diff --git a/docs/ECC-2.0-GA-ROADMAP.md b/docs/ECC-2.0-GA-ROADMAP.md index 583893b8..ba557917 100644 --- a/docs/ECC-2.0-GA-ROADMAP.md +++ b/docs/ECC-2.0-GA-ROADMAP.md @@ -32,7 +32,7 @@ partner/sponsor funnel, consulting/talk funnel, and social launch plan. ## Current Evidence -As of 2026-05-18: +As of 2026-05-19: - GitHub queues are clean across `affaan-m/ECC`, `affaan-m/agentshield`, `affaan-m/JARVIS`, `ECC-Tools/ECC-Tools`, and @@ -75,14 +75,11 @@ As of 2026-05-18: recheck, `7911af4a` release OIDC publishing-scope hardening, `97567a91` release workflow line-ending normalization, and release evidence with a refreshed operator dashboard. -- `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md` records the - May 18 queue-zero state, current-head TanStack/Mini Shai-Hulud protection - recheck, no-lifecycle npm install, npm audit/signature checks, AgentShield - project `.claude` scan, Linear sync, work-items sync, operator dashboard - refresh, PR #1976 provider-guard validation, ECC-Tools Wrangler OAuth billing - readback evidence, defensive-deny IOC scanner coverage, and current-head CI - success for `97567a91`; a detached clean-worktree preview-pack smoke from - `680aeff0` passed 5/5 with digest `0ed831dbd0cf`. +- `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-19.md` records the + current May 19 queue-zero state, canonical ECC identity merge, release video + suite gate, partner/sponsor/talk outreach pack, preview-pack smoke digest + `3bb55807407b`, local 2544-test suite, and PR #1993 CI success. The May 18 + evidence remains the detailed supply-chain and publication-path snapshot. - `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` regenerates the ITO-44 prompt-to-artifact dashboard from live platform audit evidence: PR queue, issue queue, discussion queue, local worktree gate, @@ -733,16 +730,16 @@ is not complete unless the evidence column exists and has been freshly verified. | Prompt requirement | Required artifact or gate | Current evidence | Status | | --- | --- | --- | --- | -| Keep public PRs below 20 | Repo-family PR recheck | 0 open PRs across `ECC`, AgentShield, JARVIS, `ECC-Tools/ECC-Tools`, and `ECC-Tools/ECC-website` on 2026-05-18 after merging PR #1976 and refreshing platform audit evidence | Complete | -| Keep public issues below 20 | Repo-family issue recheck | 0 open issues across `ECC`, AgentShield, JARVIS, `ECC-Tools/ECC-Tools`, and `ECC-Tools/ECC-website` on 2026-05-18 after the live platform audit refresh | Complete | +| Keep public PRs below 20 | Repo-family PR recheck | 0 open PRs across `ECC`, AgentShield, JARVIS, `ECC-Tools/ECC-Tools`, and `ECC-Tools/ECC-website` on 2026-05-19 after merging PR #1993 and refreshing platform audit evidence | Complete | +| Keep public issues below 20 | Repo-family issue recheck | 0 open issues across `ECC`, AgentShield, JARVIS, `ECC-Tools/ECC-Tools`, and `ECC-Tools/ECC-website` on 2026-05-19 after the live platform audit refresh | Complete | | Manage repository discussions | Repo-family discussion recheck plus response playbook | Platform audit reports 0 discussion maintainer-touch gaps and 0 answerable Q&A missing accepted answers; trunk still has 58 total discussions; `docs/architecture/discussion-response-playbook.md` distinguishes support, maintainer coordination, stale/concluded, release, informational, and security-sensitive response paths | Complete | -| Manage PR discussions | PR review/comment closure plus merge/close state | ECC #1976 merged after maintainer follow-up validation; no open tracked PRs remain | Complete | +| Manage PR discussions | PR review/comment closure plus merge/close state | ECC #1990-#1993 merged through the harness audit, canonical identity, release video suite, and growth outreach batch; no open tracked PRs remain | Complete | | Salvage useful stale work | `docs/stale-pr-salvage-ledger.md` plus `docs/legacy-artifact-inventory.md` | Ledger records salvaged, superseded, skipped, and manual-review tails; #1815-#1818 added cost tracking, skill scout, frontend design guidance, code-reviewer false-positive guardrails, and the May 12 gap pass; #1687, #1609, #1563, #1564, and #1565 localization tails are attached to Linear ITO-55 for language-owner review and no automatic import remains release-blocking | Complete; repeat legacy scan before release | -| ECC 2.0 preview pack ready | Release docs, quickstart, publication readiness, release notes | `docs/releases/2.0.0-rc.1/` and readiness docs are in-tree; May 18 evidence records queue-zero state, #1970/#1971/#1972/#1976 merge batch, supply-chain recheck, defensive-deny IOC scanner hardening, npm no-lifecycle install/audit/signature gates, Linear sync, refreshed operator dashboard, provider-guard validation, ECC-Tools Wrangler OAuth billing readback evidence, successful current-head CI on `04d4d819`, and detached clean-worktree preview-pack smoke digest `59bbf2630a44` | Needs final release approval | +| ECC 2.0 preview pack ready | Release docs, quickstart, publication readiness, release notes | `docs/releases/2.0.0-rc.1/` and