zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-05-18 14:53:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

docs: add May 18 readiness evidence

Browse Source
This commit is contained in:
Affaan Mustafa
2026-05-17 22:19:00 -04:00
parent 3b7e0ba30a
commit ec171300c6
5 changed files with 150 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
docs/ECC-2.0-GA-ROADMAP.md
View File

@@ -14,15 +14,16 @@ execution truth is split across:
## Current Evidence
As of 2026-05-17:
As of 2026-05-18:
- GitHub queues are clean across `affaan-m/everything-claude-code`,
`affaan-m/agentshield`, `affaan-m/JARVIS`, `ECC-Tools/ECC-Tools`, and
`ECC-Tools/ECC-website`: the latest `platform-audit` sweep found 0 open PRs,
0 open issues, 0 discussion maintainer-touch gaps, 0 answerable Q&A missing
accepted answers, and 0 blocking dirty files when allowing the unrelated
local `docs/drafts/` directory. The May 17 queue batch merged #1961, #1963,
and #1953, closed/skipped incompatible #1962, and #1953 closed #1951.
local `docs/drafts/` directory. The May 18 sync also refreshed
`scripts/work-items.js sync-github` across all five tracked repos, leaving
no open or blocked local work items.
- GitHub discussions are current across those tracked repos:
`affaan-m/everything-claude-code` has 58 total discussions and 0 without
maintainer touch after May 15 maintainer updates on #73 and #1239; AgentShield,
@@ -32,21 +33,32 @@ As of 2026-05-17:
`ITO-59`) and five milestones: Security and Access Baseline, ECC 2.0 Preview
and Publication, AgentShield Enterprise Iteration, ECC Tools Next-Level
Platform, and Legacy Audit and Salvage.
- Linear live sync is current for the May 17 merge batch: ITO-57 has a new
supply-chain protection comment (`ca703b95-41a1-403e-9bc4-3d68edd4d4a3`),
and the ECC platform project has a new operator progress snapshot
(`6c4d1b92-95cf-4ea1-84fd-cbea36f24d1a`).
- `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-17.md` records the
May 17 queue-zero state, Japanese localization merge, Dependabot TypeScript
and Node type merges, post-merge ja-JP lint repair, Mini Shai-Hulud/TanStack
local protection recheck, npm audit/signature checks, current operator
dashboard, and GitHub CI success for `99dd6ac0`.
- `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-17.md`
- Linear live sync is current for the May 18 merge and supply-chain batch:
ITO-57 has a new current-head supply-chain protection comment
(`0b9931b9-1556-4ebc-a70c-f3635557625d`), and the ECC platform project has
a new operator progress comment (`e32e5b7a-287b-4bf4-9ed7-314389a157e1`).
Linear project status updates are disabled in this workspace, so the project
comment is the supported external status surface.
- The latest May 18 merge batch on `main` includes PR #1970 workflow-security
validator bypass fixes, PR #1971 metrics bridge cost-reporting and warning
de-dup fixes, PR #1972 `uncloud` skill activation structure, and
`3b7e0ba3` catalog/operator dashboard refresh.
- `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md` records the
May 18 queue-zero state, current-head TanStack/Mini Shai-Hulud protection
recheck, no-lifecycle npm install, npm audit/signature checks, AgentShield
project `.claude` scan, Linear sync, work-items sync, operator dashboard
refresh, and current-head Supply-Chain Watch success for `3b7e0ba3`.
- `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md`
regenerates the ITO-44 prompt-to-artifact dashboard from live platform audit
evidence: PR queue, issue queue, discussion queue, local worktree gate,
dashboard generation, and supply-chain loop are current; publication, plugin,
billing, AgentShield, ECC Tools, legacy, and Linear/productized sync lanes
remain the next work.
- `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-17.md` records the
May 17 queue-zero state, Japanese localization merge, Dependabot TypeScript
and Node type merges, post-merge ja-JP lint repair, Mini Shai-Hulud/TanStack
local protection recheck, npm audit/signature checks, current operator
dashboard, and GitHub CI success for `99dd6ac0`.
