From cc5c255529a5c158a31a2de74cfe16b80f89f8e6 Mon Sep 17 00:00:00 2001 From: Affaan Mustafa Date: Sun, 17 May 2026 01:10:12 -0400 Subject: [PATCH] docs: mirror agentshield policy promotion gate --- docs/ECC-2.0-GA-ROADMAP.md | 28 +++++++++++++------ ...operator-readiness-dashboard-2026-05-15.md | 18 ++++++------ .../2.0.0-rc.1/preview-pack-manifest.md | 2 +- .../publication-evidence-2026-05-16.md | 11 ++++---- .../2.0.0-rc.1/publication-readiness.md | 7 +++-- scripts/operator-readiness-dashboard.js | 15 +++++++++- .../operator-readiness-dashboard.test.js | 6 ++-- 7 files changed, 57 insertions(+), 30 deletions(-) diff --git a/docs/ECC-2.0-GA-ROADMAP.md b/docs/ECC-2.0-GA-ROADMAP.md index d652347f..b11ad430 100644 --- a/docs/ECC-2.0-GA-ROADMAP.md +++ b/docs/ECC-2.0-GA-ROADMAP.md @@ -18,8 +18,12 @@ As of 2026-05-16: - GitHub queues are clean across `affaan-m/everything-claude-code`, `affaan-m/agentshield`, `affaan-m/JARVIS`, `ECC-Tools/ECC-Tools`, and - `ECC-Tools/ECC-website`: the latest sweep found 0 open PRs and 0 open issues - across all five repos. ECC Tools org verification requires + `ECC-Tools/ECC-website`: the latest sweep found 6 open PRs and 3 open issues + across all five repos: five new Dependabot PRs (#1959-#1963), the + intentionally held Japanese localization PR/issue pair (#1953/#1951) with + maintainer changes requested after parity validation, and two new trunk + issues (#1957/#1958) awaiting the next queue batch. ECC Tools org + verification requires `env -u GITHUB_TOKEN` in this shell so the configured GitHub host credential is used instead of the incompatible environment token. - GitHub discussions are current across those tracked repos: @@ -39,7 +43,8 @@ As of 2026-05-16: AgentShield #87 plugin-cache runtime-confidence classification, AgentShield #88 evidence-pack inspect/readback, AgentShield #89 evidence-pack fleet routing, AgentShield #90 fleet review items, AgentShield #91 - checksum-backed policy export, ECC-Tools #75 billing-gate tightening, + checksum-backed policy export, AgentShield #92 checksum-verified policy + promotion, ECC-Tools #75 billing-gate tightening, ECC-Tools #76 AgentShield fleet-summary consumption, ECC-Tools #77 hosted finding evidence paths, ECC-Tools #78 harness policy-route linking, PR #1947 supply-chain protection, and May 16 release-evidence @@ -504,6 +509,12 @@ As of 2026-05-16: JSON policy per selected pack plus a checksum-backed `manifest.json`, with pack selection, owners, name prefixes, and JSON output for branch-protection review or downstream policy promotion. +- AgentShield PR #92 merged as `e7e259dc6212b63a8e03a253ca6b8c1e3c2abff7` + and adds the protected promotion gate for those bundles: + `agentshield policy promote` verifies the export manifest and selected + policy SHA-256 digest, rejects tampered policy JSON, requires explicit pack + selection for multi-pack manifests, and supports dry-run JSON review before + writing the active `.agentshield/policy.json`. - ECC PR #1803 landed the contributor Quarkus handling branch after maintainer cleanup, current-`main` alignment, full local validation, and preservation of the author's removal of incomplete ja-JP and zh-CN Quarkus translations. @@ -556,11 +567,11 @@ is not complete unless the evidence column exists and has been freshly verified. | Naming and rename readiness | Naming matrix across package/plugin/docs/social surfaces | `docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md` records current package, repo, Claude plugin, Codex plugin, OpenCode, and npm availability evidence | Complete for rc.1; post-rc rename remains future work | | Claude and Codex plugin publication | Contact/submission path with required artifacts and status | Publication readiness, naming matrix, and May 12 dry-run evidence document plugin validation, clean-checkout Claude tag/install smoke, and Codex marketplace CLI shape | Needs explicit approval for real tag/push and marketplace submission | | Articles, tweets, and announcements | X thread, LinkedIn copy, GitHub release copy, push checklist | Draft launch collateral exists under rc.1 release docs | Needs URL-backed refresh | -| AgentShield enterprise iteration | Policy gates, SARIF, packs, provenance, corpus, HTML reports, exception lifecycle audit, baseline drift Action/CLI surfaces, evidence-pack redaction, harness adapter registry, enterprise research roadmap, supply-chain hardened release path, CI-safe baseline fingerprints, corpus accuracy recommendations, remediation workflow phases, env proxy hijack corpus coverage, Mini Shai-Hulud full-campaign package IOCs, CI-provenance evidence packs, plugin-cache runtime-confidence triage, evidence-pack consumer readback, fleet-level evidence-pack routing, fleet review items, and checksum-backed