docs: refresh may 18 release evidence

docs/ECC-2.0-GA-ROADMAP.md

@@ -42,9 +42,9 @@ As of 2026-05-18:
   and Publication, AgentShield Enterprise Iteration, ECC Tools Next-Level
   Platform, and Legacy Audit and Salvage.
 - Linear live sync is current for the May 18 merge and supply-chain batch:
-  ITO-57 has a new current-head supply-chain protection comment
+  ITO-57 has a final emergency supply-chain refresh comment
-  (`0b9931b9-1556-4ebc-a70c-f3635557625d`), and the ECC platform project has
+  (`3fe5b2b7-c4fe-401c-a317-b40d72119cb3`), and the ECC platform project has
-  a new operator progress comment (`e32e5b7a-287b-4bf4-9ed7-314389a157e1`).
+  the latest operator progress comment (`e32e5b7a-287b-4bf4-9ed7-314389a157e1`).
   Linear project status updates are disabled in this workspace, so the project
   comment is the supported external status surface.
 - The latest May 18 merge batch on `main` includes PR #1970 workflow-security
@@ -52,15 +52,17 @@ As of 2026-05-18:
   de-dup fixes, PR #1972 `uncloud` skill activation structure, PR #1976
   OpenAI/AstraFlow provider response guards, ECC-Tools Wrangler OAuth billing
   readback mirror evidence, the `04d4d819` defensive-deny IOC scanner hardening
-  recheck, and release evidence with a refreshed operator dashboard.
+  recheck, `7911af4a` release OIDC publishing-scope hardening, `97567a91`
+  release workflow line-ending normalization, and release evidence with a
+  refreshed operator dashboard.
 - `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md` records the
   May 18 queue-zero state, current-head TanStack/Mini Shai-Hulud protection
   recheck, no-lifecycle npm install, npm audit/signature checks, AgentShield
   project `.claude` scan, Linear sync, work-items sync, operator dashboard
   refresh, PR #1976 provider-guard validation, ECC-Tools Wrangler OAuth billing
   readback evidence, defensive-deny IOC scanner coverage, and current-head CI
-  success for `04d4d819`; a detached clean-worktree preview-pack smoke from
+  success for `97567a91`; a detached clean-worktree preview-pack smoke from
-  `742bc58d` passed 5/5 with digest `59bbf2630a44`.
+  `680aeff0` passed 5/5 with digest `0ed831dbd0cf`.
 - `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md`
   regenerates the ITO-44 prompt-to-artifact dashboard from live platform audit
   evidence: PR queue, issue queue, discussion queue, local worktree gate,
@@ -976,7 +978,9 @@ Acceptance:
    remaining action count, and digest in hosted security comments/check-runs.
    AgentShield commit `840952a` adds Linear/operator-ready fleet review ticket
    payloads and expands current Mini Shai-Hulud IOC breadcrumbs, with green
-   local and remote CI.
+   local and remote CI. AgentShield commit `4e36aab` hardens CI package installs
+   after the expanded Mini Shai-Hulud refresh, with CI, Test GitHub Action,
+   Self-Scan, and Dependabot Update workflows green.
    ECC-Tools commit `05d4e82` adds hosted promotion judge audit traces with
    deterministic request fingerprints and allowed-citation counts, without
    exposing raw provider output.

docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md

@@ -2,8 +2,8 @@
 
 This dashboard is generated by `npm run operator:dashboard`. It is an operator snapshot, not release approval.
 
-Generated: 2026-05-18T14:28:49.379Z
+Generated: 2026-05-18T18:21:18.798Z
-Commit: 1571494573f8348d6520b7b58f00885ce9d75834
+Commit: 97567a91e79e1ee4c291eb78f5f9c30c2046ac94
 Status: work remaining
 
 ## Current Status

docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md

@@ -7,9 +7,9 @@ npm publication, plugin tag, marketplace submission, or announcement post.
 
