diff --git a/.kiro/steering/tech.md b/.kiro/steering/tech.md
index 56190cd..23eb5c8 100644
--- a/.kiro/steering/tech.md
+++ b/.kiro/steering/tech.md
@@ -106,6 +106,18 @@ No ESLint is configured for backend — the pipeline uses `node -c` syntax check
 | Staging | http://71.85.90.9:3100 | Auto-deploy on master push |
 | Local dev (frontend only) | http://localhost:3000 | React dev server with hot-reload, proxies API to :3001 |
 
+## Secure Context Constraints
+
+All environments serve over **plain HTTP** (not HTTPS). This means browser APIs that require a [secure context](https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts) are **not available** in production or staging:
+
+- `navigator.clipboard` (Clipboard API) — use `document.execCommand('copy')` with a hidden textarea instead
+- `navigator.share` (Web Share API)
+- `crypto.subtle` (Web Crypto API)
+- `navigator.credentials` (Credential Management API)
+- Service Workers and Push Notifications
+
+When writing frontend code that needs clipboard, sharing, or crypto functionality, always use the non-secure fallback pattern. Do not use `navigator.clipboard.writeText()` or similar secure-context APIs.
+
 ## CI/CD Pipeline
 
 ### Infrastructure
diff --git a/backend/migrations/run-all.js b/backend/migrations/run-all.js
index d337612..3c80b38 100644
--- a/backend/migrations/run-all.js
+++ b/backend/migrations/run-all.js
@@ -29,6 +29,7 @@ const POSTGRES_MIGRATIONS = [
 'add_archer_templates_table.js',
 'add_queue_remediation_notes_table.js',
 'add_remediate_workflow_type.js',
+ 'add_notifications_table.js',
 ];
 
 async function runAll() {
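Review bot: In the `.kiro/steering/tech.md` hunk, the closing paragraph of "Secure Context Constraints" tells authors to "always use the non-secure fallback pattern" for crypto functionality, but unlike the clipboard bullet there is no equivalent fallback for `crypto.subtle`. On a plain-HTTP origin the page's own scripts can be altered in transit, so cryptography done in the browser gives no guarantee there. I would limit the fallback rule to clipboard and sharing and replace the crypto part with something like `Do not implement cryptographic operations in the browser while the app is served over HTTP; perform them server-side.` The section also records that production has no TLS as a fixed constraint; it would be better stated as a known limitation (credentials and session tokens presumably cross the network in cleartext) with a pointer to the plan for terminating TLS in front of the app. Since `document.execCommand('copy')` is deprecated, the clipboard bullet should mark it as a stopgap.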