policy export | PRs #53, #55-#64, #67-#69, and #78-#91 landed with test evidence, ECC-Tools #76 consumes the fleet-summary output in hosted security review, #77 surfaces source evidence paths in hosted finding output, and #78 links fleet routes to harness owner review; AgentShield #91 adds `agentshield policy export` bundles for branch-protection review and downstream promotion; native PDF export deferred in favor of self-contained HTML plus print-to-PDF until explicit enterprise demand appears; `docs/architecture/agentshield-enterprise-research-roadmap.md` now has baseline drift, evidence-pack bundle, redaction, adapter-registry, supply-chain hardening, hashed baseline fingerprints, corpus accuracy recommendation, remediation workflow, env proxy hijack corpus, Mini Shai-Hulud full-campaign package-table, `ci-context.json` provenance, `plugin-cache` confidence, `evidence-pack inspect` readback, `evidence-pack fleet` routing, and fleet `reviewItems` landed | Next workflow automation plus richer policy promotion/review UX | +| AgentShield enterprise iteration | Policy gates, SARIF, packs, provenance, corpus, HTML reports, exception lifecycle audit, baseline drift Action/CLI surfaces, evidence-pack redaction, harness adapter registry, enterprise research roadmap, supply-chain hardened release path, CI-safe baseline fingerprints, corpus accuracy recommendations, remediation workflow phases, env proxy hijack corpus coverage, Mini Shai-Hulud full-campaign package IOCs, CI-provenance evidence packs, plugin-cache runtime-confidence triage, evidence-pack consumer readback, fleet-level evidence-pack routing, fleet review items, checksum-backed policy export, and checksum-verified policy promotion | PRs #53, #55-#64, #67-#69, and #78-#92 landed with test evidence, ECC-Tools #76 consumes the fleet-summary output in hosted security review, #77 surfaces source evidence paths in hosted finding output, and #78 links fleet routes to harness owner review; AgentShield #91 adds `agentshield policy export` bundles for branch-protection review and downstream promotion; AgentShield #92 adds `agentshield policy promote` with digest verification, tamper rejection, explicit pack selection, dry-run review, and JSON output before writing active policy; native PDF export deferred in favor of self-contained HTML plus print-to-PDF until explicit enterprise demand appears; `docs/architecture/agentshield-enterprise-research-roadmap.md` now has baseline drift, evidence-pack bundle, redaction, adapter-registry, supply-chain hardening, hashed baseline fingerprints, corpus accuracy recommendation, remediation workflow, env proxy hijack corpus, Mini Shai-Hulud full-campaign package-table, `ci-context.json` provenance, `plugin-cache` confidence, `evidence-pack inspect` readback, `evidence-pack fleet` routing, fleet `reviewItems`, policy export, and policy promotion landed | Next workflow automation around protected rollout and richer runtime review UX | | ECC Tools next-level app | Billing audit, PR checks, deep analyzer, sync backlog, evaluator/RAG corpus, analysis-depth readiness, hosted execution planning, hosted CI diagnostics, hosted security evidence review, hosted harness compatibility audit, hosted reference-set evaluation, hosted AI routing/cost review, hosted team backlog routing, hosted depth-plan check-run, PR-comment hosted job dispatch, hosted job result history/check-runs, hosted result status command, status-aware depth-plan recommendations, hosted promotion readiness, hosted promotion output scoring, hosted promotion retrieval planning, hosted promotion judge contract, gated hosted promotion judge execution, payment-announcement readiness, AgentShield fleet-summary hosted routing, hosted finding source-evidence surfacing, and harness policy-route review | PRs #26-#43 plus #53-#78 landed with test evidence, including AgentShield evidence-pack gap routing, canonical bundle recognition, supply-chain signature gates, PR draft follow-up Linear tracking, evidence-backed/deep-ready repository classification, the `/api/analysis/depth-plan` hosted job plan, `/api/analysis/jobs/ci-diagnostics`, `/api/analysis/jobs/security-evidence-review`, `/api/analysis/jobs/harness-compatibility-audit`, `/api/analysis/jobs/reference-set-evaluation`, `/api/analysis/jobs/ai-routing-cost-review`, `/api/analysis/jobs/team-backlog-routing`, the `ECC Tools / Hosted Depth Plan` check-run, `/ecc-tools analyze --job ...