Update roadmap status with strict secretapi hardening and split-repo blocker

docs/roadmap-status.md

@@ -54,12 +54,16 @@ Implemented now:
 25. Owner-gated admin/support model documented in API contracts, terms, and conformance vectors.
 26. Local backend implementation (`web/backend/secretapi`) now serves membership endpoints, governance install/lease endpoints, sponsor-aware payer flow, and deterministic integration tests.
 27. Local backend member app channel endpoints now serve deterministic register/unregister, poll, idempotent ack, and owner-only support ticket flows with sqlite-backed event/audit state.
+28. Membership confirm now supports strict fail-closed mode (`SECRET_API_REQUIRE_ONCHAIN_TX_VERIFICATION`) that requires chain receipt verification when enabled.
+29. `secretapi` now validates critical config at startup and fails fast on invalid deploy combinations.
+30. `secretapi` now ships an explicit `.env.example` deployment template aligned to current endpoint/runtime requirements.
 
 Remaining in this repo:
 
 1. Wire live store checkout flow to production marketplace APIs when available.
 2. Replace deployment templates with real contract addresses after chain deployment.
 3. Add launcher/governance install UI that consumes governance installer APIs.
+4. Publish `launcher`, `governance`, and `contracts` split repos to Gitea once PAT/credential-helper auth is available in this environment.
 
 Cross-repo dependencies (kernel/backend/contracts):