diff --git a/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md b/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md
deleted file mode 100644
index 36c2587..0000000
--- a/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-name: "WhatsApp webhook HMAC signature verification"
----
-
-# Story 388: WhatsApp webhook HMAC signature verification
-
-## User Story
-
-As a bot operator, I want incoming WhatsApp webhook requests to be cryptographically verified, so that forged requests from unauthorized sources are rejected.
-
-## Acceptance Criteria
-
-- [ ] Meta webhooks: validate X-Hub-Signature-256 HMAC-SHA256 header using the app secret before processing
-- [ ] Twilio webhooks: validate request signature using the auth token before processing
-- [ ] Requests with missing or invalid signatures are rejected with 403 Forbidden
-- [ ] Verification is fail-closed: if signature checking is configured, unsigned requests are rejected
-- [ ] Existing bot.toml config is extended with any needed secrets (e.g. Meta app_secret for HMAC verification)
-
-## Out of Scope
-
-- TBD
diff --git a/.storkit/work/1_backlog/389_story_whatsapp_phone_number_allowlist_authorization.md b/.storkit/work/1_backlog/389_story_whatsapp_phone_number_allowlist_authorization.md
deleted file mode 100644
index 3379a2a..0000000
--- a/.storkit/work/1_backlog/389_story_whatsapp_phone_number_allowlist_authorization.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-name: "WhatsApp phone number allowlist authorization"
----
-
-# Story 389: WhatsApp phone number allowlist authorization
-
-## User Story
-
-As a bot operator, I want to restrict which phone numbers can interact with the bot, so that only authorized users can send commands.
-
-## Acceptance Criteria
-
-- [ ] New optional allowed_phones list in bot.toml for WhatsApp (similar to Matrix allowed_users)
-- [ ] When configured, only messages from listed phone numbers are processed; all others are silently ignored
-- [ ] When not configured (empty or absent), all phone numbers are allowed (backwards compatible)
-- [ ] Unauthorized senders are logged but receive no response
-- [ ] The allowlist applies to all message types: commands, LLM conversations, and async commands (htop, delete)
-
-## Out of Scope
-
-- TBD
diff --git a/.storkit/work/5_done/384_story_whatsapp_markdown_to_whatsapp_formatting_conversion.md b/.storkit/work/6_archived/384_story_whatsapp_markdown_to_whatsapp_formatting_conversion.md
similarity index 100%
rename from .storkit/work/5_done/384_story_whatsapp_markdown_to_whatsapp_formatting_conversion.md
rename to .storkit/work/6_archived/384_story_whatsapp_markdown_to_whatsapp_formatting_conversion.md