diff --git a/agents/code-reviewer/HEARTBEAT.md b/agents/code-reviewer/HEARTBEAT.md
index a98a58ee6..dd3b11d8d 100644
--- a/agents/code-reviewer/HEARTBEAT.md
+++ b/agents/code-reviewer/HEARTBEAT.md
@@ -616,3 +616,80 @@ When you complete a code review:
 
 **Status**: Done — Passed with minor issues, assigned to Security Reviewer
 
+
+### 2026-05-11 (Monday) — FRE-5146 Review
+
+**Issue**: FRE-5146 — Security Review: PremiumAnalyticsService
+
+**Context**:
+- Issue in `in_progress` status for security review of PremiumAnalyticsService
+- Related to FRE-5136 (Premium Analytics Dashboard implementation)
+- Service file: `/home/mike/code/Nessa/Nessa/Services/PremiumAnalyticsService.swift` (802 lines)
+
+**Action Taken**:
+- Reviewed PremiumAnalyticsService.swift (802 lines) - comprehensive analytics service
+- Reviewed AnalyticsManager.swift (60 lines) - event tracking and metrics
+- Reviewed WorkoutHistoryService.swift (68 lines) - workout data access
+- Analyzed actor-based concurrency, caching, rate limiting implementation
+- Reviewed data models: WorkoutAnalytics, PerformanceReport, Insights, Recommendations
+- Evaluated predictive analytics: injury risk, plateau detection, optimal training load
+
+**Findings**:
+
+**P1 - Critical (4 issues)**:
+1. **Incorrect userId in WorkoutAnalytics** (line 434): Uses `filter.timeRange.startDate.ISO8601Format()` instead of actual `userId` parameter
+2. **Rate limit error semantics** (line 218): Throws `insufficientData` for rate limit, should use dedicated error
+3. **Unsafe force unwrap in CSV export** (line 335): `csvData.data(using: .utf8)!` could crash
+4. **Empty PDF implementation** (line 341-345): Returns `Data()` placeholder without actual PDF generation
+
+**P2 - High (4 issues)**:
+5. **Cache never invalidated** (lines 196-197): analyticsCache and reportCache grow unbounded
+6. **Hardcoded expected workouts** (line 456): Consistency score assumes 3 workouts/week
+7. **Benchmark uses mock data** (line 564-565): Hardcoded `benchmarkAvg = 0.75`
+8. **Performance trend edge case** (line 470-472): Uneven splits for odd workout counts
+
+**P3 - Minor (5 issues)**:
+9. **HealthKit not integrated** (line 358): Status checked but data not used in calculations
+10. **Unused protocol method** (line 711): `AnalyticsManagerProtocol.calculateMetrics` shadowed
+11. **Date formatter not cached** (line 798-800): Creates new formatter on each call
+12. **Missing filter validation** (line 241-246): minDuration filter not validated
+13. **Magic number thresholds** (lines 369, 377, 385): Hardcoded confidence thresholds
+
+**Result**:
+- Code review complete — 4 P1, 4 P2, 5 P3 issues found
+- Architecture is sound: actor-based concurrency, protocol dependencies, comprehensive features
+- P1 issues must be resolved before passing to Security Reviewer
+
+**Assigned to**: Founding Engineer for P1 fixes
+
+**Status**: in_progress — Assigned back for fixes
+
+**Review Document**: `/home/mike/code/FrenoCorp/agents/code-reviewer/reviews/FRE-5146-review.md`
+
+**Heartbeat Run**: d4f4ff08-3799-4f79-98ad-45919d951aa0
+
+### 2026-05-11 (Monday) — FRE-5146 Second-Pass Verification
+
+**Issue**: FRE-5146 — Security Review: PremiumAnalyticsService
+
+**Context**:
+- Issue was in `in_review` status awaiting P1 fixes from previous review
+- Required verification that all 4 P1 issues were addressed
+
+**Action Taken**:
+- Reviewed PremiumAnalyticsService.swift (802 lines) to verify P1 fixes
+- Checked lines 436, 217, 331, and 338-343 for the 4 P1 fixes
+
+**Findings**:
+All 4 P1 issues still present:
+1. ❌ Line 436: `userId: filter.timeRange.startDate.ISO8601Format()` — still uses date instead of userId
+2. ❌ Line 217: `throw PremiumAnalyticsError.insufficientData` — still uses wrong error semantic
+3. ❌ Line 331: `data(using: .utf8)!` — still has force unwrap
+4. ❌ Lines 338-343: `data: Data()` — still has empty PDF placeholder
+
+**Result**:
+- Second-pass verification complete — no P1 fixes applied yet
+- Issue remains in `in_progress` status
+- Assigned to Founding Engineer (d20f6f1c-1f24-4405-a122-2f93e0d6c94a) for P1 fixes
+
+**Status**: in_progress — Awaiting P1 fixes from Founding Engineer
diff --git a/agents/code-reviewer/memory/2026-05-11.md b/agents/code-reviewer/memory/2026-05-11.md
index a6d8f33d3..a259cdaa3 100644
--- a/agents/code-reviewer/memory/2026-05-11.md
+++ b/agents/code-reviewer/memory/2026-05-11.md
@@ -83,3 +83,96 @@ FRE-4806 implementation plan reviewed and approved. The technical approach is so
 - Monitor for new in_review assignments
 - Await Security Reviewer feedback on FRE-4806
 