 | Field | Evidence |
 | --- | --- |
-| Upstream main | `1571494573f8348d6520b7b58f00885ce9d75834` |
+| Upstream main | `97567a91e79e1ee4c291eb78f5f9c30c2046ac94` |
 | Git remote | `https://github.com/affaan-m/everything-claude-code.git` |
-| Evidence scope | Current `main` after PR #1970 workflow-security validator bypass fixes, PR #1971 metrics bridge cost-reporting fixes, PR #1972 `uncloud` skill merge, PR #1973 stale script cleanup, issue #1974 cost-reporting verification/closure, PR #1976 OpenAI/AstraFlow provider response guards, PR #1978 review/closure, catalog/operator dashboard refresh, ECC-Tools Wrangler OAuth billing readback mirror, AgentShield `840952a` fleet-ticket and Mini Shai-Hulud IOC evidence mirror, Mini Shai-Hulud/TanStack protection recheck, defensive-deny IOC scanner hardening, release name/plugin publication checklist, readiness/smoke gate enforcement for that checklist, current-head CI/security scan, work-items sync, and Linear progress sync |
+| Evidence scope | Current `main` after PR #1970 workflow-security validator bypass fixes, PR #1971 metrics bridge cost-reporting fixes, PR #1972 `uncloud` skill merge, PR #1973 stale script cleanup, issue #1974 cost-reporting verification/closure, PR #1976 OpenAI/AstraFlow provider response guards, PR #1978 review/closure, catalog/operator dashboard refresh, ECC-Tools Wrangler OAuth billing readback mirror, AgentShield `840952a` fleet-ticket and Mini Shai-Hulud IOC evidence mirror, Mini Shai-Hulud/TanStack protection recheck, defensive-deny IOC scanner hardening, release name/plugin publication checklist, readiness/smoke gate enforcement for that checklist, release OIDC publishing-scope hardening, workflow line-ending normalization, current-head CI/security scan, work-items sync, and Linear progress sync |
 | Local status caveat | `git status --short --branch` was clean at dashboard generation time; generated evidence files are committed after the source snapshot they describe |
 
 The actual release operator should repeat all publish-facing checks from the
@@ -24,7 +24,7 @@ final release commit with a strictly clean checkout before publishing.
 | Discussion audit | `npm run discussion:audit -- --json` | Ready; 58 sampled discussions in `affaan-m/everything-claude-code`, 0 needing maintainer touch, 0 answerable discussions missing accepted answer, and 0 fetch errors |
 | Platform audit | `node scripts/platform-audit.js --json --allow-untracked docs/drafts/` | Ready; tracked repos report 0 open PRs, 0 open issues, 0 discussion maintainer-touch gaps, 0 answerable Q&A missing accepted answers, and 0 blocking dirty files |
 | Work-items sync | `node scripts/work-items.js sync-github --repo <tracked-repo>` for five tracked repos; `node scripts/status.js --json`; `node scripts/work-items.js list --json` | All five tracked repos synced with 0 open PRs/issues and no changed work items; local status reports 0 open, 0 blocked, and 0 closed work items |
-| Operator dashboard | `npm run operator:dashboard -- --markdown --write docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` | Generated current dashboard for `1571494573f8348d6520b7b58f00885ce9d75834`; dashboard ready true, publication ready false because release, npm, plugin, billing, and announcement gates are approval-gated; AgentShield enterprise evidence now includes `840952a`; ECC Tools target-account billing readback remains the documented native-payments gate; the naming/plugin row still requires the release-name/plugin publication checklist |
+| Operator dashboard | `npm run operator:dashboard -- --markdown --write docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` | Generated current dashboard for `97567a91e79e1ee4c291eb78f5f9c30c2046ac94`; dashboard ready true, publication ready false because release, npm, plugin, billing, and announcement gates are approval-gated; AgentShield enterprise evidence now includes `840952a`; ECC Tools target-account billing readback remains the documented native-payments gate; the naming/plugin row still requires the release-name/plugin publication checklist |
 
 Tracked repositories in the platform audit and work-items sync were:
 
@@ -54,6 +54,8 @@ Tracked repositories in the platform audit and work-items sync were:
 | Announcement draft tracking | Added `docs/drafts/release-1.10.1-announcement.md` so the stabilization announcement draft is tracked instead of remaining as release-blocking untracked local state |
 | Clean-worktree preview-pack smoke | Detached worktree at `680aeff0fb9a8598858e3105ba4742973ef386ab`; `node scripts/preview-pack-smoke.js --root <worktree> --format json` passed 5/5 with digest `0ed831dbd0cf`; 26 required artifacts, final verification commands, Hermes public sanitization boundary, and approval-gated publication blockers were all preserved |
 | Public queues | Rechecked after the merge and issue-closure batch; 0 PRs, 0 issues, and 0 discussion gaps remain across tracked repos |
+| Release OIDC publishing scope | Pushed `7911af4a` to keep the release workflow's trusted-publishing path scoped to release publication instead of broadening OIDC permissions across unrelated jobs; local workflow security validation passed |
+| Release workflow normalization | Pushed `97567a91` to normalize release workflow line endings after the OIDC hardening slice; current-head CI `26050727969` passed for `97567a91e79e1ee4c291eb78f5f9c30c2046ac94` |
 
