diff --git a/docs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md b/docs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md index 3f21ab0..20c806c 100644 --- a/docs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md +++ b/docs/PRODUCTION_READINESS_HANDOFF_ROADMAP.md 
@@ -222,7 +222,7 @@ Goal: the production-readiness checks run in automation, not only locally. - [x] **P8.2** Add CI web E2E job or documented gated workflow with Playwright browser install/cache. Commit: `d929247`; Verified: `zsh -lc 'source ~/.zshrc; export GITEA_NPM_TOKEN; pnpm --filter @notelett/web run typecheck'`; `zsh -lc 'source ~/.zshrc; export GITEA_NPM_TOKEN; pnpm --filter @notelett/web exec playwright test e2e/release-flows.spec.ts --reporter=list --workers=1'`; `git diff --check`; `rg -n "web-e2e|Cache Playwright browsers|Install Playwright Chromium|Web Playwright E2E|pnpm run dev" .github/workflows/ci.yml web/playwright.config.ts`. Added a dedicated `web-e2e` CI job gated after the web job, with common-platform workspace linking, Playwright browser cache, Chromium install with dependencies, `pnpm --filter @notelett/web run test:e2e -- --reporter=list`, and Playwright report/test-results artifact upload. Updated Playwright webServer to use `pnpm run dev`. - [x] **P8.3** Add CI Docker build job for backend and web images. Commit: `7fb44d0`; Verified: `bash -n scripts/docker-prep.sh`; `COMMON_PLAT=/definitely/missing bash scripts/docker-prep.sh --restore`; `git diff --check`; `rg -n "docker-build|Prepare Docker tarball dependencies|Build backend image|Build web image|Restore Docker prep changes|COMMON_PLAT" .github/workflows/ci.yml scripts/docker-prep.sh`; `docker --version` failed locally with `command not found`, so image build execution is delegated to the GitHub Ubuntu runner. Added a `docker-build` CI job gated after backend/web jobs to prepare common-platform tarball dependencies, build backend and web Docker images with BuildKit secrets, and restore docker-prep changes; made `scripts/docker-prep.sh` support the current `../learning_ai/learning_ai_common_plat` path, `COMMON_PLAT` override, restore without a common-platform checkout, and Linux-safe package rewrites. 
- [x] **P8.4** Add or document compose smoke: build, start backend/web, hit `/health`, `/api/bootstrap`, and a web smoke endpoint. Commit: `cae5941`; Verified: `bash -n scripts/compose-smoke.sh`; `git diff --check`; `rg -n "smoke:compose|compose-smoke|3000:3045|NEXT_PUBLIC_NOTES_API_URL|/api/bootstrap|NODE_ENV=development" package.json README.md docker-compose.yml scripts/compose-smoke.sh`; `docker --version` failed locally with `command not found`, so live compose execution is deferred to Docker-capable environments. Added `pnpm run smoke:compose`, an executable compose smoke script that runs docker-prep, builds backend/web images, starts compose in local memory mode, checks backend `/health`, backend `/api/bootstrap`, and web `/`, then restores docker-prep changes and tears down by default; fixed compose web port mapping to `3000:3045`, added web build args, and replaced the backend healthcheck with a Node fetch check. -- [ ] **P8.5** Add secret scan and hardcoded token/color checks, reusing common platform scripts where possible. Commit: +- [x] **P8.5** Add secret scan and hardcoded token/color checks, reusing common platform scripts where possible. Commit: `694a0be`; Verified: `bash -n scripts/release-guard-audit.sh`; `zsh -lc 'source ~/.zshrc; export GITEA_NPM_TOKEN; pnpm run audit:release-guards'`; `git diff --check`; `rg -n "release-guards|audit:release-guards|release-guard-audit|Hardcoded color|Hardcoded token|secret-scan-repo" .github/workflows/ci.yml package.json scripts/release-guard-audit.sh`. Added `pnpm run audit:release-guards` and a CI `release-guards` job that installs `ripgrep`, reuses common-platform `secret-scan-repo.sh` when available, falls back to the repo-local scanner otherwise, blocks hardcoded hex/rgb colors in web/mobile product code, and blocks hardcoded token-like values outside docs/node_modules. 
- [ ] **P8.6** Add dependency health workflow or scheduled check for `@bytelyst/*`, Next, React, Expo, Fastify, Vitest, and Playwright compatibility. Commit: - [ ] **P8.7** Add release notes template and production deploy checklist with environment variables, rollback, migrations, smoke tests, and monitoring links. Commit:
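Review bot: the added P8.5 entry says the token check "blocks hardcoded token-like values outside docs/node_modules", so a credential pasted into `docs/` (this roadmap's own Verified: command lines included) would pass that guard. Either state in the entry that the secret scan itself covers `docs/`, or narrow the exclusion to named files. The same line describes reusing common-platform `secret-scan-repo.sh` "when available" and falling back to the repo-local scanner otherwise, which lets CI and local runs apply different rule sets without anyone noticing. Have `scripts/release-guard-audit.sh` print which scanner ran, and record here which one the CI `release-guards` job is expected to use. The Verified: list also only shows the audit passing on the current tree. Add a negative check, where a constructed fake token or hex color in a scratch file makes `pnpm run audit:release-guards` exit non-zero, so the guard is known to fail closed.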