docs: sweep stale Kamino-harvest-stub framing across registry

[alrimarleskovar]

Summary

Doc-debt sweep: aligns the public-facing registry (MAINNET_READINESS.md, README.md, audit + MEV + canary docs) with the codebase after the Kamino harvest path landed and closed #233.

The harvest implementation has been live for a while (real redeem_reserve_collateral CPI as a redeem-all + redeposit-principal round-trip in programs/roundfi-yield-kamino/src/lib.rs:272), but several places in the doc set still framed it as "stub returning realized=0" or "staged behind audit". An auditor opening the repo today reads a register that doesn't match the code — bad signal during external review.

Changes

File	Change
MAINNET_READINESS.md § 4.5	🟡⛔ → ✅ with real-implementation summary (redeem-all + redeposit-principal, PrincipalLoss guard, slippage guard inherited from PR #124)
MAINNET_READINESS.md § 4.1	Dropped #233 from canary gate list; annotated #230 with #319 blocked-upstream status
MAINNET_READINESS.md § 1.5	Updated "pitch-vs-shipped framing" tagline (dropped "Kamino deposit ≠ harvest", added /reputacao Demo Studio reflection)
MAINNET_READINESS.md § 7 critical path	Reworked dependency-order list: surfaced Agave 2.x (#319) as the live blocker, removed harvest path as a TODO, noted TVL caps + harvest already done
docs/security/audit-readiness.md § Pitch vs shipped	"Harvest is stub" row rewritten — both deposit + harvest paths shipped, in scope, swap mechanism unchanged
docs/security/mev-front-running.md § 2.4	Kamino-sandwich vector reframed: bounded today (slippage guard + PrincipalLoss revert); Jito bundling demoted to operator concern
docs/security/mev-front-running.md § 3 summary table	harvest_yield + deposit_idle_to_yield rows updated from ❌ (stub) → ⚠️ Yes — bounded with the actual mitigations
docs/operations/mainnet-canary-plan.md § smoke flow	Yield branch is unconditional (was: "if #233 lands before canary")
README.md Yield Waterfall paragraph	Reflects both deposit and harvest paths shipped via real Kamino CPIs

What this PR is NOT

• No code changes. Pure documentation. Zero CI risk on the program side.
• Not opinionated on the Agave 2.x migration (feat(toolchain): Agave 2.x migration (#230) — BLOCKED on upstream mpl-core #319). That PR remains draft and upstream-blocked; this sweep only references the current state.
• Not a re-audit. Doesn't introduce new claims — only removes claims that are no longer accurate.

Test plan

• grep -rn "harvest.*stub\|realized=0\|harvest.*post-audit\|deposit ≠ harvest" returns no remaining hits in tracked docs
• Manual review by maintainer for tone/framing consistency
• No code changes → no CI dependency beyond the markdown lint lane

---

Generated by Claude Code

[vercel]

Deployment failed with the following error:

Resource is limited - try again in 24 hours (more than 100, code: "api-deployments-free-per-day").

Learn More: https://vercel.com/alrimarleskovars-projects?upgradeToPro=build-rate-limit