readiness docs are in-tree; May 19 evidence records queue-zero state, canonical ECC identity, release video suite, growth outreach pack, local 2544-test suite, PR #1993 CI success, and preview-pack smoke digest `3bb55807407b` | Needs final release approval | | Hermes specialized skills included safely | Hermes setup/import docs and sanitized skill surface | Hermes setup and import playbook are public; secrets stay local | Needs final release review | | Naming and rename readiness | Naming matrix across package/plugin/docs/social surfaces | `docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md` records current package, repo, Claude plugin, Codex plugin, OpenCode, and npm availability evidence | Complete for rc.1; post-rc rename remains future work | | Claude and Codex plugin publication | Contact/submission path with required artifacts and status | Publication readiness, naming matrix, and May 12 dry-run evidence document plugin validation, clean-checkout Claude tag/install smoke, and Codex marketplace CLI shape | Needs explicit approval for real tag/push and marketplace submission | -| Articles, tweets, and announcements | X thread, LinkedIn copy, GitHub release copy, push checklist | Draft launch collateral exists under rc.1 release docs | Needs URL-backed refresh | +| Articles, tweets, and announcements | X thread, LinkedIn copy, GitHub release copy, push checklist, partner/sponsor/talk pack | Draft launch collateral and approval-gated outreach copy exist under rc.1 release docs | Needs URL-backed refresh and human approval before posting or sending | | AgentShield enterprise iteration | Policy gates, SARIF, packs, provenance, corpus, HTML reports, exception lifecycle audit, baseline drift Action/CLI surfaces, evidence-pack redaction, harness adapter registry, enterprise research roadmap, supply-chain hardened release path, CI-safe baseline fingerprints, corpus accuracy recommendations, remediation workflow phases, env proxy hijack corpus coverage, Mini Shai-Hulud full-campaign package IOCs, CI-provenance evidence packs, plugin-cache runtime-confidence triage, evidence-pack consumer readback, fleet-level evidence-pack routing, fleet review items, fleet review ticket payloads, checksum-backed policy export, checksum-verified policy promotion, policy promotion review items, package-manager hardening drift detection, npm age-gate guidance correction, workflow action-runtime pin refresh, package-manager hardening Action outputs, policy-promotion Action outputs, ECC-Tools hosted consumption of promotion Action outputs, ECC-Tools operator-visible promotion output values, and ECC-Tools hosted promotion judge audit traces | PRs #53, #55-#64, #67-#69, and #78-#92 landed with test evidence, ECC-Tools #76 consumes the fleet-summary output in hosted security review, #77 surfaces source evidence paths in hosted finding output, and #78 links fleet routes to harness owner review; AgentShield #91 adds `agentshield policy export` bundles for branch-protection review and downstream promotion; AgentShield #92 adds `agentshield policy promote` with digest verification, tamper rejection, explicit pack selection, dry-run review, and JSON output before writing active policy; AgentShield commit `87aec47` adds `reviewItems` for digest evidence, owner review, protected rollout PR handoff, and runtime smoke testing with green local and remote CI; AgentShield commit `28d08c7` adds package-manager hardening drift detection for plaintext registry credentials, lifecycle-script enablement, and weak pnpm/Yarn release-age cooldowns with green local and remote CI; AgentShield commit `659f569` refreshes all workflow action runtime pins to SHA-pinned checkout v6.0.2 and setup-node v6.4.0 with green remote CI and no remaining action-runtime deprecation annotation; AgentShield commit `ee585cd` corrects npm release-age guidance by flagging unsupported npm age keys and keeping enforceable cooldown findings on pnpm/Yarn with green local and remote CI; AgentShield commit `1124535` exposes package-manager hardening status/count outputs and a redacted job-summary section for registry credentials, lifecycle scripts, and release-age gates with green local and remote CI; AgentShield commit `1593925` exposes policy-promotion status/count/digest outputs plus job-summary review items for owner approval, protected rollout, and runtime smoke, and marks runtime smoke verified when the same Action job scans with the promoted policy; AgentShield commit `840952a` adds Linear/operator-ready fleet review ticket payloads and expands current Mini Shai-Hulud IOC breadcrumbs with green local and remote CI; ECC-Tools commit `8658951` routes those policy-promotion Action outputs into hosted security review findings and Hosted Promotion Readiness scoring; ECC-Tools commit `16c537f` renders policy-promotion status, pack, review item count, action-required count, and digest in hosted security job comments/check-runs; ECC-Tools commit `05d4e82` renders hosted promotion judge request fingerprints and allowed-citation