` PR-comment dispatch, non-blocking per-hosted-job result check-runs backed by 30-day result cache records, `/ecc-tools analyze --job status` cache lookup, cache-aware next-job recommendations in the depth-plan check-run, the `ECC Tools / Hosted Promotion Readiness` corpus-backed PR check-run, deterministic hosted-output scoring against cached completed job artifacts/findings, ranked retrieval/model-prompt planning, the fail-closed `hosted-promotion-judge.v1` request contract, opt-in live model-judge execution behind hosted evidence, entitlement, budget, provider, executor, strict JSON, and citation gates, a fail-closed `/api/billing/readiness` `announcementGate` for native GitHub payments claims, `npm run billing:announcement-gate` as the non-secret operator verifier, hosted security findings for AgentShield fleet summaries, an `Evidence` column in hosted finding comments/check-runs, and hosted harness findings that route AgentShield fleet target paths to harness owners | Next work is hosted promotion telemetry, richer operator review UX, and live Marketplace test-account readback | | GitGuardian/Dependabot/CodeRabbit-style checks | Non-blocking taxonomy, deterministic follow-up checks, and local supply-chain gates | ECC-Tools risk taxonomy check plus follow-up signals landed, including Skill Quality, Deep Analyzer Evidence, Analyzer Corpus Evidence, RAG/Evaluator Evidence, PR Review/Salvage Evidence, and AgentShield evidence-pack evidence; #1846 added npm registry signature gates; #1848 added the supply-chain incident-response playbook and `pull_request_target` cache-poisoning validator guard; #1851 added the privileged checkout credential-persistence guard; AgentShield #78, JARVIS #13, and ECC-Tools #53 applied the same hardening outside trunk | Current supply-chain gate complete; deeper hosted review features remain future | | Harness-agnostic learning system | Audit, adapter matrix, observability, traces, promotion loop | Audit/adapters/observability gates plus `docs/architecture/evaluator-rag-prototype.md`, `examples/evaluator-rag-prototype/`, and ECC-Tools PR #40 define read-only stale-salvage, billing-readiness, CI-failure-diagnosis, harness-config-quality, AgentShield policy-exception, skill-quality evidence, deep-analyzer evidence, and RAG/evaluator comparison scenarios with trace, report, playbook, verifier, and predictive-check artifacts; ECC-Tools PRs #68-#72 now turn that corpus into a deterministic PR check-run gate with cached hosted-output scoring, ranked retrieval candidates, a model prompt seed, a fail-closed hosted model-judge request contract, and opt-in live model execution behind strict hosted-evidence gates | Deterministic hosted PR check, cached output scoring, retrieval planning, judge contract, and gated model execution integrated | -| Linear roadmap is detailed | Linear project status plus repo mirror | Repo mirror exists; issue creation was retried on 2026-05-12 and remains blocked by the workspace free issue limit; this May 16 sync adds ECC #1860, AgentShield #78-#91, JARVIS #13, ECC-Tools #53-#78, resolved queue/discussion counts, and a generated `operator:dashboard` prompt-to-artifact audit for recurring status updates | Needs recurring status updates after each significant merge batch | +| Linear roadmap is detailed | Linear project status plus repo mirror | Repo mirror exists; issue creation was retried on 2026-05-12 and remains blocked by the workspace free issue limit; this May 16/17 sync adds ECC #1860, AgentShield #78-#92, JARVIS #13, ECC-Tools #53-#78, current queue/discussion counts, Japanese localization triage, and a generated `operator:dashboard` prompt-to-artifact audit for recurring status updates | Needs recurring status updates after each significant merge batch | | Flow separation and progress tracking | Flow lanes with owner artifacts and update cadence | This roadmap defines lanes below and `docs/architecture/progress-sync-contract.md` makes GitHub/Linear/handoff/roadmap sync part of the readiness gate | Active | | Realtime Linear sync | Project updates while issue limit is blocked; issues later | ECC-Tools #39 implements opt-in Linear API sync for deferred follow-up backlog items, and ECC-Tools #54 adds copy-ready PR drafts to that backlog when draft PR shells are not opened; `docs/architecture/progress-sync-contract.md` defines the local file-backed realtime boundary while issue capacity is blocked | Needs workspace capacity/config rollout | | Observability for self-use | Local readiness gate, traces, status snapshots, HUD/status contract, risk ledger, progress-sync contract | `npm run observability:ready` reports 21/21 | Complete for local gate | @@ -580,7 +591,7 @@ repo evidence and merge commits. | Release and publication | rc.1 release docs, publication readiness doc | Naming matrix and plugin submission/contact checklist | Before any tag | | Harness OS core | Audit, adapter matrix, observability docs, `ecc2/` | HUD/session-control acceptance spec | Weekly until GA | | Evaluation and RAG | Reference-set validation, harness audit, traces, ECC-Tools