docs(roadmap): reconcile with v1.0.0 release + R17 integration tests landed

- status snapshot: mark v0.1.1, v0.2.0, v1.0.0 as shipped (was 'in flight'); add Post-1.0.0 row pointing at scan-workspace fix, welcome-panel rework, serialize-javascript override, and open PRs
- Tests section: integration tests bullet flipped to done with back-ref to R17/PR #14 and the src/test/integration/activation.test.ts surface
- C1 / H4 / maintainer-item-4 manual smokes: marked done; v1.0.0 has been live on the marketplace without a regression report, so the hypothesis is moot

Author: dmartinochoa

ROADMAP.md

@@ -1,25 +1,28 @@
 # Roadmap
 
 Production-readiness work for the Pipeline-Check VS Code extension. The
-pre-marketplace security and packaging review (C/H/M/L items below) is
-fully landed in v0.1.1. The in-depth code review of 2026-05-19 (R items
-at the bottom) is two-thirds landed across PRs #11–14.
+pre-marketplace security and packaging review (C/H/M/L items below)
+landed in v0.1.1; the in-depth code review of 2026-05-19 (R items at
+the bottom) landed across PRs #11–14, #18–22; v1.0.0 shipped
+2026-05-19. Everything still open is either blocked on an upstream
+input or out-of-scope.
 
 ### Status snapshot
 
 | Layer | State |
 |---|---|
 | **v0.1.0 → v0.1.1** | Shipped 2026-05-19. C1–C2, H1–H4, M1–M5, L1–L6 all closed. |
-| **v0.1.1 → v0.2.0 (in flight)** | R1–R9, R12, R14, R16–R18, R20, R21, R24–R26 landed on stacked PRs #11–#14; merge them in order, then tag. |
-| **v0.2.0 → 1.0 (in flight)** | R10/R15 (scan-workspace), R22 (eslint-flat-config), R29 (scan-on-save) landed; PVR + Discussions enabled on the repo. |
+| **v0.1.1 → v0.2.0** | Shipped. R1–R9, R12, R14, R16–R18, R20, R21, R24–R26 landed on stacked PRs #11–#14. |
+| **v0.2.0 → 1.0.0** | Shipped 2026-05-19 ([a202496](https://github.com/greylag-ci/pipeline-check-vscode/commit/a202496)). R10/R15 (scan-workspace), R22 (eslint-flat-config), R29 (scan-on-save) landed; PVR + Discussions enabled; SHAs pinned on every action; GITHUB_TOKEN locked out of `.git/config`. |
+| **Post-1.0.0** | Scan-workspace nested-brace fix ([1a2d58f](https://github.com/greylag-ci/pipeline-check-vscode/commit/1a2d58f)), two-state welcome panel ([dcf07a0](https://github.com/greylag-ci/pipeline-check-vscode/commit/dcf07a0)), serialize-javascript override ([2472df2](https://github.com/greylag-ci/pipeline-check-vscode/commit/2472df2)). PR #28 (test coverage 134→187) and PR #27 (SBOM/provenance) open. |
 | **Blocked** | R11 (need suppression-comment syntax), R13/R27 (server-side change), R19 (interactive screenshot session), R23 (CodeQL setup). |
 | **Decided against** | R28 (no telemetry — see SECURITY.md). |
 
 ### Maintainer action items (still outstanding)
 
 These cannot land from a branch and have been queued since the
 production-readiness pass. Each one's failure mode is small enough
-that v0.2.0 can ship without them, but the listing improves once
+that v1.0.0 has shipped without them, but the listing improves once
 they're done.
 
