docs: refresh release blockers evidence

2026-05-19 07:13:07 +08:00 · 2026-05-18 15:23:48 -04:00
parent 12ac22e674
commit 0f1775e30b
4 changed files with 48 additions and 6 deletions
--- a/docs/ECC-2.0-GA-ROADMAP.md
+++ b/docs/ECC-2.0-GA-ROADMAP.md
@@ -340,6 +340,24 @@ As of 2026-05-18:
  real Marketplace-managed Pro webhook creates target account provenance and
  `billing:kv-readback -- --wrangler --wrangler-bin ./node_modules/.bin/wrangler --account <github-login> --require-ready`
  plus the official internal announcement gate pass.
+- ECC-Tools commit `13cd3fc` normalizes billing-state key casing so
+  Marketplace webhook writes and announcement readbacks agree on GitHub login
+  case; current-head CI `26037611421` passed. The code-side readback hardening
+  remains green, but it does not create live Marketplace Pro state.
+- ECC-Tools commit `69ca535` surfaces hosted team-learning feedback controls:
+  harness compatibility and team-backlog routing now show retention days,
+  deletion route/SLA, and opt-out route before adaptive recommendations are
+  routed into team-owned queues. Linear ITO-52 is Done with CI `26054455434`.
+- ECC-Tools commit `e56fc1a` updates the lockfile for
+  `brace-expansion@5.0.6` and fixed Dependabot alert 44 for CVE-2026-45149;
+  GitHub API reported `state: fixed` at `2026-05-18T19:10:15Z` and current-head
+  CI `26054671308` passed.
+- The latest ITO-61 readback retry remains operationally blocked: Wrangler
+  Cloudflare API auth returned `Authentication error [code: 10000]`,
+  1Password CLI authorization timed out, `billing:announcement-gate -- --preflight`
+  is missing the target Marketplace account plus `INTERNAL_API_SECRET`, and
+  native-payments copy remains blocked until the target readback and live
+  announcement gate pass.
 - Handoff `ecc-supply-chain-audit-20260513-0645.md` under
  `~/.cluster-swarm/handoffs/`
  records the May 13 supply-chain sweep: no active lockfile/manifest hit for
--- a/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md
+++ b/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md
@@ -79,8 +79,10 @@ Tracked repositories in the platform audit and work-items sync were:

 | Surface | Evidence |
 | --- | --- |
-| ITO-57 issue comments | `0b9931b9-1556-4ebc-a70c-f3635557625d` records May 18 queue counts, #1970/#1971/#1972/#1976 merge evidence, supply-chain verification, current-head CI URL, deferred gates, and next slices; reply `6fa15367-d994-4e53-ade3-9462477e1100` records the expanded TanStack/Mini Shai-Hulud recheck, defensive-deny scanner fix, current-head CI `26017368895`, and post-push platform audit; comment `3fe5b2b7-c4fe-401c-a317-b40d72119cb3` records the final emergency refresh against `97567a91`, AgentShield `4e36aab`, clean ECC/Ito/Documents workspace IOC scans, absent dead-man/persistence artifacts, and package-manager/Claude deny-wall posture |
-| ECC platform project comment | `e32e5b7a-287b-4bf4-9ed7-314389a157e1` records the same current public queue, security, #1976, and remaining-gate state at the project level |
+| ITO-57 issue comments | `0b9931b9-1556-4ebc-a70c-f3635557625d` records May 18 queue counts, #1970/#1971/#1972/#1976 merge evidence, supply-chain verification, current-head CI URL, deferred gates, and next slices; reply `6fa15367-d994-4e53-ade3-9462477e1100` records the expanded TanStack/Mini Shai-Hulud recheck, defensive-deny scanner fix, current-head CI `26017368895`, and post-push platform audit; comment `3fe5b2b7-c4fe-401c-a317-b40d72119cb3` records the final emergency refresh against `97567a91`, AgentShield `4e36aab`, clean ECC/Ito/Documents workspace IOC scans, absent dead-man/persistence artifacts, and package-manager/Claude deny-wall posture; comment `43837404-c01c-4aaa-b5e2-1e784c136d69` records ECC-Tools `brace-expansion` alert 44 fixed in `e56fc1a` with CI `26054671308` and Dependabot API `state: fixed` |
+| ITO-52 issue status | `f2e5a208-de91-4a3a-960b-5362d12aa5a4` records ECC-Tools `69ca535` team-learning feedback controls, local verification, and CI `26054455434`; Linear ITO-52 is Done |
+| ITO-61 issue status | `8c366592-1c9a-48ad-b9a9-2908a0463fa5` records the latest native-payments readback blocker: Wrangler Cloudflare auth `10000`, 1Password CLI authorization timeout, missing Marketplace target account, and missing `INTERNAL_API_SECRET` |
+| ECC platform project comment | `e32e5b7a-287b-4bf4-9ed7-314389a157e1` records the earlier current public queue, security, #1976, and remaining-gate state at the project level; follow-up ITO-44 comments `a01eeef3-c69b-48c0-8804-a4682acfc1ef` and `6b0885cc-c4e9-40db-899b-f7b88b4aa046` record ITO-52 completion and the fixed ECC-Tools Dependabot alert |
 | Project status update caveat | Linear returned "Project status updates are not enabled for this workspace"; project comment was used as the supported status surface |

