docs: refresh rc1 evidence after security recheck

docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-17.md

@@ -2,8 +2,8 @@
 
 This dashboard is generated by `npm run operator:dashboard`. It is an operator snapshot, not release approval.
 
-Generated: 2026-05-17T21:56:22.061Z
+Generated: 2026-05-17T21:57:47.582Z
-Commit: 36d390aa7d733d458963a203b91998d3aec477b2
+Commit: e6c16b40b80b3b323586c9e8341faa87c01a728c
 Status: work remaining
 
 ## Current Status
@@ -13,8 +13,8 @@ Status: work remaining
 | PR queue | Current | 0 open PRs across tracked repos |
 | Issue queue | Current | 0 open issues across tracked repos |
 | Discussions | Current | 0 need maintainer touch; 0 missing accepted answer |
-| Local worktree | Needs work | 1 blocking dirty files; 1 ignored dirty entries |
+| Local worktree | Current | 0 blocking dirty files; 1 ignored dirty entries |
-| Dashboard generation | Needs work | platform audit ready: false; GitHub skipped: false |
+| Dashboard generation | Current | platform audit ready: true; GitHub skipped: false |
 | Publication | Not complete | release, npm, plugin, billing, and announcement gates are tracked below |
 
 ## Prompt-To-Artifact Checklist
@@ -34,7 +34,7 @@ Status: work remaining
 | Audit, prune, or attach legacy work | docs/stale-pr-salvage-ledger.md and legacy inventory | current | legacy salvage ledger and inventory are current; all localization tails are attached to Linear ITO-55 for manual language-owner review | repeat legacy scan before release |
 | Keep Linear roadmap detailed and progress tracking synchronized | Linear project mirror plus progress-sync contract | current | Linear live sync and project progress snapshot are current; progress-sync contract defines the file-backed work-items/status path | repeat Linear/project status update and local work-items sync after each significant merge batch |
 | Provide ECC 2.0 observability for self-use | observability readiness gate | complete | observability:ready command and readiness doc exist | runtime/dashboard implementation can continue after release gates |
-| Keep Mini Shai-Hulud/TanStack protection loop current | supply-chain watch plus runbook plus AgentShield package-manager hardening | current | scheduled supply-chain watch emits IOC/advisory-source refresh artifacts; AgentShield now detects known AI-tool persistence IOCs, npm lifecycle/token drift, unsupported npm age-key drift, and pnpm/Yarn cooldown drift; ITO-57 has May 17 Linear evidence updates | repeat advisory/source refresh and Linear sync after each significant supply-chain batch |
+| Keep Mini Shai-Hulud/TanStack protection loop current | supply-chain watch plus runbook plus AgentShield package-manager hardening | current | scheduled supply-chain watch emits IOC/advisory-source refresh artifacts; ECC scanner covers gh-token-monitor token-store persistence; AgentShield now detects known AI-tool persistence IOCs, npm lifecycle/token drift, unsupported npm age-key drift, and pnpm/Yarn cooldown drift; ITO-57 has May 17 Linear evidence updates | repeat advisory/source refresh and Linear sync after each significant supply-chain batch |
 
 ## Top Actions
 

docs/releases/2.0.0-rc.1/publication-evidence-2026-05-17.md

@@ -7,10 +7,10 @@ npm publication, plugin tag, marketplace submission, or announcement post.
 
 | Field | Evidence |
 | --- | --- |
-| Upstream main | `27dc2918a24a50b8dd5e23dba2aa6a05bd17c0d7` |
+| Upstream main | `e6c16b40b80b3b323586c9e8341faa87c01a728c` |
 | Git remote | `https://github.com/affaan-m/everything-claude-code.git` |
-| Evidence scope | Current `main` after the Japanese localization and Dependabot merge batch, post-merge ja-JP markdown anchor repair, Zed install-target support, Mini Shai-Hulud/TanStack protection recheck, AgentShield policy-promotion Action output mirror, ECC-Tools hosted promotion judge audit-trace mirror, ECC-Tools billing announcement preflight mirror, ECC-Tools production Marketplace readback-state mirror, legacy-tail dashboard routing, Linear progress readiness, and the deterministic preview-pack smoke gate |
+| Evidence scope | Current `main` after the Japanese and Thai localization merge batch, post-merge ja-JP markdown anchor repair, Zed install-target support, Mini Shai-Hulud/TanStack protection recheck, `gh-token-monitor` token-store IOC coverage, AgentShield policy-promotion Action output mirror, ECC-Tools hosted promotion judge audit-trace mirror, ECC-Tools billing announcement preflight mirror, ECC-Tools production Marketplace readback-state mirror, legacy-tail dashboard routing, Linear progress readiness, and the deterministic preview-pack smoke gate |
-| Local status caveat | `git status --short --branch` showed `## main...origin/main` plus unrelated untracked `docs/drafts/` |
+| Local status caveat | `git status --short --branch` showed `## main...origin/main` plus unrelated untracked `docs/drafts/`; generated evidence files are committed after the source snapshot they describe |
 
