zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-05-18 23:03:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

docs: refresh release evidence after ioc scanner hardening

Browse Source
This commit is contained in:
Affaan Mustafa
2026-05-18 02:45:30 -04:00
parent 04d4d81938
commit 742bc58d97
3 changed files with 18 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md
View File

@@ -2,8 +2,8 @@
This dashboard is generated by `npm run operator:dashboard`. It is an operator snapshot, not release approval.
Generated: 2026-05-18T06:03:52.991Z
Commit: e53933de1bc62b748f6ecb2df9a64d4290742625
Generated: 2026-05-18T06:43:34.996Z
Commit: 04d4d81938b20ac2bac1f0025145ab77d6a59f5f
Status: work remaining
## Current Status

15
docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md
View File

@@ -7,9 +7,9 @@ npm publication, plugin tag, marketplace submission, or announcement post.
| Field | Evidence |
| --- | --- |
| Upstream main | `f010f7833212794da7ba74c0f88d8e05723efe1f` |
| Upstream main | `04d4d81938b20ac2bac1f0025145ab77d6a59f5f` |
| Git remote | `https://github.com/affaan-m/everything-claude-code.git` |
| Evidence scope | Current `main` after PR #1970 workflow-security validator bypass fixes, PR #1971 metrics bridge cost-reporting fixes, PR #1972 `uncloud` skill merge, PR #1973 stale script cleanup, issue #1974 cost-reporting verification/closure, PR #1976 OpenAI/AstraFlow provider response guards, catalog/operator dashboard refresh, ECC-Tools Wrangler OAuth billing readback mirror, Mini Shai-Hulud/TanStack protection recheck, current-head CI/security scan, work-items sync, and Linear progress sync |
| Evidence scope | Current `main` after PR #1970 workflow-security validator bypass fixes, PR #1971 metrics bridge cost-reporting fixes, PR #1972 `uncloud` skill merge, PR #1973 stale script cleanup, issue #1974 cost-reporting verification/closure, PR #1976 OpenAI/AstraFlow provider response guards, catalog/operator dashboard refresh, ECC-Tools Wrangler OAuth billing readback mirror, Mini Shai-Hulud/TanStack protection recheck, defensive-deny IOC scanner hardening, current-head CI/security scan, work-items sync, and Linear progress sync |
| Local status caveat | `git status --short --branch` showed `## main...origin/main` plus unrelated untracked `docs/drafts/`; generated evidence files are committed after the source snapshot they describe |
The actual release operator should repeat all publish-facing checks from the
@@ -24,7 +24,7 @@ final release commit with a strictly clean checkout before publishing.
| Discussion audit | `npm run discussion:audit -- --json` | Ready; 58 sampled discussions in `affaan-m/everything-claude-code`, 0 needing maintainer touch, 0 answerable discussions missing accepted answer, and 0 fetch errors |
| Platform audit | `node scripts/platform-audit.js --json --allow-untracked docs/drafts/` | Ready; tracked repos report 0 open PRs, 0 open issues, 0 discussion maintainer-touch gaps, 0 answerable Q&A missing accepted answers, and 0 blocking dirty files |
| Work-items sync | `node scripts/work-items.js sync-github --repo <tracked-repo>` for five tracked repos; `node scripts/status.js --json`; `node scripts/work-items.js list --json` | All five tracked repos synced with 0 open PRs/issues and no changed work items; local status reports 0 open, 0 blocked, and 0 closed work items |
| Operator dashboard | `node scripts/operator-readiness-dashboard.js --markdown --allow-untracked docs/drafts/ --write docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` | Generated current dashboard for `e53933de1bc62b748f6ecb2df9a64d4290742625`; dashboard ready true, publication ready false because release, npm, plugin, billing, and announcement gates are approval-gated |
| Operator dashboard | `node scripts/operator-readiness-dashboard.js --markdown --allow-untracked docs/drafts/ --write docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` | Generated current dashboard for `04d4d81938b20ac2bac1f0025145ab77d6a59f5f`; dashboard ready true, publication ready false because release, npm, plugin, billing, and announcement gates are approval-gated |
Tracked repositories in the platform audit and work-items sync were:
@@ -46,6 +46,7 @@ Tracked repositories in the platform audit and work-items sync were:
| Catalog/operator refresh | Pushed `81fca2ce` to refresh generated catalog count, URL ledger, and operator dashboard state after #1973/#1974 |
| PR #1976 | Merged provider response hardening for OpenAI-compatible and AstraFlow providers; main includes `eb0d8939` follow-up guards for empty/filtered provider choices, missing OpenAI `response.usage`, shared filtered-response error text, and credential-less provider construction validation |
