diff --git a/apps/web/messages/en.json b/apps/web/messages/en.json
index 8b8e89fa..becb1679 100644
--- a/apps/web/messages/en.json
+++ b/apps/web/messages/en.json
@@ -20285,8 +20285,8 @@
     },
     "rolloutRiskReadOnly": {
       "eyebrow": "部署風險只讀卡",
-      "title": "CD 已完成，但 ArgoCD 風險仍不能假裝全綠",
-      "subtitle": "風險來源部署 marker 為 16756d24；該次 CD smoke 與 API health 通過，但 `AWOOOI_ROLLOUT_RISK=1` 仍存在，因 ArgoCD health 為 Degraded 且部分資源 OutOfSync。此卡只顯示風險，不修復、不同步、不重啟、不開執行期。",
+      "title": "正式讀回已綠，但 CD rollout timeout 不能假裝全綠",
+      "subtitle": "風險來源部署 marker 為 52e942e19；CD #3601 已將 ArgoCD 同步到該 revision，但 build-and-deploy 在 rollout 等待時 timeout，當下 health 仍為 Progressing，post-deploy checks 被略過。production API 與桌機 / 手機 smoke 已綠；此卡只顯示 no-false-green 風險，不修復、不同步、不重啟、不開執行期。",
       "signalLabel": "訊號",
       "stateLabel": "狀態",
       "boundaryTitle": "部署風險邊界",
@@ -20294,7 +20294,7 @@
       "summary": {
         "sourceDeployMarker": {
           "label": "風險來源",
-          "detail": "產生此風險證據的部署 marker，不等於目前最新部署。"
+          "detail": "目前正式讀回的 deploy marker，同時也是 rollout timeout 的證據來源。"
         },
         "rolloutRisk": {
           "label": "風險訊號",
@@ -20307,16 +20307,16 @@
       },
       "items": {
         "argocdHealth": {
-          "title": "ArgoCD health 降級",
-          "body": "CD log 顯示 health=Degraded；這是只讀風險證據，需要另行盤點來源，不能被 smoke 成功覆蓋。"
+          "title": "ArgoCD health 仍在轉換",
+          "body": "CD log 顯示 ArgoCD 已 Synced 到 52e942e1，但 health 仍為 Progressing；這是只讀風險證據，不能被 route 200 或 smoke 成功覆蓋。"
         },
         "resourceSync": {
-          "title": "部分資源同步外",
-          "body": "CD log 顯示部分資源 OutOfSync；目前只標示風險，不執行 ArgoCD sync、kubectl 或 host 操作。"
+          "title": "GitOps revision 已同步",
+          "body": "CD log 顯示 GitOps revision 已同步，但 rollout 等待超時；目前只標示風險，不執行 ArgoCD sync、kubectl 或 host 操作。"
         },
         "smokePassed": {
-          "title": "API 與煙霧測試通過",
-          "body": "API health 與 Playwright smoke 通過代表服務可讀，不代表 GitOps 狀態已全綠。"
+          "title": "正式 API 與頁面讀回通過",
+          "body": "API health、owner evidence intake API、IwoooS 桌機與手機 smoke 通過代表服務可讀，不代表 CD workflow 或 GitOps rollout 已全綠。"
         },
         "riskBoundary": {
           "title": "執行期閘門仍為 0",
diff --git a/apps/web/messages/zh-TW.json b/apps/web/messages/zh-TW.json
index 8b8e89fa..becb1679 100644
--- a/apps/web/messages/zh-TW.json
+++ b/apps/web/messages/zh-TW.json
@@ -20285,8 +20285,8 @@
     },
     "rolloutRiskReadOnly": {
       "eyebrow": "部署風險只讀卡",
-      "title": "CD 已完成，但 ArgoCD 風險仍不能假裝全綠",
-      "subtitle": "風險來源部署 marker 為 16756d24；該次 CD smoke 與 API health 通過，但 `AWOOOI_ROLLOUT_RISK=1` 仍存在，因 ArgoCD health 為 Degraded 且部分資源 OutOfSync。此卡只顯示風險，不修復、不同步、不重啟、不開執行期。",
+      "title": "正式讀回已綠，但 CD rollout timeout 不能假裝全綠",
+      "subtitle": "風險來源部署 marker 為 52e942e19；CD #3601 已將 ArgoCD 同步到該 revision，但 build-and-deploy 在 rollout 等待時 timeout，當下 health 仍為 Progressing，post-deploy checks 被略過。production API 與桌機 / 手機 smoke 已綠；此卡只顯示 no-false-green 風險，不修復、不同步、不重啟、不開執行期。",
       "signalLabel": "訊號",
       "stateLabel": "狀態",
       "boundaryTitle": "部署風險邊界",
@@ -20294,7 +20294,7 @@
       "summary": {
         "sourceDeployMarker": {
           "label": "風險來源",
-          "detail": "產生此風險證據的部署 marker，不等於目前最新部署。"
+          "detail": "目前正式讀回的 deploy marker，同時也是 rollout timeout 的證據來源。"
         },
         "rolloutRisk": {
           "label": "風險訊號",
@@ -20307,16 +20307,16 @@
       },
       "items": {
         "argocdHealth": {
-          "title": "ArgoCD health 降級",
-          "body": "CD log 顯示 health=Degraded；這是只讀風險證據，需要另行盤點來源，不能被 smoke 成功覆蓋。"
+          "title": "ArgoCD health 仍在轉換",
+          "body": "CD log 顯示 ArgoCD 已 Synced 到 52e942e1，但 health 仍為 Progressing；這是只讀風險證據，不能被 route 200 或 smoke 成功覆蓋。"
         },
         "resourceSync": {
-          "title": "部分資源同步外",
-          "body": "CD log 顯示部分資源 OutOfSync；目前只標示風險，不執行 ArgoCD sync、kubectl 或 host 操作。"
+          "title": "GitOps revision 已同步",
+          "body": "CD log 顯示 GitOps revision 已同步，但 rollout 等待超時；目前只標示風險，不執行 ArgoCD sync、kubectl 或 host 操作。"
         },
         "smokePassed": {
-          "title": "API 與煙霧測試通過",
-          "body": "API health 與 Playwright smoke 通過代表服務可讀，不代表 GitOps 狀態已全綠。"
+          "title": "正式 API 與頁面讀回通過",
+          "body": "API health、owner evidence intake API、IwoooS 桌機與手機 smoke 通過代表服務可讀，不代表 CD workflow 或 GitOps rollout 已全綠。"
         },
         "riskBoundary": {
           "title": "執行期閘門仍為 0",
diff --git a/apps/web/src/app/[locale]/iwooos/page.tsx b/apps/web/src/app/[locale]/iwooos/page.tsx
index b96b16bd..9b413489 100644
--- a/apps/web/src/app/[locale]/iwooos/page.tsx
+++ b/apps/web/src/app/[locale]/iwooos/page.tsx
@@ -2202,24 +2202,27 @@ const agentBountySecurityOnboardingBoundaries = [
 ] as const
 
