docs(roadmap): record release checklist

docs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md

@@ -224,7 +224,7 @@ Goal: the production-readiness checks run in automation, not only locally.
 - [x] **P8.4** Add or document compose smoke: build, start backend/web, hit `/health`, `/api/bootstrap`, and a web smoke endpoint. Commit: `cae5941`; Verified: `bash -n scripts/compose-smoke.sh`; `git diff --check`; `rg -n "smoke:compose|compose-smoke|3000:3045|NEXT_PUBLIC_NOTES_API_URL|/api/bootstrap|NODE_ENV=development" package.json README.md docker-compose.yml scripts/compose-smoke.sh`; `docker --version` failed locally with `command not found`, so live compose execution is deferred to Docker-capable environments. Added `pnpm run smoke:compose`, an executable compose smoke script that runs docker-prep, builds backend/web images, starts compose in local memory mode, checks backend `/health`, backend `/api/bootstrap`, and web `/`, then restores docker-prep changes and tears down by default; fixed compose web port mapping to `3000:3045`, added web build args, and replaced the backend healthcheck with a Node fetch check.
 - [x] **P8.5** Add secret scan and hardcoded token/color checks, reusing common platform scripts where possible. Commit: `694a0be`; Verified: `bash -n scripts/release-guard-audit.sh`; `zsh -lc 'source ~/.zshrc; export GITEA_NPM_TOKEN; pnpm run audit:release-guards'`; `git diff --check`; `rg -n "release-guards|audit:release-guards|release-guard-audit|Hardcoded color|Hardcoded token|secret-scan-repo" .github/workflows/ci.yml package.json scripts/release-guard-audit.sh`. Added `pnpm run audit:release-guards` and a CI `release-guards` job that installs `ripgrep`, reuses common-platform `secret-scan-repo.sh` when available, falls back to the repo-local scanner otherwise, blocks hardcoded hex/rgb colors in web/mobile product code, and blocks hardcoded token-like values outside docs/node_modules.
 - [x] **P8.6** Add dependency health workflow or scheduled check for `@bytelyst/*`, Next, React, Expo, Fastify, Vitest, and Playwright compatibility. Commit: `389a4c8`; Verified: `bash -n scripts/dependency-health.sh`; `rg -n "dependency-health|dependency:health|Dependency health|pnpm outdated|pnpm run typecheck" .github/workflows/dependency-health.yml package.json scripts/dependency-health.sh`; `zsh -lc 'source ~/.zshrc; export GITEA_NPM_TOKEN; pnpm run dependency:health'`; `git diff --check`. Added `pnpm run dependency:health` and a weekly/manual `Dependency Health — NoteLett` workflow that checks out common platform, links the expected workspace path, builds `@bytelyst/*`, installs with the frozen lockfile, runs a cross-surface typecheck compatibility sweep, prints key versions for `@bytelyst/*`, Next, React, Expo, Fastify, Vitest, and Playwright, emits `pnpm outdated -r --long` as a non-blocking report, and uploads the report artifact.
-- [ ] **P8.7** Add release notes template and production deploy checklist with environment variables, rollback, migrations, smoke tests, and monitoring links. Commit:
+- [x] **P8.7** Add release notes template and production deploy checklist with environment variables, rollback, migrations, smoke tests, and monitoring links. Commit: `6068284`; Verified: `git diff --check`; `rg -n "Release Notes Template|Required Environment Variables|Rollback Checklist|Migration And Seed|Monitoring Links|RELEASE_CHECKLIST" docs/RELEASE_CHECKLIST.md README.md`. Added `docs/RELEASE_CHECKLIST.md` with a release notes template, backend/web/mobile production environment variables, pre-deploy checklist, migration and seed checklist, deploy steps, rollback checklist, smoke-test references, monitoring-link placeholders, and release-record expectations; linked it from README.
 
 Acceptance criteria:
 - CI blocks obvious type, test, lint, E2E, Docker, secret, and design-token regressions.