
Docs: mark R01-N15 fixed, refresh SPEC §9 / §13

Code fix landed in d16bff4. Updates REVIEW_01.md status block and
suggested-ordering line, adds an §9 Shipped entry, and prepends the
fix + prior docs commit to the §13 git log.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
chiappa 3 days ago
parent commit 270c0c1708
2 files changed, 27 additions, 2 deletions
  1. SPEC.md (+18, -0)
  2. doc/REVIEW_01.md (+9, -2)

+ 18 - 0
SPEC.md

@@ -1048,6 +1048,22 @@ with a `BOOTSTRAP_ADMIN` audit row.
       unchanged. *New sprint* stays in the header as the one
       quick-action admins reach for from any page.
 
+- [x] **R01-N15 — `noreferrer` added to external task URL link**
+      (`d16bff4`). The user-controlled task link in
+      `views/sprints/_task_list.twig` previously rendered with
+      `rel="noopener"` only — that blocks `window.opener` access but
+      still leaks the originating `/sprints/{id}` URL via the `Referer`
+      header to whatever URL an admin saved as `t.url`. Sprint IDs are
+      sequential integers, so a hostile `t.url` could confirm the
+      existence of internal sprints just by inspecting its access
+      logs. Switched to `rel="noopener noreferrer"`. The fix is
+      deliberately narrow: the `/sprints/{id}/present` anchor in
+      `views/sprints/show.twig` keeps `rel="noopener"` because it is
+      same-origin and the Referer leak the finding describes does not
+      apply (browsers send the same-origin Referer to the same origin
+      anyway). Pure twig edit; no test count change. Fourth fix from
+      `doc/REVIEW_01.md`.
+
 - [x] **R01-N01 — Local-admin password is hash-only (no plaintext fallback)**
       (`857df15`). `src/Auth/LocalAdmin.php` previously read the password
       verbatim from `LOCAL_ADMIN_PASSWORD` and compared it with
@@ -1217,6 +1233,8 @@ before acting — nothing here is load-bearing once it grows stale.
 ## 13. Git history (as of this writing)
 
 ```
+d16bff4 Fix R01-N15: add noreferrer to external task URL link
+48a351c Docs: mark R01-N01 fixed, refresh SPEC §9 / §11 / §13
 857df15 Fix R01-N01: hash-only LOCAL_ADMIN_PASSWORD_HASH (no plaintext fallback)
 f075e12 Docs: mark R01-N04 fixed, refresh SPEC §9 / §13
 296883c Fix R01-N04: drop unused SESSION_SECRET from env template + docs
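Review bot: this hand-maintained log is already one commit behind by construction (the present docs commit is absent, just as `48a351c` only appears now), which the "nothing here is load-bearing once it grows stale" caveat in the hunk header covers; still, generating the block from `git log --oneline` in a doc script rather than editing it by hand would avoid the drift and the risk of a mistyped hash.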

+ 9 - 2
doc/REVIEW_01.md

@@ -326,7 +326,14 @@ note. Do not delete entries — they're history.
 
 ### R01-N15 — `target="_blank"` task URL anchor uses `rel="noopener"` only
 - **Severity**: MEDIUM (Privacy; small).
-- **Status**: open.
+- **Status**: fixed-in-`d16bff4` — the user-controlled task link in
+  `views/sprints/_task_list.twig` now emits `rel="noopener noreferrer"`,
+  so the `Referer` header no longer leaks the originating
+  `/sprints/{id}` URL when an admin clicks an attacker-set `t.url`.
+  Scope intentionally narrow: the `/sprints/{id}/present` anchor in
+  `views/sprints/show.twig` was left as `rel="noopener"` because it is
+  same-origin and the Referer leak the finding describes does not
+  apply.
 - **Where**: `views/sprints/_task_list.twig` line 213.
 - **What**: `rel="noopener"` blocks `window.opener` access, but the
   `Referer` header still leaks the origin URL (`/sprints/{id}`) to the
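Review bot: the new status line says the `Referer` leaks "when an admin clicks an attacker-set `t.url`", while the SPEC §9 entry for the same fix describes `t.url` as "whatever URL an admin saved". Those are different threat models: if only admins can set task URLs, the finding is a privacy leak to a destination the admin chose; if lower-privileged users can set them, the sequential `/sprints/{id}` disclosure is attacker-driven and the MEDIUM severity is easier to justify. Pick one wording and state in the **What** section who can write `t.url`, since that is what the severity rests on.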
@@ -647,7 +654,7 @@ A reasonable cadence (do not treat as binding):
 1. ~~**R01-N02** (homepage info disclosure)~~ — fixed in `7fd849b`. Also
    closes R01-N31.
 2. ~~**R01-N04** (`SESSION_SECRET` doc cleanup)~~ — fixed in `296883c`.
-3. **R01-N15** (`rel="noopener noreferrer"`) — one-character fix.
+3. ~~**R01-N15** (`rel="noopener noreferrer"`)~~ — fixed in `d16bff4`.
 4. **R01-N11** (audit column whitelist) — defensive, trivial.
 5. ~~**R01-N01** (local-admin password hashing)~~ — fixed in `857df15`
    (hash-only, no plaintext fallback per operator decision).
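Review bot: the struck item keeps the parenthetical `rel="noopener noreferrer"`, which names the fix rather than the finding, whereas the neighbouring struck entries (homepage info disclosure, `SESSION_SECRET` doc cleanup) name the finding; for consistency and for readers scanning the list, `(`target="_blank"` Referer leak)` would match the R01-N15 heading above. The old "one-character fix" wording is gone, which is correct since the change adds the whole `noreferrer` token.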