corpus | Read-only evaluator/RAG prototype plus stale-salvage, billing-readiness, CI-failure-diagnosis, harness-config-quality, AgentShield policy-exception, skill-quality evidence, deep-analyzer evidence, and RAG/evaluator comparison fixtures; ECC-Tools #68 publishes the corpus as a hosted promotion readiness check-run, #69 scores cached hosted job outputs against the same corpus, #70 emits ranked retrieval candidates plus a model prompt seed, #71 adds a fail-closed hosted model-judge request contract, and #72 executes that judge only when explicitly enabled and backed by hosted retrieval citations | Hosted promotion telemetry and operator review UX | -| AgentShield enterprise | AgentShield PR evidence and roadmap notes | Fleet routing landed in #89 after evidence-pack inspect/readback shipped in #88; #90 emits fleet `reviewItems`; #91 exports checksum-backed policy bundles; ECC-Tools #76 consumes fleet summaries, #77 surfaces source evidence paths in hosted findings, and #78 links fleet routes to harness owners | Workflow automation plus policy promotion/review UX | +| AgentShield enterprise | AgentShield PR evidence and roadmap notes | Fleet routing landed in #89 after evidence-pack inspect/readback shipped in #88; #90 emits fleet `reviewItems`; #91 exports checksum-backed policy bundles; #92 promotes checksum-verified policies from those bundles into active policy files; ECC-Tools #76 consumes fleet summaries, #77 surfaces source evidence paths in hosted findings, and #78 links fleet routes to harness owners | Workflow automation around protected rollout and richer runtime review UX | | ECC Tools app | ECC-Tools PR evidence, billing audit, risk taxonomy, evaluator/RAG corpus | ECC-Tools #53 published the supply-chain workflow hardening branch, #54 tracks copy-ready PR drafts in the Linear/project backlog, #55 classifies analysis-depth readiness, #56 exposes the hosted execution plan, #57 executes the first hosted CI diagnostics job, #58 executes the hosted security evidence review job, #59 executes the hosted harness compatibility audit, #60 executes the hosted reference-set evaluation, #61 executes the hosted AI routing/cost review, #62 executes hosted team backlog routing, #63 publishes the hosted depth-plan check-run, #64 dispatches hosted jobs from PR comments, #65 persists hosted result history/check-runs, #66 exposes hosted job status from PR comments, #67 makes depth-plan recommendations cache-aware, #68 publishes hosted promotion readiness from the evaluator/RAG corpus, #69 scores cached hosted job outputs against that corpus, #70 emits ranked retrieval candidates plus a model prompt seed, #71 emits the gated `hosted-promotion-judge.v1` contract without live model calls, #72 adds opt-in live model-judge execution behind hosted-evidence and strict JSON/citation gates, #73 adds a fail-closed native-payments `announcementGate` to billing readiness, #74 adds `npm run billing:announcement-gate` for operator verification, #75 tightens the billing announcement gate for live Marketplace readback, #76 routes AgentShield fleet-summary evidence into hosted security findings, #77 adds source evidence paths to hosted finding output, and #78 links AgentShield fleet target paths to hosted harness owner findings | Live Marketplace test-account readback, hosted promotion telemetry, and richer operator review UX | | Linear progress | Linear project status updates, `docs/architecture/progress-sync-contract.md`, generated `operator:dashboard` output, and this mirror | Status update with queue/evidence/missing gates | Every significant merge batch | @@ -811,8 +822,9 @@ Acceptance: AgentShield PR #90 emits fleet `reviewItems` with source evidence paths and owner-ready recommendations; AgentShield PR #91 exports checksum-backed policy bundles for branch-protection review and downstream policy - promotion. The next slice is workflow automation plus richer policy - promotion/review UX. + promotion; and AgentShield PR #92 promotes checksum-verified policy bundles + into active policy files with dry-run JSON review. The next slice is + workflow automation around protected rollout and richer runtime review UX. 2. Run ECC-Tools `/api/billing/readiness` against a Marketplace-managed test account and require `announcementGate.ready === true` before any native GitHub payments announcement. diff --git a/docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-15.md b/docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-15.md index 5e4097b2..fc28cc6a 100644 --- a/docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-15.md +++ b/docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-15.md @@ -2,18 +2,18 @@ This dashboard is generated by `npm run operator:dashboard`. It is an operator