counts without raw provider output; native PDF export deferred in favor of self-contained HTML plus print-to-PDF until explicit enterprise demand appears; `docs/architecture/agentshield-enterprise-research-roadmap.md` now has baseline drift, evidence-pack bundle, redaction, adapter-registry, supply-chain hardening, hashed baseline fingerprints, corpus accuracy recommendation, remediation workflow, env proxy hijack corpus, Mini Shai-Hulud full-campaign package-table, `ci-context.json` provenance, `plugin-cache` confidence, `evidence-pack inspect` readback, `evidence-pack fleet` routing, fleet `reviewItems`, fleet review ticket payloads, policy export, policy promotion, policy promotion `reviewItems`, package-manager hardening Action outputs, policy-promotion Action outputs, hosted consumption of promotion Action outputs, operator-visible promotion output values, and hosted promotion judge audit traces landed | Next workflow automation should deepen live operator approval/readback after Marketplace/payment gates | | ECC Tools next-level app | Billing audit, PR checks, deep analyzer, sync backlog, evaluator/RAG corpus, analysis-depth readiness, hosted execution planning, hosted CI diagnostics, hosted security evidence review, hosted harness compatibility audit, hosted reference-set evaluation, hosted AI routing/cost review, hosted team backlog routing, hosted depth-plan check-run, PR-comment hosted job dispatch, hosted job result history/check-runs, hosted result status command, status-aware depth-plan recommendations, hosted promotion readiness, hosted promotion output scoring, hosted promotion retrieval planning, hosted promotion judge contract, gated hosted promotion judge execution, hosted promotion judge audit trace, payment-announcement readiness, billing announcement preflight, aggregate production billing KV readback, Marketplace webhook provenance, target-account billing readback, Marketplace-source provenance counts, AgentShield fleet-summary hosted routing, hosted finding evidence paths, harness-route policy linking, policy-promotion Action-output hosted telemetry, and operator-visible promotion output values | PRs #26-#43 plus #53-#78 landed with test evidence, including AgentShield evidence-pack gap routing, canonical bundle recognition, supply-chain signature gates, PR draft follow-up Linear tracking, evidence-backed/deep-ready repository classification, the `/api/analysis/depth-plan` hosted job plan, `/api/analysis/jobs/ci-diagnostics`, `/api/analysis/jobs/security-evidence-review`, `/api/analysis/jobs/harness-compatibility-audit`, `/api/analysis/jobs/reference-set-evaluation`, `/api/analysis/jobs/ai-routing-cost-review`, `/api/analysis/jobs/team-backlog-routing`, the `ECC Tools / Hosted Depth Plan` check-run, `/ecc-tools analyze --job ...` PR-comment dispatch, non-blocking per-hosted-job result check-runs backed by 30-day result cache records, `/ecc-tools analyze --job status` cache lookup, cache-aware next-job recommendations in the depth-plan check-run, the `ECC Tools / Hosted Promotion Readiness` corpus-backed PR check-run, deterministic hosted-output scoring against cached completed job artifacts/findings, ranked retrieval/model-prompt planning, the fail-closed `hosted-promotion-judge.v1` request contract, opt-in live model-judge execution behind hosted evidence, entitlement, budget, provider, executor, strict JSON, and citation gates, hosted promotion judge request fingerprints plus allowed-citation audit trails, a fail-closed `/api/billing/readiness` `announcementGate` for native GitHub payments claims, `npm run billing:announcement-gate` plus `--preflight` as the non-secret operator verifier, hosted security findings for AgentShield fleet summaries, an `Evidence` column in hosted finding comments/check-runs, hosted harness findings that route AgentShield fleet target paths to harness owners, ECC-Tools commit `8658951` routing AgentShield policy-promotion Action outputs into hosted security review and promotion-readiness scoring, ECC-Tools commit `16c537f` rendering policy-promotion status/pack/count/digest values directly in hosted security job comments/check-runs, ECC-Tools commit `05d4e82` rendering model-judge audit traces without exposing raw provider output, ECC-Tools commit `91a441b` adding the safe billing announcement preflight path, ECC-Tools commit `eb69412` recording the initial production readback state, ECC-Tools commit `95d0bec` adding `npm run billing:kv-readback` with aggregate account-billing and billing-state records but 0 Marketplace Pro billing-state records, ECC-Tools commit `2859678` requiring webhook-derived Marketplace provenance before announcement readiness, ECC-Tools commit `42653f9` adding Wrangler OAuth readback, ECC-Tools commit `632e059` adding sanitized target-account readback that requires both target key families before `--require-ready` can pass, and ECC-Tools commit `d5f60db` adding sanitized Marketplace plan/action provenance counts; the latest 2026-05-18 live Wrangler OAuth recheck found 256 account-billing