From c032e07b1e326e765b8f16a5e47e042c47ab8f92 Mon Sep 17 00:00:00 2001 From: Affaan Mustafa Date: Mon, 18 May 2026 14:24:50 -0400 Subject: [PATCH] docs: refresh may 18 release evidence --- docs/ECC-2.0-GA-ROADMAP.md | 18 +++++++++------ ...operator-readiness-dashboard-2026-05-18.md | 4 ++-- .../publication-evidence-2026-05-18.md | 19 ++++++++------- .../2.0.0-rc.1/publication-readiness.md | 23 ++++++++++--------- 4 files changed, 36 insertions(+), 28 deletions(-) diff --git a/docs/ECC-2.0-GA-ROADMAP.md b/docs/ECC-2.0-GA-ROADMAP.md index be742b87..6a0d97b7 100644 --- a/docs/ECC-2.0-GA-ROADMAP.md +++ b/docs/ECC-2.0-GA-ROADMAP.md @@ -42,9 +42,9 @@ As of 2026-05-18: and Publication, AgentShield Enterprise Iteration, ECC Tools Next-Level Platform, and Legacy Audit and Salvage. - Linear live sync is current for the May 18 merge and supply-chain batch: - ITO-57 has a new current-head supply-chain protection comment - (`0b9931b9-1556-4ebc-a70c-f3635557625d`), and the ECC platform project has - a new operator progress comment (`e32e5b7a-287b-4bf4-9ed7-314389a157e1`). + ITO-57 has a final emergency supply-chain refresh comment + (`3fe5b2b7-c4fe-401c-a317-b40d72119cb3`), and the ECC platform project has + the latest operator progress comment (`e32e5b7a-287b-4bf4-9ed7-314389a157e1`). Linear project status updates are disabled in this workspace, so the project comment is the supported external status surface. - The latest May 18 merge batch on `main` includes PR #1970 workflow-security 
@@ -52,15 +52,17 @@ As of 2026-05-18: de-dup fixes, PR #1972 `uncloud` skill activation structure, PR #1976 OpenAI/AstraFlow provider response guards, ECC-Tools Wrangler OAuth billing readback mirror evidence, the `04d4d819` defensive-deny IOC scanner hardening - recheck, and release evidence with a refreshed operator dashboard. + recheck, `7911af4a` release OIDC publishing-scope hardening, `97567a91` + release workflow line-ending normalization, and release evidence with a + refreshed operator dashboard. - `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md` records the May 18 queue-zero state, current-head TanStack/Mini Shai-Hulud protection recheck, no-lifecycle npm install, npm audit/signature checks, AgentShield project `.claude` scan, Linear sync, work-items sync, operator dashboard refresh, PR #1976 provider-guard validation, ECC-Tools Wrangler OAuth billing readback evidence, defensive-deny IOC scanner coverage, and current-head CI - success for `04d4d819`; a detached clean-worktree preview-pack smoke from - `742bc58d` passed 5/5 with digest `59bbf2630a44`. + success for `97567a91`; a detached clean-worktree preview-pack smoke from + `680aeff0` passed 5/5 with digest `0ed831dbd0cf`. - `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` regenerates the ITO-44 prompt-to-artifact dashboard from live platform audit evidence: PR queue, issue queue, discussion queue, local worktree gate, 
@@ -976,7 +978,9 @@ Acceptance: remaining action count, and digest in hosted security comments/check-runs. AgentShield commit `840952a` adds Linear/operator-ready fleet review ticket payloads and expands current Mini Shai-Hulud IOC breadcrumbs, with green - local and remote CI. + local and remote CI. AgentShield commit `4e36aab` hardens CI package installs + after the expanded Mini Shai-Hulud refresh, with CI, Test GitHub Action, + Self-Scan, and Dependabot Update workflows green. ECC-Tools commit `05d4e82` adds hosted promotion judge audit traces with deterministic request fingerprints and allowed-citation counts, without exposing raw provider output. diff --git a/docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md b/docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md index e9cffa36..e1399344 100644 --- a/docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md +++ b/docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md @@ -2,8 +2,8 @@ This dashboard is generated by `npm run operator:dashboard`. It is an operator snapshot, not release approval. -Generated: 2026-05-18T14:28:49.379Z -Commit: 1571494573f8348d6520b7b58f00885ce9d75834 +Generated: 2026-05-18T18:21:18.798Z +Commit: 97567a91e79e1ee4c291eb78f5f9c30c2046ac94 Status: work remaining ## Current Status diff --git a/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md b/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md index 62331ea2..28f0a2be 100644 --- a/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md +++ b/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md 
@@ -7,9 +7,9 @@ npm publication, plugin tag, marketplace submission, or announcement post. | Field | Evidence | | --- | --- | -| Upstream main | `1571494573f8348d6520b7b58f00885ce9d75834` | +| Upstream main | `97567a91e79e1ee4c291eb78f5f9c30c2046ac94` | | Git remote | `https://github.com/affaan-m/everything-claude-code.git` | -| Evidence scope | Current `main` after PR #1970 workflow-security validator bypass fixes, PR #1971 metrics bridge cost-reporting fixes, PR #1972 `uncloud` skill merge, PR #1973 stale script cleanup, issue #1974 cost-reporting verification/closure, PR #1976 OpenAI/AstraFlow provider response guards, PR #1978 review/closure, catalog/operator dashboard refresh, ECC-Tools Wrangler OAuth billing readback mirror, AgentShield `840952a` fleet-ticket and Mini Shai-Hulud IOC evidence mirror, Mini Shai-Hulud/TanStack protection recheck, defensive-deny IOC scanner hardening, release name/plugin publication checklist, readiness/smoke gate enforcement for that checklist, current-head CI/security scan, work-items sync, and Linear progress sync | +| Evidence scope | Current `main` after PR #1970 workflow-security validator bypass fixes, PR #1971 metrics bridge cost-reporting fixes, PR #1972 `uncloud` skill merge, PR #1973 stale script cleanup, issue #1974 cost-reporting verification/closure, PR #1976 OpenAI/AstraFlow provider response guards, PR #1978 review/closure, catalog/operator dashboard refresh, ECC-Tools Wrangler OAuth billing readback mirror, AgentShield `840952a` fleet-ticket and Mini Shai-Hulud IOC evidence mirror, Mini Shai-Hulud/TanStack protection recheck, defensive-deny IOC scanner hardening, release name/plugin publication checklist, readiness/smoke gate enforcement for that checklist, release OIDC publishing-scope hardening, workflow line-ending normalization, current-head CI/security scan, work-items sync, and Linear progress sync | | Local status caveat | `git status --short --branch` was clean at dashboard generation time; generated 
evidence files are committed after the source snapshot they describe | The actual release operator should repeat all publish-facing checks from the 
@@ -24,7 +24,7 @@ final release commit with a strictly clean checkout before publishing. | Discussion audit | `npm run discussion:audit -- --json` | Ready; 58 sampled discussions in `affaan-m/everything-claude-code`, 0 needing maintainer touch, 0 answerable discussions missing accepted answer, and 0 fetch errors | | Platform audit | `node scripts/platform-audit.js --json --allow-untracked docs/drafts/` | Ready; tracked repos report 0 open PRs, 0 open issues, 0 discussion maintainer-touch gaps, 0 answerable Q&A missing accepted answers, and 0 blocking dirty files | | Work-items sync | `node scripts/work-items.js sync-github --repo ` for five tracked repos; `node scripts/status.js --json`; `node scripts/work-items.js list --json` | All five tracked repos synced with 0 open PRs/issues and no changed work items; local status reports 0 open, 0 blocked, and 0 closed work items | -| Operator dashboard | `npm run operator:dashboard -- --markdown --write docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` | Generated current dashboard for `1571494573f8348d6520b7b58f00885ce9d75834`; dashboard ready true, publication ready false because release, npm, plugin, billing, and announcement gates are approval-gated; AgentShield enterprise evidence now includes `840952a`; ECC Tools target-account billing readback remains the documented native-payments gate; the naming/plugin row still requires the release-name/plugin publication checklist | +| Operator dashboard | `npm run operator:dashboard -- --markdown --write docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` | Generated current dashboard for `97567a91e79e1ee4c291eb78f5f9c30c2046ac94`; dashboard ready true, publication ready false because release, npm, plugin, billing, and announcement gates are approval-gated; AgentShield enterprise evidence now includes `840952a`; ECC Tools target-account billing readback remains the documented native-payments gate; the naming/plugin row still requires the 
release-name/plugin publication checklist | Tracked repositories in the platform audit and work-items sync were: @@ -54,6 +54,8 @@ Tracked repositories in the platform audit and work-items sync were: | Announcement draft tracking | Added `docs/drafts/release-1.10.1-announcement.md` so the stabilization announcement draft is tracked instead of remaining as release-blocking untracked local state | | Clean-worktree preview-pack smoke | Detached worktree at `680aeff0fb9a8598858e3105ba4742973ef386ab`; `node scripts/preview-pack-smoke.js --root --format json` passed 5/5 with digest `0ed831dbd0cf`; 26 required artifacts, final verification commands, Hermes public sanitization boundary, and approval-gated publication blockers were all preserved | | Public queues | Rechecked after the merge and issue-closure batch; 0 PRs, 0 issues, and 0 discussion gaps remain across tracked repos | +| Release OIDC publishing scope | Pushed `7911af4a` to keep the release workflow's trusted-publishing path scoped to release publication instead of broadening OIDC permissions across unrelated jobs; local workflow security validation passed | +| Release workflow normalization | Pushed `97567a91` to normalize release workflow line endings after the OIDC hardening slice; current-head CI `26050727969` passed for `97567a91e79e1ee4c291eb78f5f9c30c2046ac94` | ## Supply-Chain And Security Evidence 
@@ -61,22 +63,23 @@ Tracked repositories in the platform audit and work-items sync were: | --- | --- | --- | | Repo IOC scan | `npm run security:ioc-scan` | Passed; 198 files inspected | | Home persistence IOC scan | `node scripts/ci/scan-supply-chain-iocs.js --home --json` | Passed; 200 files inspected; `findings: []` | +| ECC workspace IOC recheck | `node scripts/ci/scan-supply-chain-iocs.js --root --home --json` | Passed; 1212 files inspected; `findings: []`; exact local path is kept out of public release evidence | | Narrow active persistence sweep | Targeted search over user-level Claude, VS Code, LaunchAgent/systemd, local-bin, `/tmp`, and `/private/tmp` campaign paths | Existing active targets: 2; no campaign marker hits | | Scanner fixture tests | `node tests/ci/scan-supply-chain-iocs.test.js` | 20 passed, 0 failed, including defensive Claude deny-wall pass and hook-with-same-IOC fail-closed coverage | | Advisory source refresh | `node scripts/ci/supply-chain-advisory-sources.js --refresh --json` | Ready with 9 sources; live refresh produced 1 OpenAI URL warning from Node fetch while primary TanStack, GitHub advisory, StepSecurity, Wiz, Socket, npm, and CISA sources returned OK | | No-lifecycle install | `npm ci --ignore-scripts` | Completed cleanly; 213 packages installed, 0 vulnerabilities | | npm audit | `npm audit --audit-level=high` | 0 vulnerabilities | | npm signatures | `npm audit signatures` | 213 verified registry signatures; 17 verified attestations | -| Workflow security | `node scripts/ci/validate-workflow-security.js` | Validated 8 workflow files | +| Workflow security | `node scripts/ci/validate-workflow-security.js` | Validated 8 workflow files after the release OIDC publishing-scope hardening | | AgentShield project scan | `npx --no-install ecc-agentshield scan --format json` | Grade A / 99; 0 critical, 0 high, 0 medium; 6 low docs-example skill telemetry/governance findings | -| Current-head CI security scan | `gh run view 26017368895 
--repo affaan-m/everything-claude-code --json status,conclusion,jobs,url` | Completed successfully for `04d4d81938b20ac2bac1f0025145ab77d6a59f5f`; 37/37 CI jobs passed, including lint, workflow/component validation, coverage, cross-platform package-manager tests, npm audit, and supply-chain IOC scan | +| Current-head CI security scan | `gh run view 26050727969 --repo affaan-m/everything-claude-code --json status,conclusion,headSha,jobs,url` | Completed successfully for `97567a91e79e1ee4c291eb78f5f9c30c2046ac94`; 37/37 CI jobs passed, including lint, workflow/component validation, coverage, cross-platform package-manager tests, npm audit, and supply-chain IOC scan | | Latest Supply-Chain Watch | `gh run view 26010432490 --repo affaan-m/everything-claude-code --json status,conclusion,headSha,url` | Completed successfully for `25ac57ac40e9fc5a0606e76e6339e72c79748c99`; rerun from the final release commit before publication | ## Linear Progress Sync | Surface | Evidence | | --- | --- | -| ITO-57 issue comments | `0b9931b9-1556-4ebc-a70c-f3635557625d` records May 18 queue counts, #1970/#1971/#1972/#1976 merge evidence, supply-chain verification, current-head CI URL, deferred gates, and next slices; reply `6fa15367-d994-4e53-ade3-9462477e1100` records the expanded TanStack/Mini Shai-Hulud recheck, defensive-deny scanner fix, current-head CI `26017368895`, and post-push platform audit | +| ITO-57 issue comments | `0b9931b9-1556-4ebc-a70c-f3635557625d` records May 18 queue counts, #1970/#1971/#1972/#1976 merge evidence, supply-chain verification, current-head CI URL, deferred gates, and next slices; reply `6fa15367-d994-4e53-ade3-9462477e1100` records the expanded TanStack/Mini Shai-Hulud recheck, defensive-deny scanner fix, current-head CI `26017368895`, and post-push platform audit; comment `3fe5b2b7-c4fe-401c-a317-b40d72119cb3` records the final emergency refresh against `97567a91`, AgentShield `4e36aab`, clean ECC/Ito/Documents workspace IOC scans, absent 
dead-man/persistence artifacts, and package-manager/Claude deny-wall posture | | ECC platform project comment | `e32e5b7a-287b-4bf4-9ed7-314389a157e1` records the same current public queue, security, #1976, and remaining-gate state at the project level | | Project status update caveat | Linear returned "Project status updates are not enabled for this workspace"; project comment was used as the supported status surface | @@ -114,8 +117,8 @@ Tracked repositories in the platform audit and work-items sync were: The tracked public PR queue, issue queue, discussion queue, local work-items bridge, release-name/plugin publication gate, and Mini Shai-Hulud/TanStack protection loop are current on May 18, 2026 for current `main` through -`15714945`, with follow-up ECC Tools billing-gate hardening in `632e059` -and AgentShield enterprise hardening in `840952a`. +`97567a91`, with follow-up ECC Tools billing-gate hardening in `632e059` +and AgentShield enterprise/security hardening through `4e36aab`. This improves publication readiness but does not replace the approval-gated release, package, plugin, billing, and announcement steps in `publication-readiness.md`. diff --git a/docs/releases/2.0.0-rc.1/publication-readiness.md b/docs/releases/2.0.0-rc.1/publication-readiness.md index 664147ae..ba4b66b3 100644 --- a/docs/releases/2.0.0-rc.1/publication-readiness.md +++ b/docs/releases/2.0.0-rc.1/publication-readiness.md 
@@ -42,8 +42,9 @@ For the May 18 current-head queue, workflow-security/metrics/uncloud merge batch, PR #1978 review/closure, Mini Shai-Hulud/TanStack local and home protection recheck, npm no-lifecycle install/audit/signature gates, AgentShield project scan, AgentShield `840952a` enterprise/IOC evidence mirror, -work-items sync, Linear progress comments, operator dashboard refresh, and -current-head CI/security scan success for `99e01ded`, see +release OIDC publishing-scope hardening, workflow normalization, work-items sync, +Linear progress comments, operator dashboard refresh, and current-head +CI/security scan success for `97567a91`, see [`publication-evidence-2026-05-18.md`](publication-evidence-2026-05-18.md). For the operator-facing prompt-to-artifact readiness dashboard from the same May 16 pass, see 
@@ -92,22 +93,22 @@ Record the exact commit SHA and command output before any publication action: | Evidence | Command | Required result | Recorded output | | --- | --- | --- | --- | -| Clean release branch | `git status --short --branch` | On intended release commit; no unrelated files | `99e01ded`: `## main...origin/main`; repeat from the exact final publication commit before release | +| Clean release branch | `git status --short --branch` | On intended release commit; no unrelated files | `97567a91`: `## main...origin/main`; repeat from the exact final publication commit before release | | Preview-pack smoke | `npm run preview-pack:smoke` | Preview pack artifacts, Hermes boundary, final verification command list, and publication blockers pass | `publication-evidence-2026-05-18.md`: ready yes, digest `0ed831dbd0cf`, 5 passed, 0 failed; repeat in the final strict clean-checkout release pass | | Harness audit | `npm run harness:audit -- --format json` | 70/70 passing | `99e01ded`: 70/70, 0 top actions | | Adapter scorecard | `npm run harness:adapters -- --check` | PASS | `99e01ded`: PASS, 11 adapters | | Observability readiness | `npm run observability:ready` | 21/21 passing | `publication-evidence-2026-05-18.md`: 21/21, ready yes | | Release safety gate | `npm run observability:ready -- --format json` | Release Safety category passing with publication readiness, supply-chain, workflow security, package surface, and release-surface evidence | May 18 evidence keeps release safety passing; repeat the JSON gate from the exact final release commit | -| Supply-chain verification | `npm audit --json`; `npm audit signatures`; `cd ecc2 && cargo audit -q`; Dependabot alerts; GitGuardian Security Checks | 0 vulnerabilities/alerts, registry signatures verified, GitGuardian clean | `publication-evidence-2026-05-18.md` plus CI `26040120071`: npm registry signatures and attestations verified, 0 high-or-higher npm vulnerabilities, repo/home IOC scans clean, supply-chain IOC scan 
passed | -| Root suite | `node tests/run-all.js` | 0 failures | `99e01ded`: local `node tests/run-all.js` passed 2512/2512; CI `26040120071` passed the full OS/runtime/package-manager matrix | -| Markdown lint | `npx markdownlint-cli '**/*.md' --ignore node_modules` | 0 failures | CI `26040120071`: markdownlint passed on current head; rerun after any release-copy edits | +| Supply-chain verification | `npm audit --json`; `npm audit signatures`; `cd ecc2 && cargo audit -q`; Dependabot alerts; GitGuardian Security Checks | 0 vulnerabilities/alerts, registry signatures verified, GitGuardian clean | `publication-evidence-2026-05-18.md` plus CI `26050727969`: npm registry signatures and attestations verified in the evidence pass, 0 high-or-higher npm vulnerabilities, repo/home IOC scans clean, supply-chain IOC scan passed | +| Root suite | `node tests/run-all.js` | 0 failures | `99e01ded`: local `node tests/run-all.js` passed 2512/2512; current-head CI `26050727969` passed the full OS/runtime/package-manager matrix for `97567a91` | +| Markdown lint | `npx markdownlint-cli '**/*.md' --ignore node_modules` | 0 failures | CI `26050727969`: markdownlint passed on current head; rerun after any release-copy edits | | Package surface | `node tests/scripts/npm-publish-surface.test.js` | 0 failures; no Python bytecode in npm tarball | `2/2` passed in May 12 evidence pass | -| Release surface | `node tests/docs/ecc2-release-surface.test.js` | 0 failures | `99e01ded`: 21/21 passed | +| Release surface | `node tests/docs/ecc2-release-surface.test.js` | 0 failures | `97567a91` evidence refresh: 21/21 passed after public-path sanitization | | Optional Rust surface | `cd ecc2 && cargo test` | 0 failures or explicit deferral | `publication-evidence-2026-05-16.md`: 462/462 passed, existing warnings only | -| Queue baseline | `node scripts/platform-audit.js --json` across trunk, AgentShield, JARVIS, ECC Tools, and ECC website | Under 20 open PRs and under 20 open issues | `99e01ded`: 
platform audit ready, 0 open PRs, 0 open issues, 0 conflicting PRs, and 0 blocking dirty files | -| Discussion baseline | `node scripts/platform-audit.js --json` and `node scripts/discussion-audit.js --json` | No unmanaged active discussion queue and no answerable Q&A missing an accepted answer | `99e01ded`: platform audit sampled 58 trunk discussions, 0 needing maintainer touch, 0 answerable discussions missing accepted answer | -| Linear roadmap | Linear project and issue readback | Detailed roadmap exists with release, security, AgentShield, ECC Tools, legacy, and observability lanes | May 18 Linear comments include ITO-57 `f1c896d9-dd27-4ba2-b5a8-60afe5125c22`; earlier evidence records the project and 16 issue lanes | -| Operator readiness dashboard | `npm run operator:dashboard -- --json` | Current queue state mapped to macro-goal deliverables and incomplete gaps | `99e01ded`: generated May 18 dashboard is committed, platform audit ready true, 0 open PRs, 0 open issues, 0 discussion gaps, and publication gates still approval-gated | +| Queue baseline | `node scripts/platform-audit.js --json` across trunk, AgentShield, JARVIS, ECC Tools, and ECC website | Under 20 open PRs and under 20 open issues | `97567a91`: platform audit ready, 0 open PRs, 0 open issues, 0 conflicting PRs, and 0 blocking dirty files | +| Discussion baseline | `node scripts/platform-audit.js --json` and `node scripts/discussion-audit.js --json` | No unmanaged active discussion queue and no answerable Q&A missing an accepted answer | `97567a91`: platform audit sampled 58 trunk discussions, 0 needing maintainer touch, 0 answerable discussions missing accepted answer | +| Linear roadmap | Linear project and issue readback | Detailed roadmap exists with release, security, AgentShield, ECC Tools, legacy, and observability lanes | May 18 Linear comments include ITO-57 `3fe5b2b7-c4fe-401c-a317-b40d72119cb3`; earlier evidence records the project and 16 issue lanes | +| Operator readiness dashboard 
| `npm run operator:dashboard -- --json` | Current queue state mapped to macro-goal deliverables and incomplete gaps | `97567a91`: generated May 18 dashboard is committed, platform audit ready true, 0 open PRs, 0 open issues, 0 discussion gaps, and publication gates still approval-gated | | Release URL ledger | `docs/releases/2.0.0-rc.1/release-url-ledger-2026-05-18.md` plus placeholder-marker scan | Live links and approval-gated links are separated before announcement copy is posted | Ledger records public repo/docs/CI/supply-chain/npm/OpenAI Codex documentation URLs and blocks GitHub release/npm/plugin/billing/social URLs until approval-gated checks pass | | Release name and plugin publication checklist | `docs/releases/2.0.0-rc.1/release-name-plugin-publication-checklist-2026-05-18.md` | Name/package/plugin values are frozen, final-release commands are listed, and Claude/Codex publication paths cite current official docs | Checklist keeps `Everything Claude Code / ECC`, `ecc-universal`, and plugin slug `ecc` for rc.1; no rename, npm publish, plugin tag, official listing, billing claim, or announcement before final evidence |
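
Review bot: The new "Release OIDC publishing scope" row in `publication-evidence-2026-05-18.md` (hunk `@@ -54,6 +54,8`) records only "local workflow security validation passed", with no command, file count or commit, while the neighbouring rows cite a command, a run id or a digest. Since `7911af4a` changes which jobs can reach the trusted-publishing path, name the validator that was run (the Workflow security row uses `node scripts/ci/validate-workflow-security.js`) and the commit it ran against, so the claim can be re-verified from the evidence file alone.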
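
Review bot: In the "ITO-57 issue comments" row of `publication-evidence-2026-05-18.md` (hunk `@@ -61,22 +63,23`), the retained text still describes run `26017368895` as "current-head CI", although the same hunk moves the "Current-head CI security scan" row to `26050727969` for `97567a91`. The removed line shows `26017368895` ran against `04d4d819`, so reword the older reply's entry to name that commit instead of "current-head"; otherwise the table carries two different runs under the same label.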
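
Review bot: The closing summary of `publication-evidence-2026-05-18.md` (hunk `@@ -114,8 +117,8`) now claims AgentShield hardening "through `4e36aab`", but the "Evidence scope" and "Operator dashboard" rows touched by this same patch still cite only AgentShield `840952a`, and the only other mention of `4e36aab` in this file is inside the description of Linear comment `3fe5b2b7-c4fe-401c-a317-b40d72119cb3`. Either add an evidence row for `4e36aab` (the roadmap hunk lists its CI, Test GitHub Action, Self-Scan and Dependabot Update workflows as green) or keep the summary at `840952a`.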
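
Review bot: In the evidence table of `publication-readiness.md` (hunk `@@ -92,22 +93,22`), the "Recorded output" column now mixes two commits: the Clean release branch, Release surface, Queue baseline, Discussion baseline and Operator readiness dashboard rows move to `97567a91`, while Harness audit and Adapter scorecard still read `99e01ded`, and Root suite keeps the `99e01ded` local 2512/2512 result next to the `97567a91` CI run. The table is introduced with "Record the exact commit SHA and command output", so rerun those three at `97567a91` or mark them explicitly as carried over from `99e01ded`. The Supply-chain verification row has a related gap: its required result lists `cargo audit`, Dependabot alerts and GitGuardian, but the recorded output covers only npm signatures, npm vulnerabilities and IOC scans.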