diff --git a/plan.md b/plan.md
index 26394f2..0c2e1d5 100644
--- a/plan.md
+++ b/plan.md
@@ -12,26 +12,26 @@
 
 ## 审计任务清单
 
-- [ ] **Task 1**: 读取 `AdminGoodsSaveHandle.php` — 定位 "Undefined array key 'id'" 最可能出现的行
-  - [Pending: council/SecurityEngineer]
+- [x] **Task 1**: 读取 `AdminGoodsSaveHandle.php` — 定位 "Undefined array key 'id'" 最可能出现的行
+  - [Done: council/SecurityEngineer] → Primary: Line 77 `$r['id']`
 
-- [ ] **Task 2**: 分析 ShopXO `Db::name()` 表前缀行为 — `vr_seat_templates` vs `vrt_vr_seat_templates`
-  - [Pending: council/SecurityEngineer]
+- [x] **Task 2**: 分析 ShopXO `Db::name()` 表前缀行为 — `vr_seat_templates` vs `vrt_vr_seat_templates`
+  - [Done: council/SecurityEngineer] → 等价，不存在问题
 
-- [ ] **Task 3**: 分析 `find($templateId)` 返回 null 时的处理逻辑
-  - [Pending: council/SecurityEngineer]
+- [x] **Task 3**: 分析 `find($templateId)` 返回 null 时的处理逻辑
+  - [Done: council/SecurityEngineer] → Secondary: Line 71 访问 `$template['seat_map']` 无空安全
 
-- [ ] **Task 4**: 分析 `$configs` JSON 解码后的类型安全性 — 数组访问下标验证
-  - [Pending: council/SecurityEngineer]
+- [x] **Task 4**: 分析 `$configs` JSON 解码后的类型安全性 — 数组访问下标验证
+  - [Done: council/SecurityEngineer] → 部分安全，is_array 检查存在
 
-- [ ] **Task 5**: 分析 `selected_rooms` 数据结构与类型匹配问题
-  - [Pending: council/SecurityEngineer]
+- [x] **Task 5**: 分析 `selected_rooms` 数据结构与类型匹配问题
+  - [Done: council/SecurityEngineer] → 类型匹配正确（均为字符串），但无空安全
 
-- [ ] **Task 6**: 审计 `SeatSkuService::BatchGenerate` 和 `$data['item_type']` 访问安全性
-  - [Pending: council/SecurityEngineer]
+- [x] **Task 6**: 审计 `SeatSkuService::BatchGenerate` 和 `$data['item_type']` 访问安全性
+  - [Done: council/SecurityEngineer] → BatchGenerate 安全，item_type 有 ?? '' 兜底
 
-- [ ] **Task 7**: 汇总根因分析，输出修复建议 → `reviews/SecurityEngineer-AUDIT.md`
-  - [Pending: council/SecurityEngineer]
+- [x] **Task 7**: 汇总根因分析，输出修复建议 → `reviews/SecurityEngineer-AUDIT.md`
+  - [Done: council/SecurityEngineer] → 报告已生成，含完整根因 + 修复代码
 
 ---