 ## Supply-Chain And Security Evidence
 
@@ -61,22 +63,23 @@ Tracked repositories in the platform audit and work-items sync were:
 | --- | --- | --- |
 | Repo IOC scan | `npm run security:ioc-scan` | Passed; 198 files inspected |
 | Home persistence IOC scan | `node scripts/ci/scan-supply-chain-iocs.js --home --json` | Passed; 200 files inspected; `findings: []` |
+| ECC workspace IOC recheck | `node scripts/ci/scan-supply-chain-iocs.js --root <local ECC root> --home --json` | Passed; 1212 files inspected; `findings: []`; exact local path is kept out of public release evidence |
 | Narrow active persistence sweep | Targeted search over user-level Claude, VS Code, LaunchAgent/systemd, local-bin, `/tmp`, and `/private/tmp` campaign paths | Existing active targets: 2; no campaign marker hits |
 | Scanner fixture tests | `node tests/ci/scan-supply-chain-iocs.test.js` | 20 passed, 0 failed, including defensive Claude deny-wall pass and hook-with-same-IOC fail-closed coverage |
 | Advisory source refresh | `node scripts/ci/supply-chain-advisory-sources.js --refresh --json` | Ready with 9 sources; live refresh produced 1 OpenAI URL warning from Node fetch while primary TanStack, GitHub advisory, StepSecurity, Wiz, Socket, npm, and CISA sources returned OK |
 | No-lifecycle install | `npm ci --ignore-scripts` | Completed cleanly; 213 packages installed, 0 vulnerabilities |
 | npm audit | `npm audit --audit-level=high` | 0 vulnerabilities |
 | npm signatures | `npm audit signatures` | 213 verified registry signatures; 17 verified attestations |
-| Workflow security | `node scripts/ci/validate-workflow-security.js` | Validated 8 workflow files |
+| Workflow security | `node scripts/ci/validate-workflow-security.js` | Validated 8 workflow files after the release OIDC publishing-scope hardening |
 | AgentShield project scan | `npx --no-install ecc-agentshield scan --format json` | Grade A / 99; 0 critical, 0 high, 0 medium; 6 low docs-example skill telemetry/governance findings |
-| Current-head CI security scan | `gh run view 26017368895 --repo affaan-m/everything-claude-code --json status,conclusion,jobs,url` | Completed successfully for `04d4d81938b20ac2bac1f0025145ab77d6a59f5f`; 37/37 CI jobs passed, including lint, workflow/component validation, coverage, cross-platform package-manager tests, npm audit, and supply-chain IOC scan |
+| Current-head CI security scan | `gh run view 26050727969 --repo affaan-m/everything-claude-code --json status,conclusion,headSha,jobs,url` | Completed successfully for `97567a91e79e1ee4c291eb78f5f9c30c2046ac94`; 37/37 CI jobs passed, including lint, workflow/component validation, coverage, cross-platform package-manager tests, npm audit, and supply-chain IOC scan |
 | Latest Supply-Chain Watch | `gh run view 26010432490 --repo affaan-m/everything-claude-code --json status,conclusion,headSha,url` | Completed successfully for `25ac57ac40e9fc5a0606e76e6339e72c79748c99`; rerun from the final release commit before publication |
 
 ## Linear Progress Sync
 
 | Surface | Evidence |
 | --- | --- |
-| ITO-57 issue comments | `0b9931b9-1556-4ebc-a70c-f3635557625d` records May 18 queue counts, #1970/#1971/#1972/#1976 merge evidence, supply-chain verification, current-head CI URL, deferred gates, and next slices; reply `6fa15367-d994-4e53-ade3-9462477e1100` records the expanded TanStack/Mini Shai-Hulud recheck, defensive-deny scanner fix, current-head CI `26017368895`, and post-push platform audit |
+| ITO-57 issue comments | `0b9931b9-1556-4ebc-a70c-f3635557625d` records May 18 queue counts, #1970/#1971/#1972/#1976 merge evidence, supply-chain verification, current-head CI URL, deferred gates, and next slices; reply `6fa15367-d994-4e53-ade3-9462477e1100` records the expanded TanStack/Mini Shai-Hulud recheck, defensive-deny scanner fix, current-head CI `26017368895`, and post-push platform audit; comment `3fe5b2b7-c4fe-401c-a317-b40d72119cb3` records the final emergency refresh against `97567a91`, AgentShield `4e36aab`, clean ECC/Ito/Documents workspace IOC scans, absent dead-man/persistence artifacts, and package-manager/Claude deny-wall posture |
 | ECC platform project comment | `e32e5b7a-287b-4bf4-9ed7-314389a157e1` records the same current public queue, security, #1976, and remaining-gate state at the project level |
 | Project status update caveat | Linear returned "Project status updates are not enabled for this workspace"; project comment was used as the supported status surface |
 
