diff --git a/AGENTS.md b/AGENTS.md
index cd69d60..095b809 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -92,10 +92,12 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-keysat/
 
 ## Open TODOs
 
-- `riscv` build target is unverified and not declared in the manifest (so
-  `make universal` excludes it); revisit only if a riscv StartOS target appears.
-- StartOS Community Registry submission criteria — Start9 hasn't published the
-  checklist; reach out directly when ready.
+- `riscv` build target is unverified and not declared in the manifest; the wrapper `Makefile`
+  now pins `ARCHES` to `x86 arm` so no target (even a bare `make`) attempts it. Revisit only if
+  a riscv StartOS target appears.
+- StartOS Community Registry submission is **BLOCKED** (needs a `prepare.sh`; plus icon-render
+  and source-available-license questions to confirm with Start9) — detail in ROADMAP. Criteria
+  themselves still unpublished; reach out when ready.
 - Registry icon doesn't render in the StartOS marketplace (see `guides/startos-packaging.md`).
 - Split `audit:read` out of the blanket `:read` scope into its own tier so a
   Read-only scoped key can read dashboards/licenses but NOT the full audit log
@@ -111,31 +113,25 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-keysat/
 
 ## Current state (2026-06-17)
 
-- **Live / canonical: `0.2.0:58`** — registry + `files.keysat.xyz/keysat.s9pk`, GitHub `v0.2.0-58`,
-  universal (x86_64 + aarch64); live box `immense-voyage.local` confirmed on `:58`. Migrations
-  through 0025; four SDKs published. Both public sites deployed (keysat.xyz, docs.keysat.xyz).
+- **Live / canonical: `0.2.0:58`** — universal s9pk at `files.keysat.xyz/keysat.s9pk` + GitHub `v0.2.0-58`;
+  live box `immense-voyage.local` on `:58`. Migrations through 0025; four SDKs published; two public sites
+  (keysat.xyz, docs.keysat.xyz) live. `keysat-registry-landing` deleted this session — local + all refs gone;
+  the GitHub + Gitea remote repos still need operator deletion (gh needs `delete_repo` scope).
 
-- **agent-payment-connect (slices 1–5) shipped in `:58`.** A `payment_providers:write` scoped key
-  connects BTCPay over the API, but only on a sandbox daemon for a non-mainnet store (fail-closed);
-  master/mainnet/production + disconnect stay master-only. Detail: `docs/guides/payments.md`.
+- **This session — documentation audit + fix sweep across every public repo and both sites** (all committed +
+  pushed to GitHub + gitea; sites redeployed and verified live): daemon docs → 0.2.0 (admin-UI replaces the
+  removed StartOS actions, Zaprite shipped, roles, runtime image, validate reasons); SDK READMEs fixed (the
+  Rust crate name/version was a copy-paste blocker) and expanded (TS/Python tiers, seats, free-license);
+  landing SDK snippets + tier-card fallback prices; docs change-tier example + install-step resequence;
+  Makefile pins `ARCHES=x86 arm`. No daemon source touched.
 
-- **Onboarding doc-harness — all `completed-clean`.** Stage 1 (SDK integration), Stage 2 (regtest
-  buyer-pays), and the **combined operator-order journey** (gate a paid product → buyer pays →
-  purchased license unlocks the gate) all pass docs-only under a scoped key. Rig:
-  `onboarding-harness/` (`stage2/run-stage2.sh` four-step brief; `probe.sh` mints `.live-env`);
-  walkthroughs in `stage2/STAGE2-RESULT.md`. Live docs now cover the case: `agent.html#connect-btcpay`
-  buyer-pays money path; landing got an "Example prompt" card + a two-path Install section
-  (Start9 one-click / sideload `keysat.s9pk`, vs. run-from-source on any Linux box — both
-  self-hosting, free at Creator tier, license to expand).
+- **Start9 Community Registry: BLOCKED** — functional criteria pass; needs `prepare.sh` + icon-render +
+  source-available-license sign-off from Start9 (ROADMAP). (Note: `registry.keysat.xyz` works as a marketplace
+  on a Start9 box; a plain browser/curl GET 404s **by design** — no HTML page is served there. Not an outage.)
 
-- **Next (priority order):**
-  1. Operator data action (needs master key): grant `unlimited_merchant_profiles` to Pro/Patron on
-     the live master (confirmed-absent; steps in Open TODOs).
-  2. 3 multi-profile UIs + split `audit:read` (ROADMAP / Open TODOs).
+- **Next (priority):** 1) Operator data action (master key): grant `unlimited_merchant_profiles` to Pro/Patron
+  on live master (steps in Open TODOs). 2) Delete registry-landing GitHub + Gitea remotes. 3) 3 multi-profile
+  UIs + split `audit:read`.
 
-- **Debt (P2/P3, see ROADMAP):** rate-limit purchase/redeem; `422`/`415` JSON; `slug` validation;
-  `set_product_entitlements_catalog` `rows_affected` guard; dep advisories (`sqlx`≥0.8.1,
-  `rustls-webpki`≥0.103.12); no CI / fmt-clippy unenforced; webhook SSRF; design-contract conformance.
-
-- **Tests/build:** full suite green (lib 18, api 65, subscriptions 7, upgrades 9, worker 3,
-  crosscheck 4, migrations 9 through 0025); `cargo check` + `npm run check` clean.
+- **Tests/build:** docs-only session, no code touched; last full suite green (lib/api/subscriptions/upgrades/
+  worker/crosscheck/migrations through 0025), `cargo check` + `npm run check` clean. Debt (P2/P3) in ROADMAP.
diff --git a/ROADMAP.md b/ROADMAP.md
index 781e5bc..e6e1319 100644
--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -31,7 +31,12 @@ Longer-term backlog. Near-term state lives in `AGENTS.md` → Current state.
 
 ## Packaging & distribution
 
-- Start9 Community Registry submission — criteria are unpublished; contact Start9 directly when ready.
+- Start9 Community Registry submission — a 2026-06-17 spec check found the wrapper passes the functional
+  criteria (manifest, interfaces, health check, backup/restore, BTCPay dep, actions) but submission is BLOCKED
+  on three items: (1) no `prepare.sh` to set up a clean Debian box for the first build (copy the one from
+  `hello-world-startos`); (2) the registry icon not rendering in the marketplace (may be operator-hosted-only —
+  confirm with Start9); (3) `LicenseRef-Keysat-1.0` is source-available but more restrictive than OSI — confirm
+  Start9 accepts it. Email Start9 on (2)+(3) before investing in (1). Submission criteria remain unpublished.
 
 ## Licensing model
 
@@ -58,10 +63,9 @@ The brand contract now lives in `design/DESIGN.md` + `design/tokens.tokens.json`
   badges-only) — `keysat-xyz-landing/index.html:384-385`. Set to 8px.
 
 **Structural (headline):**
-- All four surfaces inline their own copy of the CSS variables instead of importing the
-  canonical `design/brand/palette.css` (landing :33-56, registry :11-22, docs.css :7-21,
-  admin :9-25). Copies are currently exact but one edit from drift. Consolidate onto
-  `palette.css`.
+- All three surfaces inline their own copy of the CSS variables instead of importing the
+  canonical `design/brand/palette.css` (landing :33-56, docs.css :7-21, admin :9-25). Copies
+  are currently exact but one edit from drift. Consolidate onto `palette.css`.
 
 **Token gaps / drift (decide: tokenize the as-built value, or snap to an existing token):**
 - `14px` card radius used throughout the marketing landing — not a token (between `r-lg` 12