6da6` - Commit: `PENDING_DOC_UPDATE_COMMIT_SHA` - Status: In progress +- [x] **Increment 5 — Post-migration review fixes** + - Scope: audit pass over recent Fastify-core rollout fixes; restored `mcp-server` issuer validation via tested local auth helper, repaired missing `platform-service` imports after helper migration, and isolated `platform-service` bootstrap tests from startup side effects + - Commit: `63b0d20` + - Status: Completed ## P0 — Must Do 
@@ -1036,6 +1040,24 @@ The ecosystem finishes with fewer duplicate patterns and fewer partial migration ## Open TODOs / Questions - **TODO 1** — Reconcile repo-state inconsistency during product backend verification: `LysnrAI`, `MindLyst`, `JarvisJr`, and `PeakPulse` backend server files were validated with the shared helper shape, but only `ChronoMind` and `NomGap` showed commit-worthy diffs in git during this sweep. Confirm whether those other repos were already migrated previously or whether local workspace state masked pending diffs. +- **TODO 2** — Full `platform-service` suite still intermittently exits with Vitest worker teardown `EPERM kill` in this environment even when the isolated `src/server.test.ts` passes. Treat this as environment/test-runner follow-up unless it reproduces as a deterministic assertion failure. + +## Review Findings — 2026-03-06 Follow-up Pass + +- **Finding 1 — `mcp-server` auth regression risk** + - Severity: High + - Issue: the shared JWT helper migration temporarily dropped explicit issuer validation in `services/mcp-server/src/server.ts`. + - Fix: moved verification into `services/mcp-server/src/lib/auth.ts` as `verifyJwtToken(...)` with `issuer: 'bytelyst-platform'` enforced; updated server usage and added direct regression tests in `services/mcp-server/src/lib/auth.test.ts`. + +- **Finding 2 — `platform-service` import breakage after refactor** + - Severity: High + - Issue: the helper migration left `verifyToken` and `JwtPayload` unresolved in `services/platform-service/src/server.ts` after imports were shuffled. + - Fix: restored the imports at the top of the module and revalidated bootstrap behavior. + +- **Finding 3 — `platform-service` bootstrap test side effects** + - Severity: Medium + - Issue: `services/platform-service/src/server.test.ts` still triggered startup side effects such as seeding, migration calls, diagnostics subscriber registration, and trigger-job startup during test import. 
+ - Fix: mocked those startup side-effect modules directly and asserted the expected wiring instead of allowing noisy background behavior during the bootstrap test. ## P1 — Should Do
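Review bot: In the `@@ -1024,6 +1024,10 @@` hunk, the new Increment 5 entry is marked `[x]` and `Status: Completed` with commit `63b0d20`, but the entry directly above it still reads `Commit: PENDING_DOC_UPDATE_COMMIT_SHA` and `Status: In progress`. The scope line says issuer validation was "restored", yet nothing in the roadmap identifies the commit that removed it, so a reader cannot bound how long `mcp-server` ran without the check. Suggest resolving the placeholder before merging and adding the introducing commit to the Increment 5 scope, with a pointer to Finding 1 in the review section.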
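Review bot: Finding 1 in the `@@ -1036,6 +1040,24 @@` hunk documents the issuer check only for `mcp-server`, where it now lives in a local `verifyJwtToken(...)` in `services/mcp-server/src/lib/auth.ts`. It does not say whether the shared JWT helper enforces `issuer`, or whether the other backends moved onto that helper were checked for the same gap. TODO 1 in the same hunk already lists backends whose migration state is unconfirmed (`LysnrAI`, `MindLyst`, `JarvisJr`, `PeakPulse`), so the finding should state the result for each of them and for `platform-service`, or open a TODO to verify it. It would also help to say whether `auth.test.ts` includes a rejection case for a token with a wrong or missing issuer, since "direct regression tests" does not make that clear.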