@@ -114,8 +117,8 @@ Tracked repositories in the platform audit and work-items sync were:
 The tracked public PR queue, issue queue, discussion queue, local work-items
 bridge, release-name/plugin publication gate, and Mini Shai-Hulud/TanStack
 protection loop are current on May 18, 2026 for current `main` through
-`15714945`, with follow-up ECC Tools billing-gate hardening in `632e059`
+`97567a91`, with follow-up ECC Tools billing-gate hardening in `632e059`
-and AgentShield enterprise hardening in `840952a`.
+and AgentShield enterprise/security hardening through `4e36aab`.
 This improves publication readiness but does not replace the approval-gated
 release, package, plugin, billing, and announcement steps in
 `publication-readiness.md`.

docs/releases/2.0.0-rc.1/publication-readiness.md

@@ -42,8 +42,9 @@ For the May 18 current-head queue, workflow-security/metrics/uncloud merge
 batch, PR #1978 review/closure, Mini Shai-Hulud/TanStack local and home
 protection recheck, npm no-lifecycle install/audit/signature gates,
 AgentShield project scan, AgentShield `840952a` enterprise/IOC evidence mirror,
-work-items sync, Linear progress comments, operator dashboard refresh, and
+release OIDC publishing-scope hardening, workflow normalization, work-items sync,
-current-head CI/security scan success for `99e01ded`, see
+Linear progress comments, operator dashboard refresh, and current-head
+CI/security scan success for `97567a91`, see
 [`publication-evidence-2026-05-18.md`](publication-evidence-2026-05-18.md).
 For the operator-facing prompt-to-artifact readiness dashboard from the same
 May 16 pass, see
@@ -92,22 +93,22 @@ Record the exact commit SHA and command output before any publication action:
 