snapshot, not release approval. -Generated: 2026-05-16T16:48:52.768Z -Commit: 610eb346d0183ef5e832e3ac6f9f6a61725578c1 +Generated: 2026-05-17T05:08:31.916Z +Commit: 6d130cfcd5d06b42c7eb30be8e109cfa87fde197 Status: work remaining ## Current Status | Area | Status | Evidence | | --- | --- | --- | -| PR queue | Current | 1 open PRs across tracked repos | -| Issue queue | Current | 2 open issues across tracked repos | +| PR queue | Current | 6 open PRs across tracked repos | +| Issue queue | Current | 3 open issues across tracked repos | | Discussions | Current | 0 need maintainer touch; 0 missing accepted answer | -| Local worktree | Current | 0 blocking dirty files; 1 ignored dirty entries | +| Local worktree | Needs work | 7 blocking dirty files; 1 ignored dirty entries | | Dashboard generation | Current | platform audit ready: true; GitHub skipped: false | | Publication | Not complete | release, npm, plugin, billing, and announcement gates are tracked below | @@ -21,15 +21,15 @@ Status: work remaining | Objective requirement | Artifact or gate | Status | Evidence | Gap | | --- | --- | --- | --- | --- | -| Keep public PRs below 20 | scripts/platform-audit.js live GitHub sweep | current | 1 open PRs across 5 tracked repos | repeat before release | -| Keep public issues below 20 | scripts/platform-audit.js live GitHub sweep | current | 2 open issues across 5 tracked repos | repeat before release | +| Keep public PRs below 20 | scripts/platform-audit.js live GitHub sweep | current | 6 open PRs across 5 tracked repos | repeat before release | +| Keep public issues below 20 | scripts/platform-audit.js live GitHub sweep | current | 3 open issues across 5 tracked repos | repeat before release | | Respond and manage repository discussions | scripts/platform-audit.js discussion summary | current | 0 need maintainer touch; 0 answerable discussions missing accepted answer | repeat before release | | Build ITO-44 completion dashboard into a repeatable command | npm run operator:dashboard | complete | operator:dashboard package script exists | keep generated dashboard attached to publication evidence | | ECC 2.0 preview pack ready | docs/releases/2.0.0-rc.1/preview-pack-manifest.md | in_progress | preview pack manifest is in-tree | final clean-checkout release approval and publish evidence still pending | | Include Hermes specialized skills safely | docs/HERMES-SETUP.md and skills/hermes-imports/SKILL.md | in_progress | Hermes setup and import skill are present | final preview-pack smoke and release review pending | | Prepare name-change, Claude plugin, and Codex plugin paths | naming-and-publication-matrix plus publication-readiness | in_progress | naming matrix and plugin readiness gates exist | real tag/push, marketplace submission, and final channel choice remain approval-gated | | Prepare release notes, articles, tweets, and push notifications | docs/releases/2.0.0-rc.1 social and release-copy files | in_progress | release notes, X thread, and LinkedIn draft are present | URL-backed refresh and publish approval still pending | -| Advance AgentShield enterprise iteration | AgentShield PR evidence plus enterprise roadmap | in_progress | AgentShield enterprise PR evidence is mirrored in the GA roadmap | workflow automation plus policy promotion/review UX pending after policy export shipped | +| Advance AgentShield enterprise iteration | AgentShield PR evidence plus enterprise roadmap | in_progress | AgentShield enterprise PR evidence is mirrored in the GA roadmap | workflow automation around protected rollout and richer runtime review UX pending after policy promotion shipped | | Advance ECC Tools native payments and AI-native harness-agnostic app | ECC Tools PR evidence, billing gate, hosted analysis lanes | in_progress | billing announcement gate, hosted analysis lanes, AgentShield fleet-summary consumption, hosted finding evidence paths, and harness-route policy linking are mirrored in the GA roadmap | live Marketplace test-account readback, hosted promotion telemetry, and richer operator review UX pending | | Audit, prune, or attach legacy work | docs/stale-pr-salvage-ledger.md and legacy inventory | in_progress | legacy salvage ledger and ITO-55 tracking are present | final translation/manual-review tail remains | | Keep Linear roadmap detailed and progress tracking synchronized | Linear project mirror plus progress-sync contract | in_progress | repo mirror and progress-sync contract are present | recurring Linear status sync and productized realtime sync remain pending | @@ -42,7 +42,7 @@ Status: work remaining - `hermes-specialized-skills`: final preview-pack smoke and release review pending - `naming-and-plugin-publication`: real tag/push, marketplace submission, and final channel