diff --git a/docs/refactor/clawnet.md b/docs/refactor/clawnet.md
index ce1d440a7..ac7eec571 100644
--- a/docs/refactor/clawnet.md
+++ b/docs/refactor/clawnet.md
@@ -288,26 +288,6 @@ Same `deviceId` across roles → single “Instance” row:
 
 ---
 
-# Execution checklist (ship order)
-- [x] **Device‑bound auth (PoP):** nonce challenge + signature verify on connect; remove bearer‑only for non‑local.
-- [x] **Role‑scoped creds:** issue per‑role tokens, rotate, revoke, list; UI/CLI surfaced; audit log entries.
-- [x] **Scope enforcement:** keep paired scopes in sync on rotation; reject/upgrade flows explicit; tests.
-- [x] **Approvals routing:** gateway‑hosted approvals; operator UI prompt/resolve; node stops prompting.
-- [x] **TLS pinning for WS:** reuse bridge TLS runtime; discovery advertises fingerprint; client validation.
-- [x] **Discovery + allowlist:** WS discovery TXT includes TLS fingerprint + role hints; node commands filtered by server allowlist.
-- [x] **Presence unification:** dedupe deviceId across roles; include role/scope metadata; “single instance row”.
-- [x] **Docs + examples:** protocol doc, CLI docs, onboarding + security notes; no personal hostnames.
-- [x] **Test coverage:** connect auth paths, rotation/revoke, approvals, TLS fingerprint mismatch, presence.
-
-Process per item:
-- Do implementation.
-- Fresh‑eyes review (scan for regressions + missing tests).
-- Fix issues.
-- Commit with Conventional Commit.
-- Move to next item.
-
----
-
 # Security notes
 
 - Role/allowlist enforced at gateway boundary.