docs(e2ee): update roadmap — Sprint 4.1/4.2 native SDKs complete

- Swift BLFieldEncrypt: 22 XCTest tests, CryptoKit AES-256-GCM
- Kotlin BLFieldEncrypt: 21/21 JUnit5 tests, javax.crypto AES-256-GCM
- Both wire-compatible with @bytelyst/field-encrypt EncryptedField JSON

docs/devops/END_TO_END_ENCRYPTION_ROADMAP.md

@@ -1,7 +1,7 @@
 # ByteLyst — End-to-End Encryption Implementation Roadmap
 
 > **Purpose:** Phased implementation plan for encryption across the ByteLyst ecosystem.  
-> **Status:** Phase 1 + Phase 2 (Sprint 3) COMPLETE — 6 product backends encrypted  
+> **Status:** Phase 1 + Sprint 3 + Sprint 4.1/4.2 COMPLETE — 6 backends + native SDKs  
 > **Author:** AI Architecture Review  
 > **Last updated:** 2026-07-12  
 > **Design doc:** [`END_TO_END_ENCRYPTION_DESIGN.md`](END_TO_END_ENCRYPTION_DESIGN.md)
@@ -280,48 +280,23 @@ Week 1-2     Week 3-4     Week 5-6     Week 7-8     Week 9-10    Week 11-14
 
 #### 4.1 Swift Platform SDK — `BLFieldEncrypt`
 
-- [ ] **4.1.1** Create `Sources/BLFieldEncrypt.swift` in `packages/swift-platform-sdk/`
+- [x] **4.1.1** Create `Sources/BLFieldEncrypt.swift` in `packages/swift-platform-sdk/`
-
+  - `BLEncryptedField` Codable struct + `BLFieldEncrypt` enum (CryptoKit AES-256-GCM)
-  ```swift
+  - encrypt/decrypt, AAD support, generateKey, keyFromHex, isEncrypted
-  import CryptoKit
+  - Data hex helpers (hexString, init?(hexString:))
-
-  public struct BLFieldEncrypt {
-      /// Encrypt a string field with AES-256-GCM
-      public static func encrypt(_ plaintext: String, key: SymmetricKey) -> EncryptedField
-      /// Decrypt an encrypted field
-      public static func decrypt(_ field: EncryptedField, key: SymmetricKey) -> String?
-      /// Check if a JSON value is an encrypted field
-      public static func isEncrypted(_ value: Any) -> Bool
-  }
-
-  public struct EncryptedField: Codable {
-      public let __encrypted: Bool  // always true
-      public let v: Int             // version
-      public let alg: String        // "aes-256-gcm"
-      public let ct: String         // ciphertext (base64)
-      public let iv: String         // IV (hex)
-      public let tag: String        // auth tag (hex)
-      public let dekId: String      // DEK identifier
-  }
-  ```
-
 - [ ] **4.1.2** Key derivation from Keychain-stored secret
-- [ ] **4.1.3** Unit tests (XCTest)
+- [x] **4.1.3** Unit tests (XCTest) — 22 tests in BLFieldEncryptTests.swift
 
 **Commit:** `feat(swift-sdk): add BLFieldEncrypt for client-side AES-256-GCM encryption`
 
 #### 4.2 Kotlin Platform SDK — `BLFieldEncrypt`
 
-- [ ] **4.2.1** Create `src/main/.../BLFieldEncrypt.kt` in `packages/kotlin-platform-sdk/`
+- [x] **4.2.1** Create `src/main/.../BLFieldEncrypt.kt` in `packages/kotlin-platform-sdk/`
-  ```kotlin
+  - `BLEncryptedField` data class + `BLFieldEncrypt` object (javax.crypto AES-256-GCM)
-  object BLFieldEncrypt {
+  - encrypt/decrypt, AAD support, generateKey, keyFromHex, isEncrypted
-      fun encrypt(plaintext: String, key: SecretKeySpec): EncryptedField
+  - ByteArray/String hex extension functions
-      fun decrypt(field: EncryptedField, key: SecretKeySpec): String?
-      fun isEncrypted(value: Any?): Boolean
-  }
-  ```
 - [ ] **4.2.2** Key derivation from BLSecureStore
-- [ ] **4.2.3** Unit tests (JUnit5)
+- [x] **4.2.3** Unit tests (JUnit5) — 21/21 passing in BLFieldEncryptTest.kt
 
 **Commit:** `feat(kotlin-sdk): add BLFieldEncrypt for client-side AES-256-GCM encryption`