diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 1972062..978c8b3 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -41,14 +41,8 @@ jobs: - name: Ruff format run: ruff format --check app/ tests/ fpaste - - name: Type check (informational) - run: | - errors=$(mypy app/ --ignore-missing-imports 2>&1 | grep -c "error:" || true) - echo "mypy found $errors type errors" - if [ "$errors" -gt 20 ]; then - echo "::warning::mypy errors increased to $errors (baseline: 20)" - fi - continue-on-error: true + - name: Type check + run: mypy app/ tests/ fpaste --ignore-missing-imports security: name: Security Scan diff --git a/TASKLIST.md b/TASKLIST.md index 973c969..b2c277f 100644 --- a/TASKLIST.md +++ b/TASKLIST.md @@ -11,12 +11,6 @@ Prioritized, actionable tasks. Each task is small and completable in one session | ☐ | Create Ansible deployment role | ☐ | Add Kubernetes manifests (Deployment, Service, ConfigMap) -## Priority 3: Quality - -| Status | Task -|--------|-------------------------------------------------------------- -| ☐ | Fix mypy type errors (currently ignored) - ## Priority 4: Documentation | Status | Task @@ -28,6 +22,7 @@ Prioritized, actionable tasks. Each task is small and completable in one session | Date | Task |------------|-------------------------------------------------------------- +| 2024-12 | Fix all mypy type errors (now enforced in CI) | 2024-12 | Enhance CI with security-tests job, SBOM generation, memory checks | 2024-12 | Complete pentest remediation (CRYPTO-001, TIMING-001) | 2024-12 | Complete pentest remediation (HASH-001, ENUM-001) diff --git a/TODO.md b/TODO.md index 10ea965..a639eba 100644 --- a/TODO.md +++ b/TODO.md 
@@ -17,6 +17,7 @@ Unstructured intake buffer for ideas, issues, and observations. Items here are r ## Observations +- Mypy type errors fixed: now enforced in CI (was informational) - CI enhanced: security-tests job, SBOM generation (CycloneDX), memory leak checks - Comprehensive pentest plan completed (PENTEST_PLAN.md) - all remediations implemented - PKI uses AES-256-GCM for CA private key encryption (PBKDF2 key derivation) @@ -42,7 +43,6 @@ Unstructured intake buffer for ideas, issues, and observations. Items here are r ## Debt -- Mypy has pre-existing type errors (runs with --ignore-missing-imports) - Could add more deployment examples (Kubernetes, Ansible role) ## External Dependencies
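Review bot: In the `.gitea/workflows/ci.yml` hunk, the new blocking `Type check` step still passes `--ignore-missing-imports`, so any import mypy cannot resolve is silently treated as `Any` and code that calls into those modules is not checked. Consider dropping the global flag and listing the known untyped dependencies as per-module `ignore_missing_imports = True` overrides in the mypy configuration, so that a newly added untyped or misspelled import fails the job instead of passing unnoticed.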
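Review bot: In the first `TASKLIST.md` hunk, deleting the whole `## Priority 3: Quality` section leaves `## Priority 4: Documentation` in place with no Priority 3 before it. Either renumber the remaining section or keep the `Priority 3` heading for future quality tasks, so the priority sequence stays contiguous.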
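Review bot: In the `TODO.md` `## Debt` hunk, the removed line recorded two things: the pre-existing type errors and the fact that mypy runs with `--ignore-missing-imports`. Only the first is resolved, since the CI step in this same patch keeps the flag. Suggest rewording the item instead of deleting it, so the remaining reliance on `--ignore-missing-imports` stays tracked as debt.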