docs: post-v0.7.1 surface sync (README + site + ROADMAP)

Three stale surfaces refreshed after the v0.7.1 cut + arm64 release:

README.md — Status section was 'v0.6.0 cut 2026-05-23'; updated to
v0.7.1 with the new prebuilt-binary inventory (4 artifacts: x86_64 +
arm64, each dynamic + static-musl) and the CI hardening additions
(ASan/UBSan + clang-tidy).

docs/index.html — hero eyebrow chip and footer meta both showed v0.6.0;
both bumped to v0.7.1.

ROADMAP.md — entire v0.7.x phase added as 'Phase 9 — Empirical
verification + operator briefing (DONE 2026-05-23, v0.7.1)'. Captures
everything since Phase 7+/8 (which were the v0.5–v0.6 era): the VM
verifier, mainline kernel fetch, 22 of 26 CVEs verified, --explain
mode, OPSEC notes, CVE metadata pipeline (CISA KEV + NVD CWE), 119
detection rules, 88-test harness, arm64-static binary, arch_support
field, marketing site. Plus an explicit 'open follow-ups' list (arm64
verification sweep, SIEM query templates, install.sh smoke test,
PackageKit provisioner, custom <=4.4 kernel image for dirty_cow, 9
deferred drift findings) and the 'wait-for-upstream blockers' list
(vmwgfx, dirtydecrypt, fragnesia).

README.md

@@ -197,12 +197,14 @@ also compile (modules with Linux-only headers stub out gracefully).
 
 ## Status
 
-**v0.6.0 cut 2026-05-23.** 31 modules across 26 CVEs, **22 empirically
+**v0.7.1 cut 2026-05-23.** 31 modules across 26 CVEs, **22 empirically
 verified** against real Linux VMs (Ubuntu 18.04 / 20.04 / 22.04 +
 Debian 11 / 12 + mainline kernels 5.15.5 / 6.1.10 from
-kernel.ubuntu.com). 88-test unit harness on every push.
+kernel.ubuntu.com). 88-test unit harness + ASan/UBSan + clang-tidy
+on every push. 4 prebuilt binaries (x86_64 + arm64, each in dynamic
++ static-musl flavors).
 
-Reliability + accuracy work in v0.6.0:
+Reliability + accuracy work in v0.7.x:
 - Shared **host fingerprint** (`core/host.{h,c}`) populated once at
   startup — kernel/distro/userns gates/sudo+polkit versions — exposed
   to every module via `ctx->host`.