 ## Current Publication Blockers
@@ -105,8 +107,12 @@ Tracked repositories in the platform audit and work-items sync were:
  currently fails with Cloudflare authentication error `10000`. ECC-Tools
  commit `632e059` adds the follow-up target-account readback mode, redacts
  the account login and raw KV key names, and requires both target key families
-  before `--require-ready` can pass. Linear ITO-61 now tracks the exact
-  target-account acceptance criteria.
+  before `--require-ready` can pass. ECC-Tools commit `13cd3fc` normalizes
+  billing-state key casing. The latest ITO-61 retry still fails before readback
+  because Wrangler Cloudflare auth returns `10000`, 1Password CLI authorization
+  timed out, and the announcement preflight is missing the target account and
+  `INTERNAL_API_SECRET`; Linear ITO-61 tracks the exact target-account
+  acceptance criteria.
 - Release notes, X, LinkedIn, GitHub release, and longform copy still need final
  live URLs after release/package/plugin URLs exist.
 - The local checkout is clean after the dashboard/evidence refresh, but a
--- a/scripts/operator-readiness-dashboard.js
+++ b/scripts/operator-readiness-dashboard.js
@@ -342,6 +342,12 @@ function agentShieldEnterpriseEvidence(roadmap) {
 }

 function eccToolsNextLevelEvidence(roadmap) {
+  if (roadmap.includes('69ca535')
+    || roadmap.includes('team feedback controls')
+    || roadmap.includes('e56fc1a')) {
+    return 'billing announcement gate, hosted analysis lanes, AgentShield fleet-summary consumption, hosted finding evidence paths, harness-route policy linking, policy-promotion Action-output telemetry, operator-visible promotion output details, hosted promotion judge audit traces, billing announcement preflight, aggregate production billing KV readback, Wrangler OAuth readback, target-account billing readback, provenance-aware Marketplace billing-state gates, sanitized Marketplace plan/action provenance counts, hosted team-learning feedback controls, and ECC-Tools Dependabot alert remediation are mirrored in the GA roadmap';
+  }
+
  if (roadmap.includes('d5f60db')
    || roadmap.includes('Marketplace-source provenance counts')) {
    return 'billing announcement gate, hosted analysis lanes, AgentShield fleet-summary consumption, hosted finding evidence paths, harness-route policy linking, policy-promotion Action-output telemetry, operator-visible promotion output details, hosted promotion judge audit traces, billing announcement preflight, aggregate production billing KV readback, Wrangler OAuth readback, target-account billing readback, provenance-aware Marketplace billing-state gates, and sanitized Marketplace plan/action provenance counts are mirrored in the GA roadmap';
@@ -381,6 +387,11 @@ function eccToolsNextLevelEvidence(roadmap) {
 }