records, 256 billing-state records, 197 Marketplace-source records, 4 Marketplace webhook-provenance records, all `Open Source`, and 0 Marketplace Pro records, then updated Linear ITO-61 with the data/provisioning blocker | Next work is create or verify Marketplace-managed Pro target billing-state with webhook provenance, configure target account plus `INTERNAL_API_SECRET`, then run `billing:kv-readback -- --wrangler --wrangler-bin ./node_modules/.bin/wrangler --account --require-ready`, followed by the live announcement gate | | GitGuardian/Dependabot/CodeRabbit-style checks | Non-blocking taxonomy, deterministic follow-up checks, and local supply-chain gates | ECC-Tools risk taxonomy check plus follow-up signals landed, including Skill Quality, Deep Analyzer Evidence, Analyzer Corpus Evidence, RAG/Evaluator Evidence, PR Review/Salvage Evidence, and AgentShield evidence-pack evidence; #1846 added npm registry signature gates; #1848 added the supply-chain incident-response playbook and `pull_request_target` cache-poisoning validator guard; #1851 added the privileged checkout credential-persistence guard; AgentShield #78, JARVIS #13, and ECC-Tools #53 applied the same hardening outside trunk | Current supply-chain gate complete; deeper hosted review features remain future | diff --git a/docs/releases/2.0.0-rc.1/preview-pack-manifest.md b/docs/releases/2.0.0-rc.1/preview-pack-manifest.md index ee834e35..ab771b0c 100644 --- a/docs/releases/2.0.0-rc.1/preview-pack-manifest.md +++ b/docs/releases/2.0.0-rc.1/preview-pack-manifest.md @@ -24,7 +24,8 @@ surfaces, or posting announcements. | `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-15.md` | Current May 15 queue, roadmap, security, supply-chain watch, no-lifecycle CI install hardening, AgentShield #86 evidence-pack provenance, ECC Tools billing-gate, Actions cache purge, and `ecc2` test evidence through PR #1941 | Must be superseded by a final clean-checkout evidence file before real publication | | `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-16.md` | Current May 16/17 queue cleanup, recsys skill merge, GateGuard triage, PR #1947 supply-chain protection, AgentShield #87 plugin-cache confidence evidence, AgentShield #88 evidence-pack inspect/readback, AgentShield #89 evidence-pack fleet routing, AgentShield #90 fleet review items, AgentShield #91 policy export, AgentShield #92 policy promotion, ECC-Tools #76 fleet-summary consumption, ECC-Tools #77 hosted finding evidence paths, ECC-Tools #78 harness policy-route linking, dashboard refresh, and combined Node/Rust/release-surface gate evidence through the May 16 mirror | Must still be repeated from a strict clean checkout before real publication | | `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-17.md` | May 17 queue-zero state, Japanese localization merge, Dependabot TypeScript and Node type merges, post-merge ja-JP lint repair, Mini Shai-Hulud/TanStack protection recheck, npm audit/signature checks, legacy and Linear progress routing, deterministic preview-pack smoke, operator dashboard refresh, Linear sync, and GitHub CI evidence for `27dc2918` | Superseded by the May 18 evidence snapshot; repeat from a strict clean checkout before real publication | -| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md` | Current May 18 queue-zero state, #1970/#1971/#1972 merge batch, #1978 review/closure, current-head Mini Shai-Hulud/TanStack protection recheck, no-lifecycle install, npm audit/signature checks, AgentShield `840952a` enterprise/IOC evidence mirror, work-items sync, Linear sync, operator dashboard refresh, latest current-head CI/security scan success for `4470e2e6`, and ITO-46 naming/plugin publication closure | Current strongest readiness snapshot; must still be repeated from a strict clean checkout before real publication | +| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md` | May 18 queue-zero state, #1970/#1971/#1972 merge batch, #1978 review/closure, supply-chain recheck, AgentShield evidence mirror, Linear sync, current-head CI/security scan success for `4470e2e6`, and ITO-46 naming/plugin publication closure | Superseded by the May 19 ECC identity, video, and growth evidence snapshot | +| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-19.md` | Current May 19 evidence for canonical ECC identity, release video suite, partner/sponsor/talk outreach pack, preview-pack smoke digest `3bb55807407b`, 2544-test local suite, and PR #1993 CI success | Current strongest readiness snapshot; must still be repeated from a strict clean checkout before real publication | | `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-17.md` | Previous prompt-to-artifact operator dashboard | Superseded by the May 18 generated dashboard | | `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` | Current prompt-to-artifact operator dashboard | Shows PR/issue/discussion/platform/supply-chain gates current and publication, plugin, billing, AgentShield, ECC Tools, legacy, and Linear productization gaps still open | | `docs/releases/2.0.0-rc.1/release-url-ledger-2026-05-19.md` | Live URL and approval-gated URL ledger for release copy | Must be regenerated from the final release commit before public announcements | diff --git a/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-19.md b/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-19.md new file mode 100644 index 00000000..c95fad46 --- /dev/null +++ b/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-19.md @@ -0,0 +1,96 @@ +# ECC v2.0.0-rc.1 Publication Evidence - 2026-05-19 + +This is release-readiness evidence only. It does not create a GitHub release, +npm publication, plugin tag, marketplace submission, billing announcement, or +social announcement. + +## Source Commit + +| Field | Evidence | +| --- | --- | +| Upstream main | `7a0645ed47d6a3aca54b4a214aab6dfaa58e770d` | +| Git remote | `https://github.com/affaan-m/ECC.git` | +| Evidence scope | Current `main` after PR #1990 harness-audit GitHub integration scoring, PR #1991 canonical ECC identity gate, PR #1992 release video-suite gate, and PR #1993 growth outreach pack | +| Local status caveat | `git status --short --branch` was clean after pulling `origin/main`; generated evidence files are committed after the source snapshot they describe | + +The release operator must repeat all publish-facing checks from the exact final +release commit with a strictly clean checkout before publishing. + +## Queue And Discussion State + +| Surface | Command | Result | +| --- | --- | --- | +| Platform audit | `node scripts/platform-audit.js --json` | Ready true; tracked repos report 0 open PRs, 0 open issues, 0 discussion maintainer-touch gaps, 0 answerable Q&A gaps, 0 conflicting PRs, and 0 blocking dirty files | +| Trunk PRs | `gh pr list --repo affaan-m/ECC --state open --json number,title,url,author --limit 100` | `[]` | +| Trunk issues | `gh issue list --repo affaan-m/ECC --state open --json number,title,url,author --limit 100` | `[]` | +| Discussion audit through platform audit | `node scripts/platform-audit.js --json` | `affaan-m/ECC` discussions enabled; 58 sampled; 0 needing maintainer touch; 0 answerable without accepted answer | +| Worktree | `git status --short --branch` | `## main...origin/main` | + +Tracked repositories in the platform audit were: + +- `affaan-m/ECC` +- `affaan-m/agentshield` +- `affaan-m/JARVIS` +- `ECC-Tools/ECC-Tools` +- `ECC-Tools/ECC-website` + +## Merge Batch + +| Item | Result | +| --- | --- | +| PR #1990 | Merged GitHub integration harness-audit scoring and conflict salvage from the earlier unsafe PR lane | +| PR #1991 | Merged canonical ECC release identity gate across README, plugin/package metadata, OpenCode surfaces, Marketplace metadata, audit defaults, quickstart, release URL ledger, naming/publication matrix, and release tests | +| PR #1992 | Merged the release video-suite gate, production manifest, validator, package file surface, preview-pack smoke wiring, release-surface tests, and compact CI JSON output | +| PR #1993 | Merged the partner, sponsor, consulting, conference, podcast, GitHub Discussion, and video CTA pack for the hypergrowth outbound lane | + +## Release And Growth Evidence + +| Gate | Command | Result | +| --- | --- | --- | +| Release-surface tests | `node tests/docs/ecc2-release-surface.test.js` | 25 passed, 0 failed | +| Preview-pack smoke | `npm run preview-pack:smoke -- --format json` | Ready true; digest `3bb55807407b`; 29 required artifacts; 5 passed, 0 failed | +| Release video suite | `npm run release:video-suite -- --format json --summary` with `ECC_VIDEO_SOURCE_ROOT` and `ECC_VIDEO_RELEASE_SUITE_ROOT` | Ready true; 15/15 source assets present; 13/13 render, timeline, caption, EDL, and segment artifacts present; primary rough render is 144.759 seconds and 106.78 MB | +| Full local suite | `node tests/run-all.js` | 2544 passed, 0 failed | +| PR #1993 CI | GitHub Actions run `26093792219` | Completed successfully for `d9ac22c697d9a8a8771512ab01e6df857c16776d`; all reported checks passed, including lint, validation, security scan, coverage, GitGuardian, and the macOS/Ubuntu/Windows test matrix | +| Public-path sanitization | `node scripts/ci/validate-no-personal-paths.js` through local suite and CI | Passed | +| Markdown and whitespace | `markdownlint` focused release docs plus `git diff --check` before PR #1993 | Passed | + +## Product And Positioning Evidence + +| Surface | Evidence | +| --- | --- | +| Canonical repo identity | Public URLs and release docs now use `https://github.com/affaan-m/ECC` where public links are needed | +| Release claim | Release notes and launch collateral frame ECC as the harness-native operator system for agentic work, not a Claude-only config pack | +| Video proof | `video-suite-production.md` gates the local rough render, timeline, captions, source inventory, self-eval, and no-private-path publication rules | +| Growth proof | `partner-sponsor-talks-pack.md` provides approval-gated copy for sponsors, partners, consulting, talks, podcasts, GitHub Discussion, and video CTAs | +| Business baseline | Hypergrowth command center and partner pack use `$1,728/mo` current MRR, `$10,000/mo` target MRR, and `$8,272/mo` gap | + +## Current Publication Blockers + +- GitHub prerelease `v2.0.0-rc.1` is still not created in this pass. +- npm `ecc-universal@2.0.0-rc.1` is still not published to the `next` + dist-tag. +- Claude plugin tag and marketplace propagation remain approval-gated. +- Codex repo-marketplace distribution is verified by prior evidence, but + official Plugin Directory publishing remains blocked on OpenAI submission or + listing evidence. +- ECC Tools billing/native-payments copy remains blocked until a Marketplace + Pro purchase/webhook path writes ready production billing state for a target + Marketplace test account and the billing announcement gate passes. +- Release notes, X, LinkedIn, GitHub release, GitHub Discussion, longform copy, + sponsor outreach, partner outreach, consulting copy, conference pitches, and + podcast pitches still need final live URLs plus human approval before posting + or sending. +- Discord/community links still need a real invite or bot/guild credential path + before public docs should route users there. + +## Result + +The tracked public PR queue, issue queue, discussion queue, canonical ECC +identity, release video suite, preview pack, and growth outreach packet are +current on May 19, 2026 for `main` through +`7a0645ed47d6a3aca54b4a214aab6dfaa58e770d`. + +This improves publication readiness but does not replace the approval-gated +release, package, plugin, billing, Discord, and announcement steps in +`publication-readiness.md`. diff --git a/docs/releases/2.0.0-rc.1/publication-readiness.md b/docs/releases/2.0.0-rc.1/publication-readiness.md index 87b3c4c8..258ccbb2 100644 --- a/docs/releases/2.0.0-rc.1/publication-readiness.md +++ b/docs/releases/2.0.0-rc.1/publication-readiness.md @@ -45,8 +45,9 @@ AgentShield project scan, AgentShield `840952a` enterprise/IOC evidence mirror, release OIDC publishing-scope hardening, workflow normalization, later dashboard/publication-readiness refreshes through `67e63e63`, work-items sync, Linear progress comments, ITO-46 closure, operator dashboard refresh, and -current-head CI/security scan success for `4470e2e6`, see -[`publication-evidence-2026-05-18.md`](publication-evidence-2026-05-18.md). +current-head CI/security scan success through the May 19 identity, video, and +growth-pack merge batch, see +[`publication-evidence-2026-05-19.md`](publication-evidence-2026-05-19.md). For the operator-facing prompt-to-artifact readiness dashboard from the same May 16 pass, see [`operator-readiness-dashboard-2026-05-15.md`](operator-readiness-dashboard-2026-05-15.md). @@ -94,20 +95,20 @@ Record the exact commit SHA and command output before any publication action: | Evidence | Command | Required result | Recorded output | | --- | --- | --- | --- | -| Clean release branch | `git status --short --branch` | On intended release commit; no unrelated files | `4470e2e6`: `## main...origin/main`; repeat from the exact final publication commit before release | -| Preview-pack smoke | `npm run preview-pack:smoke` | Preview pack artifacts, Hermes boundary, final verification command list, and publication blockers pass | `publication-evidence-2026-05-18.md`: ready yes, digest `0ed831dbd0cf`, 5 passed, 0 failed; repeat in the final strict clean-checkout release pass | +| Clean release branch | `git status --short --branch` | On intended release commit; no unrelated files | `7a0645ed`: `## main...origin/main`; repeat from the exact final publication commit before release | +| Preview-pack smoke | `npm run preview-pack:smoke` | Preview pack artifacts, Hermes boundary, final verification command list, and publication blockers pass | `publication-evidence-2026-05-19.md`: ready yes, digest `3bb55807407b`, 29 artifacts, 5 passed, 0 failed; repeat in the final strict clean-checkout release pass | | Harness audit | `npm run harness:audit -- --format json` | 70/70 passing | `99e01ded`: 70/70, 0 top actions | | Adapter scorecard | `npm run harness:adapters -- --check` | PASS | `99e01ded`: PASS, 11 adapters | | Observability readiness | `npm run observability:ready` | 21/21 passing | `publication-evidence-2026-05-18.md`: 21/21, ready yes | | Release safety gate | `npm run observability:ready -- --format json` | Release Safety category passing with publication readiness, supply-chain, workflow security, package surface, and release-surface evidence | May 18 evidence keeps release safety passing; repeat the JSON gate from the exact final release commit | -| Supply-chain verification | `npm audit --json`; `npm audit signatures`; `cd ecc2 && cargo audit -q`; Dependabot alerts; GitGuardian Security Checks | 0 vulnerabilities/alerts, registry signatures verified, GitGuardian clean | `publication-evidence-2026-05-18.md` plus CI `26057806361`: npm registry signatures and attestations verified in the evidence pass, 0 high-or-higher npm vulnerabilities, repo/home IOC scans clean, supply-chain IOC scan passed | -| Root suite | `node