choice remain approval-gated - `release-notes-and-notifications`: URL-backed refresh and publish approval still pending -- `agentshield-enterprise-iteration`: workflow automation plus policy promotion/review UX pending after policy export shipped +- `agentshield-enterprise-iteration`: workflow automation around protected rollout and richer runtime review UX pending after policy promotion shipped - `ecc-tools-next-level`: live Marketplace test-account readback, hosted promotion telemetry, and richer operator review UX pending - `legacy-salvage`: final translation/manual-review tail remains - `linear-roadmap-and-progress`: recurring Linear status sync and productized realtime sync remain pending diff --git a/docs/releases/2.0.0-rc.1/preview-pack-manifest.md b/docs/releases/2.0.0-rc.1/preview-pack-manifest.md index bd5eb77a..74d92e25 100644 --- a/docs/releases/2.0.0-rc.1/preview-pack-manifest.md +++ b/docs/releases/2.0.0-rc.1/preview-pack-manifest.md @@ -21,7 +21,7 @@ surfaces, or posting announcements. | `docs/releases/2.0.0-rc.1/launch-checklist.md` | Operator launch checklist | Must remain approval-gated for release, package, plugin, and announcement actions | | `docs/releases/2.0.0-rc.1/publication-readiness.md` | Release gate | Requires fresh evidence from the exact release commit | | `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-15.md` | Current May 15 queue, roadmap, security, supply-chain watch, no-lifecycle CI install hardening, AgentShield #86 evidence-pack provenance, ECC Tools billing-gate, Actions cache purge, and `ecc2` test evidence through PR #1941 | Must be superseded by a final clean-checkout evidence file before real publication | -| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-16.md` | Current May 16 queue cleanup, recsys skill merge, GateGuard triage, PR #1947 supply-chain protection, AgentShield #87 plugin-cache confidence evidence, AgentShield #88 evidence-pack inspect/readback, AgentShield #89 evidence-pack fleet routing, AgentShield #90 fleet review items, AgentShield #91 policy export, ECC-Tools #76 fleet-summary consumption, ECC-Tools #77 hosted finding evidence paths, ECC-Tools #78 harness policy-route linking, dashboard refresh, and combined Node/Rust/release-surface gate evidence through the May 16 mirror | Must still be repeated from a strict clean checkout before real publication | +| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-16.md` | Current May 16/17 queue cleanup, recsys skill merge, GateGuard triage, PR #1947 supply-chain protection, AgentShield #87 plugin-cache confidence evidence, AgentShield #88 evidence-pack inspect/readback, AgentShield #89 evidence-pack fleet routing, AgentShield #90 fleet review items, AgentShield #91 policy export, AgentShield #92 policy promotion, ECC-Tools #76 fleet-summary consumption, ECC-Tools #77 hosted finding evidence paths, ECC-Tools #78 harness policy-route linking, dashboard refresh, and combined Node/Rust/release-surface gate evidence through the May 16 mirror | Must still be repeated from a strict clean checkout before real publication | | `docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md` | Naming, slug, and publication-path decision record | Keeps `Everything Claude Code / ECC`, npm `ecc-universal`, and plugin slug `ecc` for rc.1 | | `docs/releases/2.0.0-rc.1/x-thread.md` | X launch draft | Must replace placeholders with live URLs after release/package/plugin publication | | `docs/releases/2.0.0-rc.1/linkedin-post.md` | LinkedIn launch draft | Must replace placeholders with live URLs after release/package/plugin publication | diff --git a/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-16.md b/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-16.md index e4e88ea6..f14519eb 100644 --- a/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-16.md +++ b/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-16.md @@ -9,7 +9,7 @@ npm publication, plugin tag, marketplace submission, or announcement post. | --- | --- | | Upstream main | `6bced468d76b269243a6f0bd28472853aa78e0e4` | | Git remote | `https://github.com/affaan-m/everything-claude-code.git` | -| Evidence scope | Current `main` after PR #1944, PR #1945, issue #1946 triage, PR #1947 supply-chain protection, AgentShield PR #87, AgentShield PR #88, AgentShield PR #89, AgentShield PR #90, AgentShield PR #91, ECC-Tools PR #76, ECC-Tools PR #77, ECC-Tools PR #78, ITO-57 sync, and operator dashboard refresh | +| Evidence scope | Current `main` after PR #1944, PR #1945, issue #1946 triage, PR #1947 supply-chain protection, AgentShield PR #87, AgentShield PR #88, AgentShield PR #89, AgentShield PR #90, AgentShield PR #91, AgentShield PR #92, ECC-Tools PR #76, ECC-Tools PR #77, ECC-Tools PR #78, Japanese localization