docs: record edut.dev infra cutover execution status

docs/deployment/edut-dev-infra-cutover-checklist.md

@@ -326,3 +326,25 @@ Only after all previous gates pass:
 1. Execute naming/commercial migration sweep.
 2. Enforce drift checks in CI.
 3. Cut release and decommission old host after soak.
+
+## Execution Status (2026-02-19)
+
+Completed on `edut-prod` (`5.78.148.229`):
+
+1. Server hardening baseline (UFW, fail2ban, unattended upgrades, root SSH disabled, dedicated users).
+2. Docker + Gitea stack active at `git.edut.dev`.
+3. `edut` org and repos created: `web`, `launcher`, `contracts`, `governance`, `kernel`, `platform-docs`.
+4. Full repo history migrated and local remotes switched to `git.edut.dev`.
+5. Mirror artifact refs (`refs/remotes/origin/*`) removed from migrated repos.
+6. Host routing policy enforced:
+   - `git.edut.dev`: active Gitea
+   - `api.edut.dev`: active `secretapi`
+   - `edut.dev`, `www.edut.dev`: placeholder response only
+7. `api.edut.dev/healthz` verified over HTTP and HTTPS.
+8. Hardcoded `git.workvsg.com` references removed from active scripts/manifests/docs (migration checklist references intentionally retained as historical context).
+
+Remaining explicit follow-through:
+
+1. Old host read-only freeze/decommission timing.
+2. Optional branch protection/runners/secrets policy hardening in Gitea.
+3. Then begin the semantic sweep on migrated repos.