| Provider guard validation | `uv run --extra dev pytest -q tests/test_provider_tools.py tests/test_astraflow_provider.py`, `uv run --extra dev pytest -q`, `node tests/run-all.js`, and `git diff --check` passed before merging #1976 follow-up into main: 11 provider-focused Python tests, 76 full Python tests, 2509 Node tests, and clean whitespace checks |
| Defensive-deny IOC scanner hardening | Pushed `04d4d819` so explicit Claude `permissions.deny` IOC entries are treated as defensive controls while the same IOC still fails in hooks, tasks, scripts, locks, and payload files; local `npm test` passed 2511/2511 and current-head CI `26017368895` passed 37/37 |
| Public queues | Rechecked after the merge and issue-closure batch; 0 PRs, 0 issues, and 0 discussion gaps remain across tracked repos |
## Supply-Chain And Security Evidence
@@ -55,21 +56,21 @@ Tracked repositories in the platform audit and work-items sync were:
| Repo IOC scan | `npm run security:ioc-scan` | Passed; 198 files inspected |
| Home persistence IOC scan | `node scripts/ci/scan-supply-chain-iocs.js --home --json` | Passed; 200 files inspected; `findings: []` |
| Narrow active persistence sweep | Targeted search over user-level Claude, VS Code, LaunchAgent/systemd, local-bin, `/tmp`, and `/private/tmp` campaign paths | Existing active targets: 2; no campaign marker hits |
| Scanner fixture tests | `node tests/ci/scan-supply-chain-iocs.test.js` | 18 passed, 0 failed |
| Scanner fixture tests | `node tests/ci/scan-supply-chain-iocs.test.js` | 20 passed, 0 failed, including defensive Claude deny-wall pass and hook-with-same-IOC fail-closed coverage |
| Advisory source refresh | `node scripts/ci/supply-chain-advisory-sources.js --refresh --json` | Ready with 9 sources; live refresh produced 1 OpenAI URL warning from Node fetch while primary TanStack, GitHub advisory, StepSecurity, Wiz, Socket, npm, and CISA sources returned OK |
| No-lifecycle install | `npm ci --ignore-scripts` | Completed cleanly; 213 packages installed, 0 vulnerabilities |
| npm audit | `npm audit --audit-level=high` | 0 vulnerabilities |
| npm signatures | `npm audit signatures` | 213 verified registry signatures; 17 verified attestations |
| Workflow security | `node scripts/ci/validate-workflow-security.js` | Validated 8 workflow files |
| AgentShield project scan | `npx --no-install ecc-agentshield scan --format json` | Grade A / 99; 0 critical, 0 high, 0 medium; 6 low docs-example skill telemetry/governance findings |
| Current-head CI security scan | `gh run view 26016495976 --repo affaan-m/everything-claude-code --json status,conclusion,jobs,url` | Completed successfully for `f010f7833212794da7ba74c0f88d8e05723efe1f`; 37/37 CI jobs passed, including lint, workflow/component validation, coverage, cross-platform package-manager tests, npm audit, and supply-chain IOC scan |
| Current-head CI security scan | `gh run view 26017368895 --repo affaan-m/everything-claude-code --json status,conclusion,jobs,url` | Completed successfully for `04d4d81938b20ac2bac1f0025145ab77d6a59f5f`; 37/37 CI jobs passed, including lint, workflow/component validation, coverage, cross-platform package-manager tests, npm audit, and supply-chain IOC scan |
| Latest Supply-Chain Watch | `gh run view 26010432490 --repo affaan-m/everything-claude-code --json status,conclusion,headSha,url` | Completed successfully for `25ac57ac40e9fc5a0606e76e6339e72c79748c99`; rerun from the final release commit before publication |
## Linear Progress Sync
| Surface | Evidence |
| --- | --- |
| ITO-57 issue comment | `0b9931b9-1556-4ebc-a70c-f3635557625d` records May 18 queue counts, #1970/#1971/#1972/#1976 merge evidence, supply-chain verification, current-head CI URL, deferred gates, and next slices |
| ITO-57 issue comments | `0b9931b9-1556-4ebc-a70c-f3635557625d` records May 18 queue counts, #1970/#1971/#1972/#1976 merge evidence, supply-chain verification, current-head CI URL, deferred gates, and next slices; reply `6fa15367-d994-4e53-ade3-9462477e1100` records the expanded TanStack/Mini Shai-Hulud recheck, defensive-deny scanner fix, current-head CI `26017368895`, and post-push platform audit |
| ECC platform project comment | `e32e5b7a-287b-4bf4-9ed7-314389a157e1` records the same current public queue, security, #1976, and remaining-gate state at the project level |
| Project status update caveat | Linear returned "Project status updates are not enabled for this workspace"; project comment was used as the supported status surface |
@@ -99,6 +100,6 @@ Tracked repositories in the platform audit and work-items sync were:
The tracked public PR queue, issue queue, discussion queue, local work-items
bridge, and Mini Shai-Hulud/TanStack protection loop are current on
May 18, 2026 for `f010f783`. This improves publication readiness but does not
May 18, 2026 for `04d4d819`. This improves publication readiness but does not
replace the approval-gated release, package, plugin, billing, and announcement
steps in `publication-readiness.md`.