triage, ITO-57 sync, and operator dashboard refresh | | Local status caveat | `git status --short --branch` showed `## main...origin/main` plus unrelated untracked `docs/drafts/` | The actual release operator should repeat all publish-facing checks from the @@ -19,9 +19,9 @@ final release commit with a strictly clean checkout before publishing. | Surface | Command | Result | | --- | --- | --- | -| Trunk PRs | `gh pr list --state open --json number,title,url --limit 20` | `[]` | -| Trunk issues | `gh issue list --state open --json number,title,url --limit 20` | `[]` | -| Platform audit | `node scripts/platform-audit.js --json --allow-untracked docs/drafts/` | Ready; open PRs 0, open issues 0, discussion maintainer-touch gaps 0, discussion missing-answer gaps 0, blocking dirty files 0 | +| Trunk PRs | `gh pr list --state open --json number,title,url --limit 20` | 6 open PRs: Dependabot #1959-#1963 plus PR #1953, which remains open with changes requested for Japanese localization parity | +| Trunk issues | `gh issue list --state open --json number,title,url --limit 20` | 3 open issues: #1951 linked to held localization PR, plus #1957 and #1958 awaiting the next queue batch | +| Platform audit | `node scripts/platform-audit.js --json --allow-untracked docs/drafts/` | Ready; open PRs 6, open issues 3, discussion maintainer-touch gaps 0, discussion missing-answer gaps 0, blocking dirty files 0 on a clean checkout; current branch generation sees the mirror edits as local dirty work | | Operator dashboard | `npm run operator:dashboard -- --json --allow-untracked docs/drafts/` | `dashboardReady: true`, `platformReady: true`, head `6bced468d76b269243a6f0bd28472853aa78e0e4` | ## Merge And Triage Batch @@ -37,11 +37,12 @@ final release commit with a strictly clean checkout before publishing. | AgentShield PR #89 | Merged evidence-pack fleet routing as `521ada9091bb6d818511ab8589ae675b920c106a`; `agentshield evidence-pack fleet [--json]` now aggregates multiple verified bundles into ready, security-blocker, policy-review, baseline-regression, supply-chain-review, and invalid routes with finding, policy, baseline, supply-chain, and remediation totals | | AgentShield PR #90 | Merged fleet review items as `6d1c57c92000541d65a3b6bc366f0322d7d0dacc`; `agentshield evidence-pack fleet --json` now emits `reviewItems` with route, severity, repository/target context, source evidence paths, reason, and owner-ready recommendation, and the text CLI prints a `Review items` block | | AgentShield PR #91 | Merged checksum-backed policy export as `73e1e3586dc4513a462e39c9799f75eea104e110`; `agentshield policy export` writes one JSON policy file per selected pack plus `manifest.json` with SHA-256 digests, and supports pack selection, repeated owners, name prefixes, and JSON output | +| AgentShield PR #92 | Merged checksum-verified policy promotion as `e7e259dc6212b63a8e03a253ca6b8c1e3c2abff7`; `agentshield policy promote` verifies the export manifest and selected policy digest, rejects tampered JSON, requires explicit pack selection for multi-pack manifests, supports dry-run JSON review, and writes the active policy only after verification | | ECC-Tools PR #76 | Merged AgentShield fleet-summary consumption as `5bde2328d15f584481fb6334e6960716dbf3e16f`; hosted `security-evidence-review` now recognizes `agentshield-evidence/fleet-summary.json`, classifies it as `evidence-pack-fleet`, routes invalid/security-blocker/policy/baseline/supply-chain fleet outcomes into hosted findings, and fails closed on malformed fleet JSON | | ECC-Tools PR #77 | Merged hosted finding source-evidence output as `31fd883b3f0cee135aee4839b01d34855b7867f6`; hosted job PR comments and check-run details now include an `Evidence` column with up to three source evidence paths per finding, including AgentShield fleet-derived findings | | ECC-Tools PR #78 | Merged AgentShield fleet-route harness review as `0d4eb949aa56f56da88e6654273a22ffb95983a1`; hosted `harness-compatibility-audit` now collects fleet summaries, maps route target paths to Claude/Codex/OpenCode/MCP/plugin harness owners, and emits owner-review findings with source evidence paths | | ITO-57 | Updated with PR #1947 advisory-source evidence, post-merge source refresh, IOC scan, npm audit/signature checks, and OpenAI app update caveat | -| ITO-49 | Updated with AgentShield PR #87, #88, #89, #90, and #91 merge evidence, local test evidence, CI status, live `~/.claude` scan classification counts, and local Mini Shai-Hulud protection scan results | +| ITO-49 | Updated with AgentShield PR #87, #88, #89, #90, #91, and #92 merge evidence, local test evidence, CI status, live `~/.claude` scan classification counts, local Mini Shai-Hulud protection scan results, and policy promotion validation | | ITO-50 | Updated with ECC-Tools PR #76, PR #77, and PR #78 merge evidence, hosted security review behavior, hosted finding evidence-path behavior, harness fleet-route owner-review behavior, local test evidence, and remote Verify/Security Audit/Workers build checks | | ITO-44 | Updated with queue cleanup, dashboard refresh, and remaining macro gaps | diff --git a/docs/releases/2.0.0-rc.1/publication-readiness.md b/docs/releases/2.0.0-rc.1/publication-readiness.md index 40a23274..9bfcb243 100644 --- a/docs/releases/2.0.0-rc.1/publication-readiness.md +++ b/docs/releases/2.0.0-rc.1/publication-readiness.md @@ -24,9 +24,10 @@ For the May 16 queue cleanup, recsys skill merge, GateGuard issue triage, AgentShield #87 plugin-cache runtime-confidence evidence, AgentShield #88 evidence-pack inspect/readback, AgentShield #89 evidence-pack fleet routing, AgentShield #90 fleet review items, AgentShield #91 checksum-backed policy -export, ECC-Tools #76 fleet-summary consumption, ECC-Tools #77 hosted finding -evidence paths, ECC-Tools #78 harness policy-route linking, operator dashboard -refresh, and combined final-gate rerun on current `main`, see +export, AgentShield #92 checksum-verified policy promotion, ECC-Tools #76 +fleet-summary consumption, ECC-Tools #77 hosted finding evidence paths, +ECC-Tools #78 harness policy-route linking, operator dashboard refresh, and +combined final-gate rerun on current `main`, see [`publication-evidence-2026-05-16.md`](publication-evidence-2026-05-16.md). For the operator-facing prompt-to-artifact readiness dashboard from the same May 16 pass, see diff --git a/scripts/operator-readiness-dashboard.js b/scripts/operator-readiness-dashboard.js index b2f48991..d6a7182f 100644 --- a/scripts/operator-readiness-dashboard.js +++ b/scripts/operator-readiness-dashboard.js @@ -254,7 +254,12 @@ function hasLegacySalvageTracking({ stalePrSalvage, legacyInventory, roadmap }) function hasAgentShieldEnterpriseTracking(roadmap) { return roadmap.includes('AgentShield Enterprise Iteration') && ( - roadmap.includes('#78-#91') + roadmap.includes('#78-#92') + || roadmap.includes('AgentShield PR #92') + || roadmap.includes('AgentShield #92') + || roadmap.includes('policy promote') + || roadmap.includes('checksum-verified policy promotion') + || roadmap.includes('#78-#91') || roadmap.includes('AgentShield PR #91') || roadmap.includes('AgentShield #91') || roadmap.includes('checksum-backed policy export') @@ -263,6 +268,14 @@ function hasAgentShieldEnterpriseTracking(roadmap) { } function agentShieldEnterpriseGap(roadmap) { + if (roadmap.includes('#78-#92') + || roadmap.includes('AgentShield PR #92') + || roadmap.includes('AgentShield #92') + || roadmap.includes('policy promote') + || roadmap.includes('checksum-verified policy promotion')) { + return 'workflow automation around protected rollout and richer runtime review UX pending after policy promotion shipped'; + } + return roadmap.includes('#78-#91') || roadmap.includes('AgentShield PR #91') || roadmap.includes('AgentShield #91') diff --git a/tests/scripts/operator-readiness-dashboard.test.js b/tests/scripts/operator-readiness-dashboard.test.js index 6ffc06d4..ec780cff 100644 --- a/tests/scripts/operator-readiness-dashboard.test.js +++ b/tests/scripts/operator-readiness-dashboard.test.js @@ -47,7 +47,7 @@ function seedRepo(rootDir, overrides = {}) { 'docs/ECC-2.0-GA-ROADMAP.md': [ 'https://linear.app/itomarkets/project/ecc-platform-roadmap-52b328ee03e1', 'Linear ITO-44 ITO-59', - 'AgentShield PR #91 #78-#91 checksum-backed policy export', + 'AgentShield PR #92 #78-#92 checksum-backed policy export policy promote checksum-verified policy promotion', 'AgentShield Enterprise Iteration', 'ECC-Tools PR #78', 'hosted promotion', @@ -186,7 +186,7 @@ function runTests() { assert.ok(report.requirements.some(item => item.id === 'ecc-tools-next-level' && item.status === 'in_progress')); assert.ok(report.requirements.some(item => ( item.id === 'agentshield-enterprise-iteration' - && item.gap === 'workflow automation plus policy promotion/review UX pending after policy export shipped' + && item.gap === 'workflow automation around protected rollout and richer runtime review UX pending after policy promotion shipped' ))); assert.ok(report.top_actions.some(item => item.id === 'naming-and-plugin-publication')); } finally { @@ -202,7 +202,7 @@ function runTests() { 'docs/ECC-2.0-GA-ROADMAP.md': [ 'https://linear.app/itomarkets/project/ecc-platform-roadmap-52b328ee03e1', 'Linear ITO-44 ITO-59', - 'AgentShield PR #91 #78-#91 checksum-backed policy export', + 'AgentShield PR #92 #78-#92 checksum-backed policy export policy promote checksum-verified policy promotion', 'AgentShield Enterprise Iteration', 'ECC-Tools PR #78', 'hosted promotion',