docs: mark SEC_REVIEW F6 as fixed in d119b72

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

doc/SEC_REVIEW.md

@@ -11,7 +11,7 @@
 >
 > Each finding is referenced as **F<N>** for later citation.
 >
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2, 42 sev-1.
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (1 fixed, 26 open), 42 sev-1.
 
 ---
 
@@ -155,6 +155,27 @@
   multiplies allowed attempts by N silently. No persistent (DB / Redis)
   backing.
 - **Severity: 2**
+- **Status:** Fixed in `d119b72`. State moved behind a `ThrottleStore`
+  abstraction; production wires `FileThrottleStore`, a flock-protected
+  JSON file under `sys_get_temp_dir()` (overridable via
+  `LOGIN_THROTTLE_PATH`). All FrankenPHP workers in one container share
+  the same file: counters survive worker recycle and a single counter
+  is incremented across the worker pool. Mutations take an exclusive
+  lock on a sibling `.lock` file and write through a temp file + rename,
+  so readers always see a consistent snapshot. Stale entries
+  (`lockedUntil + 24 h < now`) are GC'd opportunistically. The file
+  lives on the container's ephemeral writable layer, so a container
+  restart still clears it — preserving the documented operator-unlock
+  path. Multi-replica deployments still require sticky-LB mode (SPEC's
+  documented topology). Regression tests in
+  `ui/tests/Unit/Auth/FileThrottleStoreTest.php`
+  (`testFailureRecordedOnOneInstanceIsVisibleToAnother`,
+  `testClearOnOneInstanceIsVisibleToAnother`,
+  `testCorruptFileIsTreatedAsEmpty`,
+  `testStaleEntriesGarbageCollected`,
+  `testWritesGoThroughTempPlusRename`,
+  `testResetUnlinksFile`) and
+  `LocalLoginTest::testFailuresArePersistedToConfiguredFilePath`.
 
 ### F7 — Username enumeration via response timing on local login
 - **File:** `ui/src/Auth/LocalLoginController.php:77-78`