- `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-16.md` records the
queue, discussion, Linear roadmap, ECC Tools access, Mini Shai-Hulud/TanStack
full-campaign follow-up, scheduled supply-chain watch coverage, no-lifecycle
@@ -64,9 +76,13 @@ As of 2026-05-17:
- `npm run harness:audit -- --format json` reports 70/70 on current `main`.
- `npm run observability:ready` reports 21/21 readiness on current `main`,
including the GitHub/Linear/handoff/roadmap progress-sync contract.
- GitHub CI run `25983803011` completed successfully for
`99dd6ac0db20fce51713b6a1c92515d2453b769e`, including Validate Components,
- GitHub CI run `26009328404` completed successfully for
`3b7e0ba30a027ffd3319c2f145c63076c296d80a`, including Validate Components,
Coverage, Lint, Security Scan, and the full Node/package-manager matrix.
- Supply-Chain Watch run `26009825837` completed successfully for
`3b7e0ba30a027ffd3319c2f145c63076c296d80a`, including no-lifecycle install,
npm audit/signature verification, scanner fixtures, advisory-source
fixtures, IOC/advisory artifact generation, and workflow-security validation.
- PR #1846 merged as `797f283036904128bb1b348ae62019eb9f08cf39` and made
npm registry signature verification a durable workflow-security gate:
workflows that run `npm audit` now need `npm audit signatures`.
@@ -626,7 +642,7 @@ is not complete unless the evidence column exists and has been freshly verified.
| Manage repository discussions | Repo-family discussion recheck | Platform audit reports 0 discussion maintainer-touch gaps and 0 answerable Q&A missing accepted answers; trunk still has 58 total discussions | Complete |
| Manage PR discussions | PR review/comment closure plus merge/close state | ECC #1961, #1963, and #1953 merged after maintainer validation; no open tracked PRs remain | Complete |
| Salvage useful stale work | `docs/stale-pr-salvage-ledger.md` plus `docs/legacy-artifact-inventory.md` | Ledger records salvaged, superseded, skipped, and manual-review tails; #1815-#1818 added cost tracking, skill scout, frontend design guidance, code-reviewer false-positive guardrails, and the May 12 gap pass; #1687, #1609, #1563, #1564, and #1565 localization tails are attached to Linear ITO-55 for language-owner review and no automatic import remains release-blocking | Complete; repeat legacy scan before release |
| ECC 2.0 preview pack ready | Release docs, quickstart, publication readiness, release notes | `docs/releases/2.0.0-rc.1/` and readiness docs are in-tree; May 17 evidence records queue-zero state, localized docs merge, supply-chain recheck, lint/test/security gates, operator dashboard, and successful GitHub CI on `99dd6ac0` | Needs final clean-checkout release approval |
| ECC 2.0 preview pack ready | Release docs, quickstart, publication readiness, release notes | `docs/releases/2.0.0-rc.1/` and readiness docs are in-tree; May 18 evidence records queue-zero state, #1970/#1971/#1972 merge batch, supply-chain recheck, npm no-lifecycle install/audit/signature gates, Linear sync, operator dashboard, and successful current-head Supply-Chain Watch on `3b7e0ba3` | Needs final clean-checkout release approval |
| Hermes specialized skills included safely | Hermes setup/import docs and sanitized skill surface | Hermes setup and import playbook are public; secrets stay local | Needs final release review |
| Naming and rename readiness | Naming matrix across package/plugin/docs/social surfaces | `docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md` records current package, repo, Claude plugin, Codex plugin, OpenCode, and npm availability evidence | Complete for rc.1; post-rc rename remains future work |
| Claude and Codex plugin publication | Contact/submission path with required artifacts and status | Publication readiness, naming matrix, and May 12 dry-run evidence document plugin validation, clean-checkout Claude tag/install smoke, and Codex marketplace CLI shape | Needs explicit approval for real tag/push and marketplace submission |
@@ -635,9 +651,9 @@ is not complete unless the evidence column exists and has been freshly verified.