 The actual release operator should repeat all publish-facing checks from the
 final release commit with a strictly clean checkout before publishing.
@@ -22,7 +22,7 @@ final release commit with a strictly clean checkout before publishing.
 | Trunk PRs | `gh pr list --state open --limit 50 --json number,title` | 0 open PRs |
 | Trunk issues | `gh issue list --state open --limit 50 --json number,title` | 0 open issues |
 | Platform audit | `node scripts/platform-audit.js --json --allow-untracked docs/drafts/` | Ready; tracked repos report 0 open PRs, 0 open issues, 0 discussion maintainer-touch gaps, 0 answerable Q&A missing accepted answers, and 0 blocking dirty files |
-| Operator dashboard | `npm run operator:dashboard -- --json --allow-untracked docs/drafts/` | Generated current dashboard for `27dc2918a24a50b8dd5e23dba2aa6a05bd17c0d7`; dashboard ready true, publication ready false because release, npm, plugin, billing, and announcement gates are approval-gated |
+| Operator dashboard | `npm run operator:dashboard -- --markdown --allow-untracked docs/drafts/ --write docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-17.md` | Generated current dashboard for `e6c16b40b80b3b323586c9e8341faa87c01a728c`; dashboard ready true, publication ready false because release, npm, plugin, billing, and announcement gates are approval-gated |
 
 Tracked repositories in the platform audit were:
 