tests/run-all.js` | 0 failures | `99e01ded`: local `node tests/run-all.js` passed 2512/2512; current-head CI `26057806361` passed the full OS/runtime/package-manager matrix for `4470e2e6` | -| Markdown lint | `npx markdownlint-cli '**/*.md' --ignore node_modules` | 0 failures | CI `26057806361`: markdownlint passed on current head; rerun after any release-copy edits | +| Supply-chain verification | `npm audit --json`; `npm audit signatures`; `cd ecc2 && cargo audit -q`; Dependabot alerts; GitGuardian Security Checks | 0 vulnerabilities/alerts, registry signatures verified, GitGuardian clean | `publication-evidence-2026-05-19.md` plus CI `26093792219`: GitGuardian and security scan passed; prior May 18 npm registry signatures and IOC scans remain the latest detailed supply-chain evidence | +| Root suite | `node tests/run-all.js` | 0 failures | `7a0645ed`: local `node tests/run-all.js` passed 2544/2544; PR #1993 CI `26093792219` passed the full OS/runtime/package-manager matrix for `d9ac22c6` | +| Markdown lint | `npx markdownlint-cli '**/*.md' --ignore node_modules` | 0 failures | CI `26093792219`: markdownlint passed on the growth-pack PR; rerun after any release-copy edits | | Package surface | `node tests/scripts/npm-publish-surface.test.js` | 0 failures; no Python bytecode in npm tarball | `2/2` passed in May 12 evidence pass | -| Release surface | `node tests/docs/ecc2-release-surface.test.js` | 0 failures | May 18 evidence refresh: 21/21 passed after public-path sanitization, during the `0f1775e3` operator-readiness refresh, and again in the ITO-46 dry-run pass before `4470e2e6` | +| Release surface | `node tests/docs/ecc2-release-surface.test.js` | 0 failures | May 19 evidence refresh: 25/25 passed after adding the video suite and partner/sponsor/talk gates | | Optional Rust surface | `cd ecc2 && cargo test` | 0 failures or explicit deferral | `publication-evidence-2026-05-16.md`: 462/462 passed, existing warnings only | -| Queue baseline | `node scripts/platform-audit.js --json` across trunk, AgentShield, JARVIS, ECC Tools, and ECC website | Under 20 open PRs and under 20 open issues | `4470e2e6`: platform audit ready, 0 open PRs, 0 open issues, 0 conflicting PRs, and 0 blocking dirty files in the regenerated dashboard snapshot | -| Discussion baseline | `node scripts/platform-audit.js --json` and `node scripts/discussion-audit.js --json` | No unmanaged active discussion queue and no answerable Q&A missing an accepted answer | `4470e2e6`: platform audit sampled 58 trunk discussions, 0 needing maintainer touch, 0 answerable discussions missing accepted answer; `docs/architecture/discussion-response-playbook.md` records response templates and security escalation rules | +| Queue baseline | `node scripts/platform-audit.js --json` across trunk, AgentShield, JARVIS, ECC Tools, and ECC website | Under 20 open PRs and under 20 open issues | `7a0645ed`: platform audit ready, 0 open PRs, 0 open issues, 0 conflicting PRs, and 0 blocking dirty files | +| Discussion baseline | `node scripts/platform-audit.js --json` and `node scripts/discussion-audit.js --json` | No unmanaged active discussion queue and no answerable Q&A missing an accepted answer | `7a0645ed`: platform audit sampled 58 trunk discussions, 0 needing maintainer touch, 0 answerable discussions missing accepted answer; `docs/architecture/discussion-response-playbook.md` records response templates and security escalation rules | | Linear roadmap | Linear project and issue readback | Detailed roadmap exists with release, security, AgentShield, ECC Tools, legacy, and observability lanes | May 18 Linear comments include ITO-57 `3fe5b2b7-c4fe-401c-a317-b40d72119cb3` and ITO-44 `fb4a4f33-6c2d-421a-bbdb-63cfad3e3ee4`; earlier evidence records the project and 16 issue lanes | | Operator readiness dashboard | `npm run operator:dashboard -- --json` | Current queue state mapped to macro-goal deliverables and incomplete gaps | `4470e2e6`: regenerated May 18 dashboard from current main; platform audit ready true, 0 open PRs, 0 open issues, 0 discussion gaps, 0 dirty files, and publication gates still approval-gated | | Release URL ledger | `docs/releases/2.0.0-rc.1/release-url-ledger-2026-05-19.md` plus placeholder-marker scan | Live links and approval-gated links are separated before announcement copy is posted | Ledger records public repo/docs/npm/OpenAI Codex documentation URLs and blocks GitHub release/npm/plugin/billing/social URLs until approval-gated checks pass | diff --git a/docs/releases/2.0.0-rc.1/release-url-ledger-2026-05-19.md b/docs/releases/2.0.0-rc.1/release-url-ledger-2026-05-19.md index 149bf516..e2a6dc2d 100644 --- a/docs/releases/2.0.0-rc.1/release-url-ledger-2026-05-19.md +++ b/docs/releases/2.0.0-rc.1/release-url-ledger-2026-05-19.md @@ -17,7 +17,8 @@ with output from the exact release commit. | Release pack folder | | In-tree release pack | | Release notes draft | | In-tree release copy | | Hermes setup guide | | In-tree sanitized Hermes guide | -| May 18 evidence snapshot | | Current strongest