diff --git a/docs/E1_Incomplete_Features_Audit.md b/docs/E1_Incomplete_Features_Audit.md new file mode 100644 index 0000000..c1608c3 --- /dev/null +++ b/docs/E1_Incomplete_Features_Audit.md 
@@ -0,0 +1,176 @@ +# E-1 Incomplete Features Audit + +**Date:** 2026-03-29 +**Branch:** culurien + +--- + +## 1. SIGNED PACKAGE DOWNLOADS + +### Current State +- **downloads.go:92-98**: Comment block with TODO — `GetSignedPackage` is stubbed out but the code path falls through to unsigned binary serving +- **Migration 016**: `agent_update_packages` table EXISTS with columns: id, version, platform, architecture, binary_path, signature, checksum, file_size, created_at, created_by, is_active +- **Server handlers**: `SignUpdatePackage` and `ListUpdatePackages` handlers EXIST in `agent_updates.go` (lines 424, 459) — these are functional +- **Agent side**: Agent does NOT call `/downloads/updates/:package_id` (zero grep results). The A-2 update download endpoint is now auth-protected but unused by agents +- **Build orchestrator**: `agent_build.go`, `build_orchestrator.go`, `build_types.go` exist — these handle cross-platform agent binary compilation + +### Assessment +The signed package infrastructure is 80% complete: +- DB schema: EXISTS +- Sign endpoint: EXISTS +- List endpoint: EXISTS +- Download endpoint: EXISTS (was protected in A-3) +- Agent-side download + verify: MISSING +- Wire `downloads.go:92` to query DB instead of commented-out stub: 1 line fix + +--- + +## 2. 
CONFIGURABLE CHECK-IN INTERVALS & TIMEOUTS + +### Hardcoded Values + +| Value | Location | Hardcoded | +|-------|----------|-----------| +| Offline check frequency | main.go:429 | 2 minutes | +| Offline threshold | main.go:436 | 10 minutes | +| Sent command timeout | timeout.go:28 | 2 hours | +| Pending command timeout | timeout.go:29 | 30 minutes | +| Token cleanup interval | main.go:445 | 24 hours | +| Timeout check interval | timeout.go:40 | 5 minutes | + +### Settings Infrastructure + +| Component | Status | +|-----------|--------| +| `security_settings` table | EXISTS (migration 020) | +| `security_settings_audit` table | EXISTS (migration 020) | +| `scanner_config` table | EXISTS (migration 027) | +| `SecuritySettingsService` | EXISTS — has GetSetting, SetSetting, ValidateSetting | +| Security settings API | EXISTS (7 routes re-enabled in A-3) | +| General settings API | EXISTS (timezone only — 3 routes) | +| Scanner config API | EXISTS (3 routes for scanner timeouts) | +| Settings UI page | EXISTS (`Settings.tsx`) — timezone + dashboard refresh only | +| Security settings UI | EXISTS (`SecuritySettings.tsx`) — categories and events | + +### Assessment +The settings infrastructure EXISTS but the operational timeouts (offline threshold, command timeout, etc.) are not wired to it. The `security_settings` table is designed for security-specific settings. General operational settings would need either a new table or reuse of the existing infrastructure with a new category. The scanner_config table already handles per-scanner timeouts, suggesting the pattern could be extended. + +**Effort: LOW-MEDIUM** — The DB, API, and UI patterns exist. Need to add timeout values to `security_settings` (or a new `operational_settings` table) and wire the hardcoded constants to read from DB at startup. + +--- + +## 3. 
INSTALL/LOGS UI (AgentUpdates.tsx) + +### Stubs Found + +| Location | Stub | What's Missing | +|----------|------|----------------| +| `AgentUpdates.tsx:184` | `console.log('Install update:', update.id)` | API call to install endpoint | +| `AgentUpdates.tsx:193` | `console.log('View logs for update:', update.id)` | API call to logs endpoint | +| `AgentUpdatesEnhanced.tsx:93` | `api.installUpdate` not in API client | Missing API method | +| `AgentUpdatesEnhanced.tsx:141` | `api.getCommandLogs` not in API client | Missing API method | + +### Backend Status +- Install endpoint (`POST /updates/:id/install`): EXISTS and functional +- Logs endpoint (`GET /logs`): EXISTS and functional +- Command logs per update: needs a filtered query but infrastructure exists + +### Assessment +**Frontend-only fix** — backend endpoints exist. The UI needs: +1. Wire `Install` button to existing `POST /updates/:id/install` API +2. Wire `Logs` button to existing `GET /updates/:id/logs` API +3. Add `installUpdate` and `getCommandLogs` to the API client (`api.ts`) + +**Effort: LOW** — pure frontend wiring. + +--- + +## 4. SECURITY SETTINGS UI + +### Backend Status +| Method | Status | +|--------|--------| +| GetAllSecuritySettings | EXISTS — returns settings from DB | +| GetSecuritySettingsByCategory | EXISTS | +| UpdateSecuritySetting | EXISTS | +| ValidateSecuritySettings | EXISTS | +| ApplySecuritySettings | EXISTS | +| GetSecurityAuditTrail | PLACEHOLDER — returns empty array (DEV-020) | +| GetSecurityOverview | PLACEHOLDER — returns all settings as overview (DEV-020) | + +### Frontend Status +- `SecuritySettings.tsx`: EXISTS — full category-based settings UI with save/validate +- `SecurityEvents.tsx`: EXISTS — event display component +- `useSecurity.ts`: EXISTS — calls `/security/overview` +- `useSecuritySettings.ts`: EXISTS — CRUD operations + +### Assessment +The security settings pipeline is functional except for two placeholder endpoints. 
The audit trail needs the `security_settings_audit` table query (table exists, query not written). The overview needs a summary aggregation query. + +**Effort: LOW** — write 2 queries for the placeholder handlers. + +--- + +## 5. TYPESCRIPT BUILD ERRORS + +**Total unique error locations: 217** + +| Error Code | Count | Description | +|------------|-------|-------------| +| TS6133 | 112 | Unused declared variables | +| TS2339 | 49 | Property does not exist on type | +| TS2322 | 20 | Type mismatch | +| TS2367 | 4 | Comparison type mismatch | +| TS7006 | 3 | Implicit any parameter | +| TS2353 | 3 | Object literal unknown property | +| TS2345 | 3 | Argument type mismatch | +| Other | 23 | Various | + +**Top affected files:** +- `AgentHealth.tsx` — 10 errors (type mismatches on security status) +- `AgentUpdatesEnhanced.tsx` — 6 errors (missing API methods, undefined state) +- `ChatTimeline.tsx` — multiple unused variables +- `SecuritySettings.tsx` — type issues + +**Note:** The Vite production build PASSES (uses `vite build` not `tsc`). These are strict TypeScript errors that Vite's esbuild transpilation ignores. The app runs correctly despite these type errors. + +--- + +## 6. FEATURE COMPLETENESS MATRIX + +| Feature | DB Schema | API Endpoint | Frontend UI | Status | +|---------|-----------|--------------|-------------|--------| +| Signed package download | EXISTS | EXISTS (stub wiring) | MISSING (no agent-side) | 80% | +| Configurable timeouts | PARTIAL (security only) | PARTIAL (security only) | PARTIAL (timezone only) | 40% | +| Install/Logs UI | EXISTS | EXISTS | STUB (console.log) | 85% | +| Security audit trail | EXISTS (table) | PLACEHOLDER | EXISTS (UI calls it) | 70% | +| Security overview | EXISTS (settings table) | PLACEHOLDER | EXISTS (UI calls it) | 70% | + +--- + +## 7. 
PRIORITIZATION + +| Rank | Feature | Value | Infrastructure | Effort | Notes | +|------|---------|-------|----------------|--------|-------| +| 1 | Install/Logs UI | HIGH | 85% complete | LOW | Frontend wiring only | +| 2 | Security audit trail + overview | MEDIUM | 70% complete | LOW | 2 DB queries | +| 3 | Configurable timeouts | MEDIUM | 40% complete | MEDIUM | Need to wire hardcoded values to DB | +| 4 | Signed package download | HIGH (for upgrades) | 80% complete | MEDIUM | Agent-side download + verify needed | + +**Note for Fimeg:** The signed package download (rank 4) is prerequisite for the agent self-upgrade feature that was explicitly requested. The infrastructure is mostly there — the missing piece is agent-side download and Ed25519 verification of the downloaded package. + +--- + +## FINDINGS SUMMARY + +| ID | Feature | Severity | Finding | Location | +|----|---------|----------|---------|----------| +| F-E1-1 | Signed download | MEDIUM | Stub code commented out, needs 1-line DB lookup fix | downloads.go:92-98 | +| F-E1-2 | Signed download | HIGH | Agent has no package download/verify code | aggregator-agent/ (missing) | +| F-E1-3 | Timeouts | MEDIUM | 6 hardcoded operational values not configurable | main.go, timeout.go | +| F-E1-4 | Install UI | LOW | Install button is console.log stub | AgentUpdates.tsx:184 | +| F-E1-5 | Logs UI | LOW | Logs button is console.log stub | AgentUpdates.tsx:193 | +| F-E1-6 | Install UI | MEDIUM | API client missing installUpdate method | AgentUpdatesEnhanced.tsx:93 | +| F-E1-7 | Audit trail | LOW | GetSecurityAuditTrail returns empty array | security_settings.go (DEV-020) | +| F-E1-8 | Overview | LOW | GetSecurityOverview returns raw settings | security_settings.go (DEV-020) | +| F-E1-9 | TypeScript | MEDIUM | 217 strict TS errors (112 unused vars, 49 property errors) | aggregator-web/src/ |
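
Review bot: Section 1 says the `downloads.go:92-98` code path "falls through to unsigned binary serving", but F-E1-1 in the findings summary records it only as "Stub code commented out, needs 1-line DB lookup fix", and nothing in the document says what the handler should do when the lookup finds no matching `agent_update_packages` row. Suggest naming the unsigned fall-through as the finding itself and stating the intended behaviour for the no-row case (return an error rather than serve the unsigned binary), because the agent-side Ed25519 verification called for in Section 7 has nothing to verify on that path. Section 3 also contradicts itself: Backend Status lists the logs endpoint as `GET /logs` while the Assessment wires the button to `GET /updates/:id/logs`, and "Frontend-only fix" conflicts with "Command logs per update: needs a filtered query". The missing `api.getCommandLogs` method (`AgentUpdatesEnhanced.tsx:141`) has no row in the findings table, where only `installUpdate` appears as F-E1-6.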