diff --git a/docs/ARCHITECTURE.md b/docs/ARCHITECTURE.md index e9998c5..6152aaf 100644 --- a/docs/ARCHITECTURE.md +++ b/docs/ARCHITECTURE.md @@ -423,6 +423,15 @@ This is an explicit, accepted MVP risk: compromise of the gateway↔backend network segment defeats backend authentication. Mitigated by network isolation; mutual auth is a future hardening step. +**Short numeric codes** (email confirm-codes and Stage 8 friend codes) are stored +only as SHA-256 hashes and are short-lived and single-use. The unauthenticated +email path carries a tight per-IP sub-limit (5 / 10 min); the **friend-code redeem** +is authenticated, so it rides the per-user limit (120 / min) and is further bounded +by the code's 12 h TTL, single use, and **one live code per issuer** (which caps the +valid-code population). Brute-forcing a 6-digit friend code within these limits is an +accepted MVP risk with low blast radius (an unwanted friendship is removable/blockable); +a dedicated redeem sub-limit or a longer code is the hardening step if abuse appears. + ## 13. Deployment (informational) Single public origin, path-routed: the UI, the gateway public surface and the
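Review bot: the "accepted MVP risk" sentence in the friend-code paragraph should state the arithmetic that the visible limits imply, because as written the reader cannot judge whether the risk is small: at the 120 / min per-user limit over the 12 h TTL, one authenticated account can submit up to 120 × 60 × 12 = 86,400 redeem attempts per code lifetime, roughly 8.6 % of the 10^6 six-digit space, and since the limit is per user, N accounts multiply that budget N-fold; the "one live code per issuer" bound caps the number of valid targets, not the attacker's attempt budget. Suggest adding that per-user/per-TTL figure and, next to "if abuse appears", naming how abuse would be observed (e.g. a failed-redeem counter or alert on the redeem endpoint), since the hardening trigger is otherwise undefined. Minor, same hunk: "stored only as SHA-256 hashes" gives little protection for a 6-digit value, because an unkeyed hash of a million-entry space is recoverable by enumeration if the store is read; either hash with a server-side secret (HMAC) or say explicitly that the hashing is defence in depth against casual exposure rather than a brute-force control.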