docs: mark SEC_REVIEW F61 as fixed in 3556cd1

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

doc/SEC_REVIEW.md

@@ -11,7 +11,7 @@
 >
 > Each finding is referenced as **F<N>** for later citation.
 >
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (28 fixed, 14 open).
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (29 fixed, 13 open).
 
 ---
 
@@ -1977,6 +1977,24 @@
   `payment`, `usb`, `magnetometer`, `gyroscope`, `accelerometer`,
   `fullscreen`, `display-capture`, `clipboard-read`, etc.
 - **Severity: 1**
+- **Status:** Fixed. The narrow `geolocation=(), microphone=(),
+  camera=()` was extended to a full deny-list of every browser
+  feature the admin UI doesn't use:
+  `accelerometer`, `ambient-light-sensor`, `autoplay`, `battery`,
+  `bluetooth`, `camera`, `clipboard-read`, `display-capture`,
+  `encrypted-media`, `fullscreen`, `gamepad`, `geolocation`,
+  `gyroscope`, `hid`, `idle-detection`, `interest-cohort` (FLoC),
+  `magnetometer`, `microphone`, `midi`, `payment`,
+  `picture-in-picture`, `screen-wake-lock`, `serial`,
+  `speaker-selection`, `usb`, `web-share`, `xr-spatial-tracking`.
+  `clipboard-write` is left at its same-origin default on the UI
+  Caddyfile so the existing `rawTokenCopy` Alpine component on the
+  Tokens page can still write the freshly-issued raw token to the
+  clipboard; the api Caddyfile denies `clipboard-write` outright
+  because the api never serves a page that needs it. Both
+  Caddyfiles validated with `frankenphp validate --adapter
+  caddyfile -e APP_ENV=production` — both report "Valid
+  configuration".
 
 ### F62 — CSP `style-src 'unsafe-inline'` enables CSS-attribute-selector exfiltration
 - **File:** `ui/docker/Caddyfile:33`