Fix doc drift; document no-enforce-mode and universal publish

Corrections surfaced by doc-auditor + start9-spec-checker:
- testing.md: api suite 47 -> 54
- payments.md: FK enforcement confirmed at db/mod.rs:29
- startos-packaging.md: publish.sh now ships a universal s9pk
- licensing-tiers.md: record enforce-mode retirement and Creator caps
Refresh Current state for the StartOS submission-blocker work.

AGENTS.md

@@ -90,8 +90,10 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-licensi
 
 ## Open TODOs
 
-- Extend `publish.sh` to build + upload aarch64 (arm builds fine; only x86 ships
-  today), or narrow the manifest's arch claim. `riscv` target unverified.
+- Verify the universal multi-arch publish end-to-end: `publish.sh` now runs
+  `make universal` (one `keysat.s9pk`, both arches) instead of x86-only; the first
+  real publish must confirm the registry index lists both arches. `riscv` target
+  unverified (not in the manifest, so `make universal` excludes it).
 - StartOS Community Registry submission criteria — Start9 hasn't published the
   checklist; reach out directly when ready.
 - Registry icon doesn't render in the StartOS marketplace (see `guides/startos-packaging.md`).
@@ -105,15 +107,34 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-licensi
 
 - **Live**: server `immense-voyage.local` runs daemon `0.2.0:54` (migrations
   0020–0022). Registry `registry.keysat.xyz` publishes `:54`; four SDKs published;
-  `keysat.xyz` + `docs.keysat.xyz` deployed. **Prod is still `:54` — this
+  `keysat.xyz` + `docs.keysat.xyz` deployed. **Prod is still `:54` — the prior
   session's two P1 fixes are committed to source but NOT yet built/installed/
   published. Next release builds `:55`.**
+- **This session (UNCOMMITTED across 4 repos; docs + StartOS packaging, no daemon
+  logic changed)** — doc-auditor + start9-spec-checker + 2 reviewer passes, all
+  approved/no blockers; `tsc` + `bash -n` clean. By repo:
+  - *root* (Gitea): `testing.md` api 47→54; `payments.md` FK confirmed
+    (`db/mod.rs:29`); `startos-packaging.md` + this block updated for universal
+    publish; `licensing-tiers.md` gained the "no enforce mode / Creator caps" note.
+  - *keysat-docs* (Gitea): `integrate.html` phantom `GET /v1/licenses/{id}/status`
+    → real `POST /v1/validate` w/ `key`. **Needs `deploy-sites.sh docs` to go live.**
+  - *keysat daemon* (GitHub+gitea): new `instructions.md` (Start9-required);
+    manifest `packageRepo` + `docsUrls[1]` dead-link fixes; `v0.2.0.ts` stale-header
+    removed; `activateLicense.ts`/`showCredentials.ts` enforce-mode drift cleaned
+    (enforce retired — `self_license.rs:15`).
+  - *go SDK* (Gitea): README v0.1→v0.2.
+  - *operator-local* `~/.keysat/publish.sh` (gitignored, NOT committed): x86-only →
+    `make universal` (one `keysat.s9pk`, both arches). **Pending a verification build.**
+  All 4 StartOS submission blockers now addressed. Left for operator decision:
+  `integrate.html` BTCPay-only prereq/refund copy (no Zaprite mention). Commit =
+  4 per-repo commits (root, keysat-docs, go SDK are Gitea-only; daemon is
+  GitHub+gitea — also `git push gitea main`).
 - **`:52`/`:53` = multi-provider/merchant-profile model**: data model + backend
   resolution shipped and audited sound; resolution/CRUD query surface has tests.
   Both `:54` P0s (provider-injection test seam; Zaprite webhook-forgery re-confirm)
   remain fixed; live purchase + settle paths sound.
 
-- **Done this session (source only, awaiting `:55`)** — the two open P1s:
+- **Unshipped source work (awaiting `:55`)** — two P1s from the prior session:
   1. **Settle-amount tripwire.** `get_invoice_status` now returns
      `ProviderInvoiceSnapshot { status, amount }`; `audit_settle_amount` (shared by
      webhook + reconcile issue paths) WARNs + writes an `invoice.amount_mismatch`
@@ -150,19 +171,21 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-licensi
   errors return plain-text not JSON (breaks SDK `JSON.parse`); product `slug` has
   no validation (empty/300-char/meta chars stored); `GET /v1/admin/products`
   returns 405 though OpenAPI documents it; dep advisories (`sqlx`→≥0.8.1
-  RUSTSEC-2024-0363, `rustls-webpki`→≥0.103.12); **4 StartOS submission blockers** —
-  missing `instructions.md`, dead `packageRepo` (`…/keysat-startos`→`…/keysat`) +
-  `docsUrls` (`/docs/`→`/licensing-service/docs/`) manifest links, aarch64
-  declared-but-not-shipped; no CI + fmt/clippy/prettier unenforced.
+  RUSTSEC-2024-0363, `rustls-webpki`→≥0.103.12); **4 StartOS submission blockers**
+  (spec-checker-verified) all addressed and staged, pre-build — manifest
+  `packageRepo` (`…/keysat-startos`→`…/keysat`) and `docsUrls[1]`
+  (`docs/INTEGRATION.md`→`KEYSAT_INTEGRATION.md`, the real repo-root file) fixed;
+  `instructions.md` written (reviewer + doc-auditor signed off); aarch64 now shipped
+  via `publish.sh` `make universal` (one s9pk, both arches — pending a verification
+  build); no CI + fmt/clippy/prettier unenforced.
 
 - **Deferred (P3+ — bulk or later decision)**: `/v1/purchase` 400 vs
   `/v1/btcpay/webhook` 503 for the same no-provider cause; undocumented required
   `kind` on discount-codes; field-naming drift (`license_id`/`id`, machines `key`
   vs `license_key`, `redeem`/`purchase` `product` vs `validate` `product_slug`);
   migration self-heal `_sqlx_migrations` allowlist foot-gun; 2 KB unauth Zaprite
-  payload WARN-log; outbound-webhook SSRF (operator-only); stale
-  `versions/v0.2.0.ts:3-4` "NOT YET WIRED" comment; re-register the master Zaprite
-  webhook at the path-keyed URL; registry icon non-render (known platform limit);
+  payload WARN-log; outbound-webhook SSRF (operator-only); re-register the master
+  Zaprite webhook at the path-keyed URL; registry icon non-render (known platform limit);
   optional fmt/prettier standalone commit.
 
 - **Tests/build**: `cargo check` clean (1 intentional deprecation warning); full