@@ -47,6 +47,8 @@ Tracked repositories in the platform audit were:
 | Zed adapter commit | Pushed `2371a3cf0543365c1c18e84eba786b1abcb28941` to add project-local Zed support through the selective install target, README Zed guidance, and `.zed/settings.json` planning coverage |
 | Zed Windows CI fix | Pushed `744f4169972fd81618c3114ea1ca5ffb85ef4c82` to normalize the Zed install-plan source-path assertion across Windows path separators |
 | Discussion #1896 | Added a maintainer update confirming Zed support on `main`, documenting the dry-run command, and clarifying that BYOK/OpenRouter secrets stay in Zed/local user settings rather than ECC-managed project files |
+| PR #1967 | Merged Thai localization as `6b282aaa4389e9411e86bfe09d8f4de8018dcf8e` after applying the two maintainer cleanup comments, validating markdownlint and language-switcher coverage, and approving after CodeRabbit, GitGuardian, Greptile, and cubic passed on current head |
+| Supply-chain token-store scanner slice | Pushed `36d390aa7d733d458963a203b91998d3aec477b2` to detect the Mini Shai-Hulud `~/.config/gh-token-monitor/token` dead-man-switch token store, update the incident-response runbook, and add fixture coverage; local sweeps stayed clean and GitHub Actions `26003629550` passed |
 | Legacy-tail dashboard slice | Pushed `f397216aee5a0ca7d168726d3cc41eb47f728b37` and dashboard regeneration commits to keep localization-tail evidence attached to ITO-55 and prevent stale legacy work from being treated as release-current |
 | Linear progress readiness slice | Pushed `355c4f128183aa7f7ce9da9485af07d257d67f69` and dashboard regeneration commit `1a384dc5dbd24a3be725e1b26c169bddb6c850b6` to require refreshed Linear progress evidence after significant merge batches |
 | Preview-pack smoke slice | Pushed `3215e655eff70b9fea5382ce5996666a1f48d1af` to add `npm run preview-pack:smoke`, covering preview-pack artifacts, Hermes import boundaries, verification commands, and approval-gated publication blockers; lint and dashboard follow-up commits landed through `27dc2918a24a50b8dd5e23dba2aa6a05bd17c0d7` |
@@ -68,9 +70,9 @@ Tracked repositories in the platform audit were:
 | Harness audit | `node scripts/harness-audit.js --format json` | 70/70, no top actions |
 | Observability readiness | `npm run observability:ready -- --format json` | 21/21, ready yes |
 | Workflow security | `node scripts/ci/validate-workflow-security.js` | Validated 8 workflow files |
-| Supply-chain IOC scan | `node scripts/ci/scan-supply-chain-iocs.js --home` | Passed; 200 files inspected, including user-level persistence targets |
+| Supply-chain IOC scan | `node scripts/ci/scan-supply-chain-iocs.js --root /Users/affoon/GitHub --home --json`; `node scripts/ci/scan-supply-chain-iocs.js --root /Users/affoon/Documents/GitHub --home --json` | Passed; each workspace sweep inspected 1,879 files with 0 findings, including user-level persistence targets |
 | npm audit | `npm audit --audit-level=high` | 0 vulnerabilities |
-| npm signatures | `npm audit signatures` | 213 verified registry signatures; 17 verified attestations |
+| npm signatures | `npm audit signatures` across `agentshield`, `everything-claude-code`, `ECC-Tools`, `ECC-website`, and `JARVIS/frontend` | Passed across the primary ECC Node package roots |
 | Preview-pack smoke | `npm run preview-pack:smoke` | Passed; ready yes; digest `dfb1ed014607`; 5 checks passed and 0 failed |
 | AgentShield enterprise CI output slice | AgentShield local `npm run build`, focused action tests, `npm run typecheck`, `npm run lint`, full `npm test`, and `git diff --check`; GitHub Actions `25994354007`, `25994354011`, `25994354026` | Local gates passed; remote CI, Test GitHub Action, and Self-Scan completed successfully for `1124535` |
 | AgentShield policy-promotion Action output slice | AgentShield local `npm run build`, `npx vitest run tests/action-promotion.test.ts tests/action.test.ts`, `npm run typecheck`, `npm run lint`, full `npm test`, and `git diff --check`; GitHub Actions `25995929182`, `25995929190`, `25995929161` | Local gates passed; remote CI, Test GitHub Action, and Self-Scan completed successfully for `1593925` |
@@ -79,9 +81,9 @@ Tracked repositories in the platform audit were:
 | ECC-Tools hosted promotion judge audit trace slice | ECC-Tools local focused vitest checks for hosted model-judge audit traces, `npm run typecheck`, `npm run lint`, full `npm test`, and `git diff --check`; GitHub Actions `25997840703` | Local gates passed; remote CI completed successfully for `05d4e82` |
 | ECC-Tools billing announcement preflight slice | ECC-Tools local focused vitest preflight tests, `npm run typecheck`, `npm run lint`, full `npm test`, and `git diff --check`; GitHub Actions `25998238507` | Local gates passed; remote CI completed successfully for `91a441b` |
 | ECC-Tools production Marketplace readback-state slice | ECC-Tools local `npm test` and `git diff --check`; Cloudflare `wrangler secret list` confirmed `INTERNAL_API_SECRET` exists by name; `wrangler kv key list` for `account-billing:` and `billing-state:` both returned empty lists; GitHub Actions `25998610438` | Local gates passed; remote CI completed successfully for `eb69412`; live announcement remains blocked until Marketplace purchase/webhook records populate KV |
-| GitHub queues | `gh pr list`; `gh issue list`; `node scripts/platform-audit.js --json --allow-untracked docs/drafts/` | 0 open PRs, 0 open issues, 0 discussion maintainer-touch gaps, 0 answerable Q&A missing accepted answers, 0 GitHub fetch errors, and platform audit ready across the tracked repo set |
+| GitHub queues | `gh pr list`; `gh issue list`; `node scripts/platform-audit.js --json --allow-untracked docs/drafts/` | 0 open PRs, 0 open issues, 0 discussion maintainer-touch gaps, 0 answerable Q&A missing accepted answers, 0 GitHub fetch errors, and platform audit ready across the tracked repo set after generated evidence is committed |
-| Operator dashboard | `npm run operator:dashboard -- --json --allow-untracked docs/drafts/` | Dashboard generated for `27dc2918a24a50b8dd5e23dba2aa6a05bd17c0d7` with platform ready true, dashboard ready true, and macro publication gates still incomplete |
+| Operator dashboard | `npm run operator:dashboard -- --markdown --allow-untracked docs/drafts/ --write docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-17.md` | Dashboard generated for `e6c16b40b80b3b323586c9e8341faa87c01a728c` with platform ready true, dashboard ready true, and macro publication gates still incomplete |
-| GitHub Actions CI | `gh run watch 26000918211 --repo affaan-m/everything-claude-code --exit-status` | Completed successfully for `27dc2918a24a50b8dd5e23dba2aa6a05bd17c0d7`, including Validate Components, Lint, Security Scan, Coverage, and the full OS/Node/package-manager matrix |
+| GitHub Actions CI | `gh run watch 26003629550 --repo affaan-m/everything-claude-code --exit-status` | Completed successfully for `36d390aa7d733d458963a203b91998d3aec477b2`, including Validate Components, Lint, Security Scan, Coverage, and the full OS/Node/package-manager matrix |
 
 ## Current Publication Blockers