pre-rename readiness evidence | +| May 19 evidence snapshot | | Current strongest identity, video, growth, and CI readiness evidence | +| May 18 evidence snapshot | | Previous supply-chain and publication-path readiness evidence | | May 18 operator dashboard | | Prompt-to-artifact dashboard | | npm package page | | `npm view ecc-universal name version dist-tags --json` returned `latest: 1.10.0`; rc.1 is not published yet | | Codex marketplace CLI docs | | Official docs list `codex plugin marketplace add` for GitHub shorthand, Git URLs, SSH URLs, and local marketplace roots | diff --git a/scripts/platform-audit.js b/scripts/platform-audit.js index fbb2d059..a774031c 100644 --- a/scripts/platform-audit.js +++ b/scripts/platform-audit.js @@ -426,7 +426,7 @@ function buildLocalEvidenceChecks(rootDir) { const roadmap = readText(rootDir, 'docs/ECC-2.0-GA-ROADMAP.md'); const progressSync = readText(rootDir, 'docs/architecture/progress-sync-contract.md'); const supplyChain = readText(rootDir, 'docs/security/supply-chain-incident-response.md'); - const evidence = readText(rootDir, 'docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md'); + const evidence = readText(rootDir, 'docs/releases/2.0.0-rc.1/publication-evidence-2026-05-19.md'); const operatorDashboard = readText(rootDir, 'docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md'); return [ @@ -472,9 +472,9 @@ function buildLocalEvidenceChecks(rootDir) { ), buildCheck( 'release-evidence-current', - includesAll(evidence, ['TanStack', 'Mini Shai-Hulud', 'Home persistence IOC scan', 'Supply-Chain Watch', 'npm signatures']) ? 'pass' : 'fail', - 'rc.1 evidence includes current supply-chain verification artifacts', - { path: 'docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md' } + includesAll(evidence, ['Release video suite', 'growth outreach', 'GitGuardian', 'macOS/Ubuntu/Windows test matrix', '2544 passed']) ? 'pass' : 'fail', + 'rc.1 evidence includes current release, video, growth, and CI artifacts', + { path: 'docs/releases/2.0.0-rc.1/publication-evidence-2026-05-19.md' } ), buildCheck( 'operator-readiness-dashboard', diff --git a/scripts/preview-pack-smoke.js b/scripts/preview-pack-smoke.js index e004e09b..1c7aec97 100644 --- a/scripts/preview-pack-smoke.js +++ b/scripts/preview-pack-smoke.js @@ -26,6 +26,7 @@ const REQUIRED_ARTIFACTS = [ `${RELEASE_DIR}/publication-evidence-2026-05-16.md`, `${RELEASE_DIR}/publication-evidence-2026-05-17.md`, `${RELEASE_DIR}/publication-evidence-2026-05-18.md`, + `${RELEASE_DIR}/publication-evidence-2026-05-19.md`, `${RELEASE_DIR}/operator-readiness-dashboard-2026-05-17.md`, `${RELEASE_DIR}/operator-readiness-dashboard-2026-05-18.md`, `${RELEASE_DIR}/release-url-ledger-2026-05-19.md`, diff --git a/tests/docs/ecc2-release-surface.test.js b/tests/docs/ecc2-release-surface.test.js index c7745d88..1fb55df6 100644 --- a/tests/docs/ecc2-release-surface.test.js +++ b/tests/docs/ecc2-release-surface.test.js @@ -180,6 +180,7 @@ test('preview pack manifest assembles release, Hermes, and publication gates', ( 'docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md', 'docs/releases/2.0.0-rc.1/release-url-ledger-2026-05-19.md', 'docs/releases/2.0.0-rc.1/video-suite-production.md', + 'docs/releases/2.0.0-rc.1/publication-evidence-2026-05-19.md', 'docs/releases/2.0.0-rc.1/release-name-plugin-publication-checklist-2026-05-18.md', ]) { assert.ok(manifest.includes(artifact), `preview pack manifest missing ${artifact}`); diff --git a/tests/scripts/operator-readiness-dashboard.test.js b/tests/scripts/operator-readiness-dashboard.test.js index 3c390760..6f697c65 100644 --- a/tests/scripts/operator-readiness-dashboard.test.js +++ b/tests/scripts/operator-readiness-dashboard.test.js @@ -153,6 +153,13 @@ function seedRepo(rootDir, overrides = {}) { 'npm signatures', 'Node IPC follow-up node-ipc IOC scan' ].join('\n'), + 'docs/releases/2.0.0-rc.1/publication-evidence-2026-05-19.md': [ + 'Release video suite', + 'growth outreach', + 'GitGuardian', + 'macOS/Ubuntu/Windows test matrix', + '2544 passed' + ].join('\n'), '.github/workflows/supply-chain-watch.yml': 'name: Supply-Chain Watch supply-chain-advisory-sources.js supply-chain-advisory-sources.json' }; diff --git a/tests/scripts/platform-audit.test.js b/tests/scripts/platform-audit.test.js index dde31584..cba1adc9 100644 --- a/tests/scripts/platform-audit.test.js +++ b/tests/scripts/platform-audit.test.js @@ -62,12 +62,12 @@ function seedRepo(rootDir, overrides = {}) { 'scan-supply-chain-iocs.js', 'supply-chain-advisory-sources.js' ].join('\n'), - 'docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md': [ - 'TanStack', - 'Mini Shai-Hulud', - 'Home persistence IOC scan', - 'Supply-Chain Watch', - 'npm signatures' + 'docs/releases/2.0.0-rc.1/publication-evidence-2026-05-19.md': [ + 'Release video suite', + 'growth outreach', + 'GitGuardian', + 'macOS/Ubuntu/Windows test matrix', + '2544 passed' ].join('\n'), 'docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md': [ 'This dashboard is generated by `npm run operator:dashboard`',