 const rolloutRiskReadOnlySummary = [
-  { key: 'sourceDeployMarker', value: '16756d24', icon: GitBranch, tone: 'warn' },
+  { key: 'sourceDeployMarker', value: '52e942e19', icon: GitBranch, tone: 'warn' },
   { key: 'rolloutRisk', value: '1', icon: AlertTriangle, tone: 'warn' },
   { key: 'runtimeGate', value: '0', icon: Lock, tone: 'locked' },
 ] as const
 
 const rolloutRiskReadOnlyItems: RolloutRiskReadOnlyItem[] = [
-  { key: 'argocdHealth', signal: 'RR1', state: 'Degraded', icon: Cloud, tone: 'warn' },
-  { key: 'resourceSync', signal: 'RR2', state: 'OutOfSync', icon: Workflow, tone: 'warn' },
-  { key: 'smokePassed', signal: 'RR3', state: '通過', icon: CheckCircle2, tone: 'steady' },
+  { key: 'argocdHealth', signal: 'RR1', state: 'Progressing', icon: Cloud, tone: 'warn' },
+  { key: 'resourceSync', signal: 'RR2', state: 'Synced', icon: Workflow, tone: 'warn' },
+  { key: 'smokePassed', signal: 'RR3', state: '讀回綠', icon: CheckCircle2, tone: 'steady' },
   { key: 'riskBoundary', signal: 'RR4', state: '不開閘', icon: Lock, tone: 'locked' },
 ]
 
 const rolloutRiskReadOnlyBoundaries = [
   'rollout_risk_read_only_card_count=4',
-  'rollout_risk_source_deploy_marker=16756d24',
+  'rollout_risk_source_deploy_marker=52e942e19',
+  'rollout_risk_source_cd_run=3601',
   'rollout_risk_awoooi_rollout_risk=1',
-  'rollout_risk_argocd_health=Degraded',
-  'rollout_risk_resource_sync=OutOfSync',
+  'rollout_risk_argocd_health=Progressing',
+  'rollout_risk_resource_sync=Synced',
+  'rollout_risk_failure_step=Deploy_to_K8s_ArgoCD_GitOps',
+  'rollout_risk_post_deploy_checks=skipped',
   'rollout_risk_api_health_passed=true',
   'rollout_risk_playwright_smoke_passed=true',
   'rollout_risk_requires_read_only_triage=true',
diff --git a/scripts/security/security-mirror-progress-guard.py b/scripts/security/security-mirror-progress-guard.py
index 649e4fed..167214c2 100755
--- a/scripts/security/security-mirror-progress-guard.py
+++ b/scripts/security/security-mirror-progress-guard.py
@@ -18434,10 +18434,13 @@ def validate(root: Path) -> None:
     )
     for text in [
         "rollout_risk_read_only_card_count=4",
-        "rollout_risk_source_deploy_marker=16756d24",
+        "rollout_risk_source_deploy_marker=52e942e19",
+        "rollout_risk_source_cd_run=3601",
         "rollout_risk_awoooi_rollout_risk=1",
-        "rollout_risk_argocd_health=Degraded",
-        "rollout_risk_resource_sync=OutOfSync",
+        "rollout_risk_argocd_health=Progressing",
+        "rollout_risk_resource_sync=Synced",
+        "rollout_risk_failure_step=Deploy_to_K8s_ArgoCD_GitOps",
+        "rollout_risk_post_deploy_checks=skipped",
         "rollout_risk_api_health_passed=true",
         "rollout_risk_playwright_smoke_passed=true",
         "rollout_risk_requires_read_only_triage=true",