| ECC Tools next-level app | Billing audit, PR checks, deep analyzer, sync backlog, evaluator/RAG corpus, analysis-depth readiness, hosted execution planning, hosted CI diagnostics, hosted security evidence review, hosted harness compatibility audit, hosted reference-set evaluation, hosted AI routing/cost review, hosted team backlog routing, hosted depth-plan check-run, PR-comment hosted job dispatch, hosted job result history/check-runs, hosted result status command, status-aware depth-plan recommendations, hosted promotion readiness, hosted promotion output scoring, hosted promotion retrieval planning, hosted promotion judge contract, gated hosted promotion judge execution, hosted promotion judge audit trace, payment-announcement readiness, billing announcement preflight, production Marketplace readback state, AgentShield fleet-summary hosted routing, hosted finding source-evidence surfacing, harness policy-route review, policy-promotion Action-output hosted telemetry, and operator-visible promotion output values | PRs #26-#43 plus #53-#78 landed with test evidence, including AgentShield evidence-pack gap routing, canonical bundle recognition, supply-chain signature gates, PR draft follow-up Linear tracking, evidence-backed/deep-ready repository classification, the `/api/analysis/depth-plan` hosted job plan, `/api/analysis/jobs/ci-diagnostics`, `/api/analysis/jobs/security-evidence-review`, `/api/analysis/jobs/harness-compatibility-audit`, `/api/analysis/jobs/reference-set-evaluation`, `/api/analysis/jobs/ai-routing-cost-review`, `/api/analysis/jobs/team-backlog-routing`, the `ECC Tools / Hosted Depth Plan` check-run, `/ecc-tools analyze --job ...` PR-comment dispatch, non-blocking per-hosted-job result check-runs backed by 30-day result cache records, `/ecc-tools analyze --job status` cache lookup, cache-aware next-job recommendations in the depth-plan check-run, the `ECC Tools / Hosted Promotion Readiness` corpus-backed PR check-run, deterministic hosted-output scoring against cached completed job artifacts/findings, ranked retrieval/model-prompt planning, the fail-closed `hosted-promotion-judge.v1` request contract, opt-in live model-judge execution behind hosted evidence, entitlement, budget, provider, executor, strict JSON, and citation gates, hosted promotion judge request fingerprints plus allowed-citation audit trails, a fail-closed `/api/billing/readiness` `announcementGate` for native GitHub payments claims, `npm run billing:announcement-gate` plus `--preflight` as the non-secret operator verifier, hosted security findings for AgentShield fleet summaries, an `Evidence` column in hosted finding comments/check-runs, hosted harness findings that route AgentShield fleet target paths to harness owners, ECC-Tools commit `8658951` routing AgentShield policy-promotion Action outputs into hosted security review and promotion-readiness scoring, ECC-Tools commit `16c537f` rendering policy-promotion status/pack/count/digest values directly in hosted security job comments/check-runs, ECC-Tools commit `05d4e82` rendering model-judge audit traces without exposing raw provider output, ECC-Tools commit `91a441b` adding the safe billing announcement preflight path, and ECC-Tools commit `eb69412` recording that production has no Marketplace billing-state KV records yet | Next work is complete Marketplace purchase/webhook readback, then run the live announcement gate |
| GitGuardian/Dependabot/CodeRabbit-style checks | Non-blocking taxonomy, deterministic follow-up checks, and local supply-chain gates | ECC-Tools risk taxonomy check plus follow-up signals landed, including Skill Quality, Deep Analyzer Evidence, Analyzer Corpus Evidence, RAG/Evaluator Evidence, PR Review/Salvage Evidence, and AgentShield evidence-pack evidence; #1846 added npm registry signature gates; #1848 added the supply-chain incident-response playbook and `pull_request_target` cache-poisoning validator guard; #1851 added the privileged checkout credential-persistence guard; AgentShield #78, JARVIS #13, and ECC-Tools #53 applied the same hardening outside trunk | Current supply-chain gate complete; deeper hosted review features remain future |
