docs/operator/runbooks/cloud-targets.md

@@ -318,7 +318,7 @@ az monitor activity-log list \
 
 ## V3-Pro forward path
 
-Tracked at `cowork/WORKSPACE-ROADMAP.md` under "Adapter hardening":
+Tracked under "Adapter hardening" on the project roadmap:
 
 - **AWS CloudFront direct-attach** — UpdateDistribution after an ACM
   ImportCertificate so the CloudFront edge picks up the new cert

docs/operator/runbooks/disaster-recovery.md

@@ -238,7 +238,7 @@ remains trusted by relying parties until its `notAfter` (typical
    openssl x509 -in new-cert -noout -issuer
    ```
 
-**Future:** when the HSM/PKCS#11 driver bundle (`cowork/hsm-pkcs11-
+**Future:** when the HSM/PKCS#11 driver bundle (planned;
 driver-prompt.md`) ships, this rotation procedure changes
 substantially — the HSM-backed key never moves, only the cert wrap
 rotates. The signer interface seam is the load-bearing prerequisite

docs/operator/runbooks/expiry-alerts.md

@@ -217,7 +217,7 @@ dedup on the `notification_events` table guards against that).
 
 ## V3-Pro forward path
 
-Tracked at `cowork/WORKSPACE-ROADMAP.md` under "Adapter hardening":
+Tracked under "Adapter hardening" on the project roadmap:
 
 - Per-owner / per-team / per-tenant channel routing (the matrix is
   per-policy today, not per-owner).