diff --git a/upstream/sync-rounds/2026-05-12.md b/upstream/sync-rounds/2026-05-12.md
index c7d66f0..52a7ba4 100644
--- a/upstream/sync-rounds/2026-05-12.md
+++ b/upstream/sync-rounds/2026-05-12.md
@@ -226,3 +226,12 @@ PRs 1–4 can land in parallel. PR 5 must be last.
 
 - The 3 deferred net-new skills (`tinystruct-patterns`, `ios-icon-gen`, `flox-environments`). Open as a separate "ECC net-new skills" round once round 2 lands.
 - The schema split between `lastSyncedSha` and `lastEvaluatedSha` (would change the validator + drift workflow). Defer to its own PR.
+
+## Backports to upstream ECC
+
+While porting `0dcde13` (block-no-verify shell-words rewrite) in PR [#68](https://github.com/Jamkris/everything-gemini-code/pull/68), CodeRabbit's round-3 review surfaced two real bypass holes in the upstream rewrite that EGC inherited verbatim:
+
+- **`core.hooksPath` case-sensitivity bypass** (critical) — `git -c core.hookspath=…` slipped past the guard because the comparison was case-sensitive while Git config keys are case-insensitive.
+- **`-tn` false positive** (major) — `COMMIT_SHORT_OPTIONS_WITH_VALUE` was missing `'t'`, so `git commit -tn templatefile` was falsely blocked as a `-n` (no-verify) bypass.
+
+Both fixes shipped to EGC in [#68](https://github.com/Jamkris/everything-gemini-code/pull/68) (commit `fbf7908`). They were also backported upstream to ECC as [`affaan-m/everything-claude-code#1843`](https://github.com/affaan-m/everything-claude-code/pull/1843) per the dual-PR pattern in `CONTRIBUTING.md`. This is the first contribution flowing the other direction from EGC's sync rounds.