diff --git a/docs/FEATURE_ROADMAP.md b/docs/FEATURE_ROADMAP.md index 938f282..ae8e4d8 100644 --- a/docs/FEATURE_ROADMAP.md +++ b/docs/FEATURE_ROADMAP.md 
@@ -8,12 +8,19 @@ GuruConnect is a standalone remote-support product (ScreenConnect/Splashtop-clas stack. It ships independently of GuruRMM and integrates with it via a versioned contract (see `specs/native-remote-control/` and ADR-001). -> **Active direction (2026-05-30): v2 reset.** Per [SPEC-002](specs/SPEC-002-v2-modernization-architecture.md), -> GuruConnect is being rebuilt above the salvaged Windows-internals cores. The feature specs below -> (SPEC-003–009) are **work-items inside the v2 phases**, not independent v1 backlog — see the mapping. -> **Sprint 0 (do first):** surgical v1 hotfix closing the 3 relay-auth CRITICALs (delete the -> JWT-as-agent-key branch; enforce blacklist + session-claim checks on the viewer WS) — the bypasses -> are live and the full v2 rebuild is multi-month. +> **Active direction: v2 reset — Phase 1 already landed (2026-05-30).** Per +> [SPEC-002](specs/SPEC-002-v2-modernization-architecture.md), GuruConnect is being rebuilt above the +> salvaged Windows-internals cores. **v2 Phase 1 (secure session core) is implemented in-place and +> deployed** — secure-session-core **Tasks 1–7 are committed** ([plan](specs/v2-secure-session-core/plan.md)), +> and the **3 audit CRITICALs are closed and live in production** (session-scoped viewer tokens + session-claim +> match, blacklist-on-WS, agent-plane rejects user JWTs via per-agent `cak_` keys). The feature specs below +> (SPEC-003–009) are **work-items inside the later v2 phases** — see the mapping. +> +> **Remaining to formally exit Phase 1:** secure-session-core **Task 8** (end-to-end verification + +> `/gc-audit --pass=security` re-audit + the manual CRITICAL checks) and Code-Review sign-off on Tasks 3–5 +> (implemented without a local toolchain at the time; since built + deployed). Live HW-H.264 validation is +> also pending — raw+Zstd remains the shipping default. 
~~Sprint 0 (relay-auth CRITICAL hotfix)~~ **not +> needed — those fixes shipped in Tasks 2–3.** ### v2 phase mapping of current specs @@ -25,8 +32,10 @@ stack. It ships independently of GuruRMM and integrates with it via a versioned | **SPEC-005** (list view) · **SPEC-006** (search) · **SPEC-007** (installer) | **Phase 2 — dashboard** | built on the v2 dashboard + Phase-1 keys | | **SPEC-009** (documented API + tokens) | **Phase 3 — integration contract** | alongside `/api/integration/v1/` | -> Schema note: SPEC-002 Phase 0's "fresh v2 schema" should already carry SPEC-003's inventory columns, -> SPEC-004's `machine_uid`, and `connect_agent_keys` — born into v2, not retrofitted as later migrations. +> Schema note: the v2 tenancy-ready schema + `connect_agent_keys` already exist (Task 1 / migration +> `004_v2_secure_session_core.sql`). SPEC-004's per-agent-key identity binding is largely covered by +> Tasks 1–3; what remains of SPEC-004 (deterministic `machine_uid`, TTL session reaping, operator bulk +> removal) and SPEC-003's inventory columns are the additive Phase-2 migrations to fold onto that base. ---
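Review bot: In the first hunk (the "Active direction" blockquote), "the **3 audit CRITICALs are closed and live in production**" is stated just above the paragraph that lists Task 8 (end-to-end verification, the `/gc-audit --pass=security` re-audit and the manual CRITICAL checks) and Code-Review sign-off on Tasks 3–5 as still outstanding. The same block says the fixes "shipped in Tasks 2–3", so by the document's own account at least Task 3's part of the auth fix is in production without review sign-off or a re-audit. I would word the status as "fixes deployed, verification pending" until Task 8 passes, and soften "not needed" on the struck-through Sprint 0 item to match. Separately, the date moved from "Active direction (2026-05-30)" to "Phase 1 already landed (2026-05-30)"; please say whether that is the date the direction was set or the date of the deployment.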
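Review bot: In the second hunk's schema note, "largely covered by Tasks 1–3" does not tell a reader which parts of SPEC-004's per-agent-key identity binding are enforced today and which are not. The removed text wanted `machine_uid` "born into v2, not retrofitted as later migrations", and the new text makes deterministic `machine_uid` exactly such a later migration without giving a reason. Suggest stating what an agent's identity is bound to after migration `004_v2_secure_session_core.sql` and adding one sentence on why `machine_uid` was deferred. The remaining-work list also files TTL session reaping and operator bulk removal under "additive Phase-2 migrations", although they read as behaviour rather than schema; splitting schema changes from code changes would make the note easier to act on.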