diff --git a/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md b/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md
index 2f4fb09..82c13b2 100644
--- a/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md
+++ b/.storkit/work/1_backlog/388_story_whatsapp_webhook_hmac_signature_verification.md
@@ -17,6 +17,7 @@ As a bot operator, I want incoming WhatsApp webhook requests to be cryptographic
 - [ ] Requests with missing or invalid signatures are rejected with 403 Forbidden
 - [ ] Verification is fail-closed: if signature checking is configured, unsigned requests are rejected
 - [ ] Existing bot.toml config is extended with any needed secrets (e.g. Meta app_secret for HMAC verification)
+- [ ] MUST use audited crypto crates (hmac, sha2, sha1, base64) — no hand-rolled cryptographic primitives
 
 ## Out of Scope