| Harness-agnostic learning system | Audit, adapter matrix, observability, traces, promotion loop | Audit/adapters/observability gates plus `docs/architecture/evaluator-rag-prototype.md`, `examples/evaluator-rag-prototype/`, and ECC-Tools PR #40 define read-only stale-salvage, billing-readiness, CI-failure-diagnosis, harness-config-quality, AgentShield policy-exception, skill-quality evidence, deep-analyzer evidence, and RAG/evaluator comparison scenarios with trace, report, playbook, verifier, and predictive-check artifacts; ECC-Tools PRs #68-#72 now turn that corpus into a deterministic PR check-run gate with cached hosted-output scoring, ranked retrieval candidates, a model prompt seed, a fail-closed hosted model-judge request contract, and opt-in live model execution behind strict hosted-evidence gates | Deterministic hosted PR check, cached output scoring, retrieval planning, judge contract, and gated model execution integrated |
| Linear roadmap is detailed | Linear project status plus repo mirror | Repo mirror exists; issue creation was retried on 2026-05-12 and remains blocked by the workspace free issue limit; the May 17 sync adds the queue-zero batch, Japanese localization merge, ITO-57 live supply-chain refresh comment, ECC platform project progress snapshot, and generated `operator:dashboard` prompt-to-artifact audit for recurring status updates | Needs recurring status updates after each significant merge batch |
| Linear roadmap is detailed | Linear project status plus repo mirror | Repo mirror exists; issue creation was retried on 2026-05-12 and remains blocked by the workspace free issue limit; the May 18 sync adds queue-zero/work-items state, #1970/#1971/#1972 merge evidence, ITO-57 current-head supply-chain refresh comment `0b9931b9-1556-4ebc-a70c-f3635557625d`, ECC platform progress comment `e32e5b7a-287b-4bf4-9ed7-314389a157e1`, and generated `operator:dashboard` prompt-to-artifact audit for recurring status updates | Needs recurring status updates after each significant merge batch |
| Flow separation and progress tracking | Flow lanes with owner artifacts and update cadence | This roadmap defines lanes below and `docs/architecture/progress-sync-contract.md` makes GitHub/Linear/handoff/roadmap sync part of the readiness gate | Active |
| Realtime Linear sync | Project updates while issue limit is blocked; issues later | ECC-Tools #39 implements opt-in Linear API sync for deferred follow-up backlog items, and ECC-Tools #54 adds copy-ready PR drafts to that backlog when draft PR shells are not opened; `docs/architecture/progress-sync-contract.md` defines the local file-backed realtime boundary while issue capacity is blocked; May 17 live connector comments were posted to ITO-57 and the ECC platform project | Needs workspace capacity/config rollout for productized issue sync |
| Realtime Linear sync | Project comments while issue/status capacity is blocked; issues later | ECC-Tools #39 implements opt-in Linear API sync for deferred follow-up backlog items, and ECC-Tools #54 adds copy-ready PR drafts to that backlog when draft PR shells are not opened; `docs/architecture/progress-sync-contract.md` defines the local file-backed realtime boundary while issue capacity is blocked; May 18 live connector comments were posted to ITO-57 and the ECC platform project after project status updates returned disabled | Needs workspace capacity/config rollout for productized issue sync |
| Observability for self-use | Local readiness gate, traces, status snapshots, HUD/status contract, risk ledger, progress-sync contract | `npm run observability:ready` reports 21/21 | Complete for local gate |
| Proper release and notifications | Release tag, npm publish state, plugin state, social posts | Publication readiness gate exists with May 12 dry-run and May 13 readiness evidence | Not complete; approval/live URLs required |

6
docs/releases/2.0.0-rc.1/preview-pack-manifest.md
View File

@@ -23,8 +23,10 @@ surfaces, or posting announcements.