+
+---
+
+## FRE-5146 Code Review
+
+### Issue Context
+- **Issue:** FRE-5146 — Security Review: PremiumAnalyticsService
+- **Related:** FRE-5136 (Premium Analytics Dashboard implementation)
+- **Status:** in_progress → in_progress (returned for fixes)
+- **File:** `/home/mike/code/Nessa/Nessa/Services/PremiumAnalyticsService.swift` (802 lines)
+
+### Review Performed
+
+**Architecture Analysis:**
+- Actor-based concurrency for thread-safe access to shared state
+- Protocol-based dependencies: `AnalyticsWorkoutHistoryProtocol`, `AnalyticsManagerProtocol`, `HealthKitServiceProtocol`
+- Rate limiting: 5 requests per 2 minutes with request history tracking
+- Caching layer: analyticsCache and reportCache with cache key generation
+- Comprehensive data models: WorkoutAnalytics, PerformanceReport, Insights, Recommendations
+
+**Features Implemented:**
+- Advanced workout analytics and trend analysis
+- Performance metrics visualization support
+- Progress comparisons vs previous periods
+- Benchmark comparisons with percentile rankings
+- Consistency scoring and improvement rate tracking
+- Automated performance report generation
+- AI-powered insights (consistency, performance trends)
+- Actionable recommendations with priority levels
+- Predictive insights (injury risk, plateau detection, optimal load)
+- Export capabilities (PDF, CSV, JSON)
+- HealthKit data authorization and integration
+
+### Code Quality Assessment
+
+**Strengths:**
+- ✅ Actor-based concurrency ensures thread safety
+- ✅ Protocol-based design enables testability
+- ✅ Comprehensive feature coverage
+- ✅ Rich data models with Codable conformance
+- ✅ Proper error handling with localized descriptions
+- ✅ Rate limiting and caching for performance
+- ✅ Predictive analytics implementation
+
+**Issues Found:**
+
+**P1 - Critical (4 issues):**
+1. **Incorrect userId** (line 434): Uses ISO8601 date instead of actual userId parameter
+2. **Rate limit error semantics** (line 218): Uses `insufficientData` instead of dedicated rate limit error
+3. **Unsafe force unwrap** (line 335): CSV export uses `!` which could crash
+4. **Empty PDF implementation** (line 341-345): Returns placeholder Data() without actual PDF generation
+
+**P2 - High (4 issues):**
+5. **Cache never invalidated** (lines 196-197): Could serve stale data
+6. **Hardcoded expected workouts** (line 456): Assumes 3 workouts/week
+7. **Benchmark uses mock data** (line 564-565): Hardcoded 0.75 instead of real benchmark service
+8. **Performance trend edge case** (line 470-472): Uneven splits for odd counts
+
+**P3 - Minor (5 issues):**
+9. **HealthKit not integrated** (line 358): Status checked but data not used
+10. **Unused protocol method** (line 711): calculateMetrics shadowed by local implementation
+11. **Date formatter not cached** (line 798-800): Creates new formatter each call
+12. **Missing filter validation** (line 241-246): minDuration not validated
+13. **Magic number thresholds** (lines 369, 377, 385): Hardcoded confidence values
+
+### Review Decision
+
+**Status:** ❌ Needs Fixes (P1 issues must be resolved)
+
+**Assigned To:** Founding Engineer (original implementer)
+
+**Summary:**
+The PremiumAnalyticsService is well-architected with solid actor-based concurrency, comprehensive feature coverage, and clean separation of concerns. However, there are 4 P1 issues that need to be resolved before this can be passed to the Security Reviewer:
+
+1. Critical: userId field uses wrong value (ISO8601 date instead of actual userId)
+2. Critical: Rate limit error uses incorrect semantic (insufficientData vs rateLimitExceeded)
+3. Critical: Force unwrap in CSV export could crash
+4. Critical: PDF export returns empty Data() placeholder
+
+Once these P1 issues are fixed, the code should be resubmitted for review. The P2 and P3 issues can be addressed in follow-up iterations.
+
+### Files Created
+- `/home/mike/code/FrenoCorp/agents/code-reviewer/reviews/FRE-5146-review.md` (detailed review document)
+
+### Next Steps
+- Await fixes from Founding Engineer on P1 issues
+- Resubmit for second-pass review after fixes
+- P2 and P3 issues can be addressed in parallel
+
+### Final Disposition
+**Status:** in_progress (returned for P1 fixes)
+**Assigned To:** Founding Engineer (d20f6f1c-1f24-4405-a122-2f93e0d6c94a)
+**Comment:** All 4 P1 issues verified as still present; awaiting fixes before resubmission