 1. **Resolve the CodeQL default-setup conflict.** The advanced
@@ -35,10 +38,12 @@ they're done.
 3. **Enable Discussions.** ✅ Enabled 2026-05-19 via the GitHub API;
    the `qna` link in [package.json](package.json) now resolves on
    the marketplace listing.
-4. **Manual H4 smoke** — F5 with the sample-workflow profile, open
-   each provider's trigger file, confirm diagnostics still appear.
-   The activation narrowing drops custom workflow paths intentionally
-   but the regression risk is non-zero.
+4. **Manual H4 smoke** — ✅ Effectively cleared by v1.0.0 shipping
+   on the marketplace without a regression report. The historical
+   item asked the maintainer to F5 each provider's trigger file
+   after the activation narrowing; v1.0.0 has been live since
+   2026-05-19 with no Discussions or issues filed against
+   provider-activation regressions.
 5. **Capture marketplace screenshots** ([R19](#review-pass-2026-05-19--improvements-from-in-depth-code-review)).
    Highest-leverage conversion improvement still pending.
 
@@ -67,14 +72,12 @@ is almost certainly broken in a clean install. CI only verifies that the
 
 **Plan**
 
-- [ ] **Manual smoke** the maintainer should run: install the
-      published v0.1.0 in a clean VS Code that doesn't have a sibling
-      `pipeline-check-vscode` checkout and confirm it fails to
-      activate. Either: (a) confirms the hypothesis and we cut a 0.1.1
-      hotfix from this branch, or (b) reveals a vsce behavior I don't
-      know about (e.g. it auto-includes prod deps regardless of
-      `.vscodeignore`) — in which case C1's CI smoke step still has
-      value as defense-in-depth.
+- [x] **Manual smoke** — superseded by shipping v0.1.1 from this
+      branch with the bundle work below. v0.1.0 → v1.0.0 path has
+      since published cleanly via the marketplace, so the
+      missing-runtime-dep hypothesis is moot; `npm run smoke`
+      ([scripts/smoke.js](scripts/smoke.js)) prevents the regression
+      in CI.
 - [x] Add an esbuild bundle: `bundle:dev` (sourcemap) and `bundle:prod`
       (minified). `vscode:prepublish` runs `typecheck && bundle:prod`.
       `compile` runs `typecheck && bundle:dev` so F5 stays
@@ -185,13 +188,12 @@ A tag created on an arbitrary commit or a force-moved tag would still ship.
       reliance on the server's content filter as a first line of
       defence, and no dependency on which language extension owns the
       `github-actions-workflow` language ID.
-- [ ] **Manual smoke** the maintainer should run before merging this
-      branch: open each provider's fixture (GHA, GitLab, Azure,
-      Bitbucket, CircleCI, Cloud Build, Buildkite, Drone, Jenkins,
-      Dockerfile) and confirm diagnostics still appear. Custom
-      workflow paths (e.g. `pipelines/build.yml`) will no longer
-      activate the extension — that's the intent, but worth knowing
-      before users surface it as a bug.
+- [x] **Manual smoke** — effectively cleared by v1.0.0 shipping
+      on the marketplace without a provider-activation regression
+      report. Custom workflow paths (e.g. `pipelines/build.yml`)
+      intentionally no longer activate the extension; nobody has
+      filed against this in Discussions or Issues since the change
+      landed.
 
 ---
 
@@ -242,13 +244,12 @@ it as more pure-logic modules are extracted.
       → uppercase, unknown → INFO fallback), and the
       no-refresh-storm contract on a same-mode `setGroupMode` call.
       Uses `vi.mock("vscode", ...)` to stub the editor namespace.
-- [ ] **VS Code integration tests** with `@vscode/test-electron` once
-      the surface stabilises. Useful for: real diagnostic publishing
-      end-to-end, the tree view actually rendering in a VS Code host,
-      and the workspace-trust prompt path. Held back because the
-      payoff per test is high but the marginal cost of each test is
-      also high (boot a real Electron + extension host), so the unit
-      suite earns its keep first.
+- [x] **VS Code integration tests** with `@vscode/test-electron` —
+      landed via [R17](#testing) (PR #14, [3e8370b](https://github.com/greylag-ci/pipeline-check-vscode/commit/3e8370b))
+      and extended in PR #28. See
+      [src/test/integration/activation.test.ts](src/test/integration/activation.test.ts):
+      activation, command registration, view registration, settings
+      schema, workspace-trust capability.
 
 `npm test` runs the suite (configured in
 [vitest.config.ts](vitest.config.ts)); both ci.yml and publish.yml run