 function eccToolsNextLevelGap(roadmap) {
+  if (roadmap.includes('1Password CLI authorization timed out')
+    || roadmap.includes('Cloudflare API auth returned `Authentication error [code: 10000]`')) {
+    return 'authorize Cloudflare API or 1Password CLI access, configure the target Marketplace Pro account and INTERNAL_API_SECRET, create or replay Marketplace Pro webhook state, then rerun target readback and the live announcement gate';
+  }
+
  if (roadmap.includes('d5f60db')
    || roadmap.includes('Marketplace-source provenance counts')) {
    return 'create or verify Marketplace-managed Pro target billing-state with webhook provenance, then run `billing:kv-readback -- --wrangler --wrangler-bin ./node_modules/.bin/wrangler --account <github-login> --require-ready`, followed by the live announcement gate';
@@ -811,7 +822,7 @@ function buildReport(options) {
    next_work_order: [
      'Regenerate this dashboard from the final release commit before publication evidence is recorded.',
      'Repeat ITO-57 Linear/project status sync after the next significant merge batch or advisory-source refresh.',
-      'Create or verify Marketplace-managed Pro target billing-state with webhook provenance, then run `billing:kv-readback -- --wrangler --wrangler-bin ./node_modules/.bin/wrangler --account <github-login> --require-ready`, followed by the live announcement gate before publishing native-payments copy.',
+      'Authorize Cloudflare API or 1Password CLI access, configure the target Marketplace Pro account and INTERNAL_API_SECRET, create or replay Marketplace Pro webhook state, then rerun target readback and the live announcement gate before publishing native-payments copy.',
      'Resume ITO-45, ITO-46, and ITO-56 only after the generated dashboard and final release gates are refreshed.',
    ],
  };
--- a/tests/scripts/operator-readiness-dashboard.test.js
+++ b/tests/scripts/operator-readiness-dashboard.test.js
@@ -70,6 +70,11 @@ function seedRepo(rootDir, overrides = {}) {
      '42653f9',
      'target account billing readback',
      '632e059',
+      '69ca535',
+      'team feedback controls',
+      'e56fc1a',
+      '1Password CLI authorization timed out',
+      'Cloudflare API auth returned `Authentication error [code: 10000]`',
      'announcementGate',
      'ITO-55',
      'Linear live sync is current for the May 17 merge batch',
@@ -278,7 +283,7 @@ function runTests() {
      )));
      assert.ok(report.requirements.some(item => (
        item.id === 'ecc-tools-next-level'
-          && item.gap === 'create or verify Marketplace-managed Pro target billing-state with webhook provenance, then run `billing:kv-readback -- --account <github-login> --require-ready` with working Cloudflare API auth or repaired Wrangler OAuth, followed by the live announcement gate'
+          && item.gap === 'authorize Cloudflare API or 1Password CLI access, configure the target Marketplace Pro account and INTERNAL_API_SECRET, create or replay Marketplace Pro webhook state, then rerun target readback and the live announcement gate'
          && item.evidence.includes('operator-visible promotion output details')
          && item.evidence.includes('hosted promotion judge audit traces')
          && item.evidence.includes('billing announcement preflight')
@@ -286,6 +291,8 @@ function runTests() {
          && item.evidence.includes('Wrangler OAuth readback')
          && item.evidence.includes('target-account billing readback')
          && item.evidence.includes('provenance-aware Marketplace billing-state gates')
+          && item.evidence.includes('hosted team-learning feedback controls')
+          && item.evidence.includes('ECC-Tools Dependabot alert remediation')
      )));
      assert.ok(report.requirements.some(item => (
        item.id === 'naming-and-plugin-publication'