 | Evidence | Command | Required result | Recorded output |
 | --- | --- | --- | --- |
-| Clean release branch | `git status --short --branch` | On intended release commit; no unrelated files | `99e01ded`: `## main...origin/main`; repeat from the exact final publication commit before release |
+| Clean release branch | `git status --short --branch` | On intended release commit; no unrelated files | `97567a91`: `## main...origin/main`; repeat from the exact final publication commit before release |
 | Preview-pack smoke | `npm run preview-pack:smoke` | Preview pack artifacts, Hermes boundary, final verification command list, and publication blockers pass | `publication-evidence-2026-05-18.md`: ready yes, digest `0ed831dbd0cf`, 5 passed, 0 failed; repeat in the final strict clean-checkout release pass |
 | Harness audit | `npm run harness:audit -- --format json` | 70/70 passing | `99e01ded`: 70/70, 0 top actions |
 | Adapter scorecard | `npm run harness:adapters -- --check` | PASS | `99e01ded`: PASS, 11 adapters |
 | Observability readiness | `npm run observability:ready` | 21/21 passing | `publication-evidence-2026-05-18.md`: 21/21, ready yes |
 | Release safety gate | `npm run observability:ready -- --format json` | Release Safety category passing with publication readiness, supply-chain, workflow security, package surface, and release-surface evidence | May 18 evidence keeps release safety passing; repeat the JSON gate from the exact final release commit |
-| Supply-chain verification | `npm audit --json`; `npm audit signatures`; `cd ecc2 && cargo audit -q`; Dependabot alerts; GitGuardian Security Checks | 0 vulnerabilities/alerts, registry signatures verified, GitGuardian clean | `publication-evidence-2026-05-18.md` plus CI `26040120071`: npm registry signatures and attestations verified, 0 high-or-higher npm vulnerabilities, repo/home IOC scans clean, supply-chain IOC scan passed |
+| Supply-chain verification | `npm audit --json`; `npm audit signatures`; `cd ecc2 && cargo audit -q`; Dependabot alerts; GitGuardian Security Checks | 0 vulnerabilities/alerts, registry signatures verified, GitGuardian clean | `publication-evidence-2026-05-18.md` plus CI `26050727969`: npm registry signatures and attestations verified in the evidence pass, 0 high-or-higher npm vulnerabilities, repo/home IOC scans clean, supply-chain IOC scan passed |
-| Root suite | `node tests/run-all.js` | 0 failures | `99e01ded`: local `node tests/run-all.js` passed 2512/2512; CI `26040120071` passed the full OS/runtime/package-manager matrix |
+| Root suite | `node tests/run-all.js` | 0 failures | `99e01ded`: local `node tests/run-all.js` passed 2512/2512; current-head CI `26050727969` passed the full OS/runtime/package-manager matrix for `97567a91` |
-| Markdown lint | `npx markdownlint-cli '**/*.md' --ignore node_modules` | 0 failures | CI `26040120071`: markdownlint passed on current head; rerun after any release-copy edits |
+| Markdown lint | `npx markdownlint-cli '**/*.md' --ignore node_modules` | 0 failures | CI `26050727969`: markdownlint passed on current head; rerun after any release-copy edits |
 | Package surface | `node tests/scripts/npm-publish-surface.test.js` | 0 failures; no Python bytecode in npm tarball | `2/2` passed in May 12 evidence pass |
-| Release surface | `node tests/docs/ecc2-release-surface.test.js` | 0 failures | `99e01ded`: 21/21 passed |
+| Release surface | `node tests/docs/ecc2-release-surface.test.js` | 0 failures | `97567a91` evidence refresh: 21/21 passed after public-path sanitization |
 | Optional Rust surface | `cd ecc2 && cargo test` | 0 failures or explicit deferral | `publication-evidence-2026-05-16.md`: 462/462 passed, existing warnings only |
-| Queue baseline | `node scripts/platform-audit.js --json` across trunk, AgentShield, JARVIS, ECC Tools, and ECC website | Under 20 open PRs and under 20 open issues | `99e01ded`: platform audit ready, 0 open PRs, 0 open issues, 0 conflicting PRs, and 0 blocking dirty files |
+| Queue baseline | `node scripts/platform-audit.js --json` across trunk, AgentShield, JARVIS, ECC Tools, and ECC website | Under 20 open PRs and under 20 open issues | `97567a91`: platform audit ready, 0 open PRs, 0 open issues, 0 conflicting PRs, and 0 blocking dirty files |
-| Discussion baseline | `node scripts/platform-audit.js --json` and `node scripts/discussion-audit.js --json` | No unmanaged active discussion queue and no answerable Q&A missing an accepted answer | `99e01ded`: platform audit sampled 58 trunk discussions, 0 needing maintainer touch, 0 answerable discussions missing accepted answer |
+| Discussion baseline | `node scripts/platform-audit.js --json` and `node scripts/discussion-audit.js --json` | No unmanaged active discussion queue and no answerable Q&A missing an accepted answer | `97567a91`: platform audit sampled 58 trunk discussions, 0 needing maintainer touch, 0 answerable discussions missing accepted answer |
-| Linear roadmap | Linear project and issue readback | Detailed roadmap exists with release, security, AgentShield, ECC Tools, legacy, and observability lanes | May 18 Linear comments include ITO-57 `f1c896d9-dd27-4ba2-b5a8-60afe5125c22`; earlier evidence records the project and 16 issue lanes |
+| Linear roadmap | Linear project and issue readback | Detailed roadmap exists with release, security, AgentShield, ECC Tools, legacy, and observability lanes | May 18 Linear comments include ITO-57 `3fe5b2b7-c4fe-401c-a317-b40d72119cb3`; earlier evidence records the project and 16 issue lanes |
-| Operator readiness dashboard | `npm run operator:dashboard -- --json` | Current queue state mapped to macro-goal deliverables and incomplete gaps | `99e01ded`: generated May 18 dashboard is committed, platform audit ready true, 0 open PRs, 0 open issues, 0 discussion gaps, and publication gates still approval-gated |
+| Operator readiness dashboard | `npm run operator:dashboard -- --json` | Current queue state mapped to macro-goal deliverables and incomplete gaps | `97567a91`: generated May 18 dashboard is committed, platform audit ready true, 0 open PRs, 0 open issues, 0 discussion gaps, and publication gates still approval-gated |
 | Release URL ledger | `docs/releases/2.0.0-rc.1/release-url-ledger-2026-05-18.md` plus placeholder-marker scan | Live links and approval-gated links are separated before announcement copy is posted | Ledger records public repo/docs/CI/supply-chain/npm/OpenAI Codex documentation URLs and blocks GitHub release/npm/plugin/billing/social URLs until approval-gated checks pass |
 | Release name and plugin publication checklist | `docs/releases/2.0.0-rc.1/release-name-plugin-publication-checklist-2026-05-18.md` | Name/package/plugin values are frozen, final-release commands are listed, and Claude/Codex publication paths cite current official docs | Checklist keeps `Everything Claude Code / ECC`, `ecc-universal`, and plugin slug `ecc` for rc.1; no rename, npm publish, plugin tag, official listing, billing claim, or announcement before final evidence |