diff --git a/docs/implplan/SPRINT_20260408_004_Timeline_unified_audit_sink.md b/docs/implplan/SPRINT_20260408_004_Timeline_unified_audit_sink.md
index 93129cd03..22d11f431 100644
--- a/docs/implplan/SPRINT_20260408_004_Timeline_unified_audit_sink.md
+++ b/docs/implplan/SPRINT_20260408_004_Timeline_unified_audit_sink.md
@@ -177,7 +177,7 @@ Completion criteria:
 Note: After AUDIT-002 wired Emission in all 14+ priority services, the original AUDIT-003 scope of "add more polling targets" is no longer load-bearing. The existing 5-service polling covers the remaining DB-backed fallback cases. SbomService's `/internal/sbom/ledger/audit` is artifact-specific and does not fit the unified polling contract. Closing as superseded.
 
 ### AUDIT-004 - GDPR data classification and retention policies
-Status: DOING
+Status: DONE
 Dependency: AUDIT-001
 Owners: Developer (backend), Documentation author
 Task description:
@@ -200,7 +200,7 @@ Completion criteria:
 - [x] Retention purge runs on schedule without breaking hash chains — `AuditRetentionPurgeService` background host iterates tenants and calls `timeline.purge_expired_audit_events`; the SQL function respects `compliance_hold` and drops expired rows per classification. The hash chain is left intact for non-purged rows; purged rows leave chain-external gaps, which is acceptable because `verify_unified_audit_chain` only asserts contiguous-chain integrity *within* a queried sequence range.
 - [x] Right-to-erasure redacts PII without invalidating chain verification — `timeline.redact_actor_pii` replaces email/ip/user-agent (plus name for personal/sensitive) with `[REDACTED]`, preserves `actor_id` and `content_hash`; `PostgresUnifiedAuditEventStore.RedactActorPiiAsync` + `DELETE /api/v1/audit/actors/{actorId}/pii` expose the operation under the new `Timeline.Admin` scope.
 - [x] Documentation updated: `docs/modules/timeline/audit-retention.md` — dossier shipped covering classifications, retention table + overrides, scheduled purge config, right-to-erasure contract, chain-gap handling, and the operator compliance checklist.
-- [ ] Doctor `AuditReadinessCheck` updated to verify retention configuration — deferred.
+- [x] Doctor `AuditReadinessCheck` updated to verify retention configuration — complemented by a new `TimelineAuditRetentionCheck` in `StellaOps.Doctor.Plugin.Compliance` that reads `GET /api/v1/audit/retention-policies` and asserts every classification meets the sprint minimums (none/personal ≥180d, sensitive ≥365d, restricted ≥1095d), with remediation pointing at the new dossier.
 
 ### AUDIT-005 - Deprecate per-service audit DB tables (Phase 2)
 Status: TODO