diff --git a/STATUS.md b/STATUS.md new file mode 100644 index 0000000..aa36bbe --- /dev/null +++ b/STATUS.md 
@@ -0,0 +1,100 @@ +# Roundup — 2026-06-14 + +Repos scanned (9 git): CRM, premier-gunner, recap-relay, recap, spark-control, Workout-log, +ten31-transcripts, standards (meta/tooling). +Skipped: **start-os** (external upstream — Start9Labs/start-os, no AGENTS.md); **15 non-git +folders** under `~/Projects` (see Gaps). + +> Generated by `/roundup` — read-only across all repos; quotes priorities/states as found and +> does not rank projects against each other. Overwritten each run; git history is the diff. + +## Per-project snapshot + +- **CRM** — Self-hosted venture-fund CRM + agentic AI layer, on Start9. Live `v0.1.0:74`, + healthy; `main` is **ahead** with a list-view soft-delete fix + 3 tests, not yet deployed. + In progress: reports-subsystem soft-delete sweep. Next: bump version + redeploy to ship the + queued fix. +- **premier-gunner** — Kid-friendly soccer-training tracker PWA (StartOS s9pk). Live + `v0.1.6:0`, all features shipped, nothing in progress. Next: set a real login password; + confirm speed units. +- **recap-relay** — Operator-side credit-metered AI relay (transcribe/diarize/analyze) + + internal-meetings; private Start9 only. At `0.2.124`; full eval done, all P0/P1 fixed. + In progress: open P2 queue (persist webhook dedup first). +- **recap** — YouTube/podcast summarizer (StartOS s9pk + `recaps.cc` cloud). Live (app + `0.2.155`). In progress: **P0/P1 security fixes required before exposing the cloud to + untrusted users.** Next: fix the P0/P1s. +- **spark-control** — StartOS controller for a dual DGX Spark cluster (vLLM swaps, + speech/embeddings/redaction). Live `v0.19.0:0`. In progress: Signal Engine flakiness + (transient GPU-busy) client-side remedy drafted; one CSRF click-through unverified. +- **Workout-log** — Self-hosted multi-user workout logger (Next.js, StartOS s9pk). `v1.2.0:1` + (Next 15 / React 19 upgrade) built + sideloaded; local checks green. Pending: on-box boot + verification. Next: P3 hardening batch. 
+- **ten31-transcripts** — macOS menu-bar app recording dual-track call audio → SparkControl + backend. Main clean + pushed, 73 tests pass, Release app built. In progress: Meet visual fix + (camera-off tiles) unverified. Next: persist backend URL + primary→fallback. +- **standards** (meta/tooling) — Agent-operating standards + the live global fleet. Built: + capture→triage→roundup loop, `/new-project`, deny-by-default `.gitignore`; git-hygiene audit + done (2026-06-14). Next: the `/harden` quality-gate standard. + +## Priority queue (all projects + untriaged inbox) + +**P0 — recap (block cloud exposure to untrusted users):** +- [P0] recap — arbitrary file write via `../../` path escape in library import (`:131-139`) +- [P0] recap — SSRF with read-back in podcast download (unguarded `http.get`, any host) +- [P0] recap — live Gemini key in git history (commit `d5046a0`, still active → rotate) + +**P1:** +- [P1] recap — ESM `require("crypto")` ReferenceError in the license-purchase settle path +- [P1] recap — global `currentFreeJob` lock serializes the entire multi-tenant cloud +- [P1] recap — trial IP-cap + magic-link rate-limit bypass via spoofed `X-Forwarded-For` +- [P1] recap — StartOS registry submission blocked (missing `instructions.md`, wrong repo URLs, license gate) +- [P1] ten31-transcripts — mini-retrofit (no `.claude/`); **inbox (untriaged)** — see "Not yet pushed down" + +**P2:** +- [P2] CRM — reports subsystem (~16 aggregate queries) still counts soft-deleted rows (next step #1) +- [P2] CRM — `?limit=abc` crashes +- [P2] recap-relay — persist webhook dedup so a restart can't double-credit/extend (`routes/credits.js:63`, `zaprite-webhook.js:27`) +- [P2] recap-relay — BTCPay manifest/deps decision (hard-required vs. 
truly optional) +- [P2] recap-relay — money-path unit tests; `cors()` scope off `/admin/*`; split 2225-line `routes/internal-meetings.js`; fix two AGENTS.md auth-doc drifts +- [P2] spark-control — no automated tests (swap state machine, proxies, SSH wrapper, package) — biggest coverage gap +- [P2] ten31-transcripts — guard `RecapAnalyzer.mmss()` against NaN/∞; rewrite stale README + +**P3 — deferred hardening / hygiene:** +- [P3] recap — request-size caps, invoice-ID hijack binding, container root, in-memory rate-limit buckets, repo hygiene, packaging polish, doc reconciliation +- [P3] recap-relay — no `/relay/*` rate limiting, container root, dashboard XSS, `lan-fetch` TLS off; versions prune; stale `/relay/health` version; bulk doc fixes +- [P3] Workout-log — login timing oracle, CSP `unsafe-eval`, `/api/health` info disclosure, rate-limit map leak, `exerciseId` ownership on PATCH/sets POST, 30-day sessions, text max-length +- [P3] spark-control — stale README, deprecated `@app.on_event`, hardcoded version, unescaped `innerHTML` sink, packaging placeholders +- [P3] ten31-transcripts — reconcile `docs/` specs with reality, `SessionController` state-machine tests, smaller items in `EVALUATION.md` + +**Unprioritized — needs triage (actionable next-steps with no priority marker as found):** +- CRM — bump version + rebuild/redeploy the queued list-view fix + tests; Grant+Jonathan freeze v2.0 canonical; build reply-all for Tier-B drafts; confirm Appendix-A + Maple/OpenSecret/Primal, then promote +- premier-gunner — set a real login password; confirm speed unit (mph vs km/h); decide on "log another" same-category session +- recap — persist provider preference server-side; apply Export ▾ to clip-collection panel; verify "Take Recaps home" licensing; confirm cloud paid-only vs. 
free-signed-in intent; Zaprite recurring (BLOCKED on Zaprite API); CI lint + type-check +- spark-control — on-box CSRF click-through test; forward concurrency note to Signal Engine dev; concurrency sweep; parakeet-asr `--memory` cap; start the ROADMAP tech-debt list (pytest harness first) +- Workout-log — tiered AI prompt formatting (JSON-schema output, etc.); (later) Next 15→16 upgrade; verify StartOS forwards real client IPs +- ten31-transcripts — persist backend URL in Settings + primary→fallback on connection failure +- standards — build the `/harden` quality-gate standard (item 1); the non-git-folder sweep + +## Not yet pushed down (inbox) + +These exist nowhere but `~/Projects/standards/INBOX.md` (1 untriaged item): +- **ten31-transcripts** — `[chore][P1]` Mini-retrofit: add the inbox-check line, create + `.claude/settings.json`, normalize `.gitignore` to the deny-by-default canonical block + (+ `.env.*` / `!.env.example`), and decide on a `docs/guides/` reorg. → run `/triage` inside + ten31-transcripts to route it. + +## Proposed new projects + +None — no `(new)` / `(new:name)` items in the inbox. + +## Gaps + +- **start-os** — external upstream (`Start9Labs/start-os`); no AGENTS.md/ROADMAP. Out of scope + (not your project); skipped, not a deficiency. +- **15 non-git folders under `~/Projects` are unprotected** (no git, no standards): + discount-watcher, expense-organizer, giga, Grand-Cayman-paddleboard, heart-rate, licensing, + one-river, satoshi-sleep, START9 PACKAGING, ten31-agents, ten31-command-center, + ten31-signal-engine, timestamp-converter, timestamp-newspaper, website-landing. Each needs + `git init` + retrofit, or an explicit "scratch, don't track" decision (tracked as the + standards item-6 non-git-folder sweep). +- No stale-looking Current states — every snapshot is dated 2026-06-13/14.
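Review bot: the P0 line `- [P0] recap — live Gemini key in git history (commit `d5046a0`, still active → rotate)` records a still-valid secret and the exact commit that exposes it in a file that is itself committed and overwritten on every run, so the "rotate" action needs to be split out as an immediate, owned step rather than folded into "Next: fix the P0/P1s"; revocation of the key is independent of the path-escape and SSRF fixes and should not wait on them, and the entry should say whether the recap history will be rewritten or the key is treated as permanently leaked, since rotation alone leaves the hash pointing at a dead credential only once both are done. Smaller point in the header: "Repos scanned (9 git)" is followed by a list of eight repos (CRM, premier-gunner, recap-relay, recap, spark-control, Workout-log, ten31-transcripts, standards), with start-os listed as skipped; if start-os is the ninth git repo, say "9 git repos found, 8 scanned" so the count matches the list. Also worth cross-referencing: the recap P1 `rate-limit bypass via spoofed X-Forwarded-For` and the Workout-log next-step `verify StartOS forwards real client IPs` are the same proxy-trust question for every s9pk in the fleet, so the fix (only honour the forwarding header from the known StartOS proxy) belongs in the shared standards item rather than being solved per repo.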