| `docs/releases/2.0.0-rc.1/publication-readiness.md` | Release gate | Requires fresh evidence from the exact release commit |
| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-15.md` | Current May 15 queue, roadmap, security, supply-chain watch, no-lifecycle CI install hardening, AgentShield #86 evidence-pack provenance, ECC Tools billing-gate, Actions cache purge, and `ecc2` test evidence through PR #1941 | Must be superseded by a final clean-checkout evidence file before real publication |
| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-16.md` | Current May 16/17 queue cleanup, recsys skill merge, GateGuard triage, PR #1947 supply-chain protection, AgentShield #87 plugin-cache confidence evidence, AgentShield #88 evidence-pack inspect/readback, AgentShield #89 evidence-pack fleet routing, AgentShield #90 fleet review items, AgentShield #91 policy export, AgentShield #92 policy promotion, ECC-Tools #76 fleet-summary consumption, ECC-Tools #77 hosted finding evidence paths, ECC-Tools #78 harness policy-route linking, dashboard refresh, and combined Node/Rust/release-surface gate evidence through the May 16 mirror | Must still be repeated from a strict clean checkout before real publication |
| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-17.md` | Current May 17 queue-zero state, Japanese localization merge, Dependabot TypeScript and Node type merges, post-merge ja-JP lint repair, Mini Shai-Hulud/TanStack protection recheck, npm audit/signature checks, legacy and Linear progress routing, deterministic preview-pack smoke, operator dashboard refresh, Linear sync, and GitHub CI evidence for `27dc2918` | Current strongest readiness snapshot; must still be repeated from a strict clean checkout before real publication |
| `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-17.md` | Current prompt-to-artifact operator dashboard | Shows PR/issue/discussion/platform/supply-chain gates current and publication, plugin, billing, AgentShield, ECC Tools, legacy, and Linear productization gaps still open |
| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-17.md` | May 17 queue-zero state, Japanese localization merge, Dependabot TypeScript and Node type merges, post-merge ja-JP lint repair, Mini Shai-Hulud/TanStack protection recheck, npm audit/signature checks, legacy and Linear progress routing, deterministic preview-pack smoke, operator dashboard refresh, Linear sync, and GitHub CI evidence for `27dc2918` | Superseded by the May 18 evidence snapshot; repeat from a strict clean checkout before real publication |
| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md` | Current May 18 queue-zero state, #1970/#1971/#1972 merge batch, current-head Mini Shai-Hulud/TanStack protection recheck, no-lifecycle install, npm audit/signature checks, AgentShield project `.claude` scan, work-items sync, Linear sync, operator dashboard refresh, and Supply-Chain Watch success for `3b7e0ba3` | Current strongest readiness snapshot; must still be repeated from a strict clean checkout before real publication |
| `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-17.md` | Previous prompt-to-artifact operator dashboard | Superseded by the May 18 generated dashboard |
| `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` | Current prompt-to-artifact operator dashboard | Shows PR/issue/discussion/platform/supply-chain gates current and publication, plugin, billing, AgentShield, ECC Tools, legacy, and Linear productization gaps still open |
| `docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md` | Naming, slug, and publication-path decision record | Keeps `Everything Claude Code / ECC`, npm `ecc-universal`, and plugin slug `ecc` for rc.1 |
| `docs/releases/2.0.0-rc.1/x-thread.md` | X launch draft | Must replace placeholders with live URLs after release/package/plugin publication |
| `docs/releases/2.0.0-rc.1/linkedin-post.md` | LinkedIn launch draft | Must replace placeholders with live URLs after release/package/plugin publication |

95
docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md Normal file
View File

@@ -0,0 +1,95 @@
# ECC v2.0.0-rc.1 Publication Evidence - 2026-05-18
This is release-readiness evidence only. It does not create a GitHub release,
npm publication, plugin tag, marketplace submission, or announcement post.
## Source Commit
| Field | Evidence |
| --- | --- |
| Upstream main | `3b7e0ba30a027ffd3319c2f145c63076c296d80a` |
| Git remote | `https://github.com/affaan-m/everything-claude-code.git` |
| Evidence scope | Current `main` after PR #1970 workflow-security validator bypass fixes, PR #1971 metrics bridge cost-reporting fixes, PR #1972 `uncloud` skill merge, catalog/operator dashboard refresh, Mini Shai-Hulud/TanStack protection recheck, current-head Supply-Chain Watch, work-items sync, and Linear progress sync |
| Local status caveat | `git status --short --branch` showed `## main...origin/main` plus unrelated untracked `docs/drafts/`; generated evidence files are committed after the source snapshot they describe |
The actual release operator should repeat all publish-facing checks from the
final release commit with a strictly clean checkout before publishing.
## Queue And Discussion State
| Surface | Command | Result |
| --- | --- | --- |
| Trunk PRs | `gh pr list --limit 100 --json number,title,state,author,updatedAt,url` | 0 open PRs |
| Trunk issues | `gh issue list --limit 100 --json number,title,state,updatedAt,url,labels` | 0 open issues |
| Discussion audit | `npm run discussion:audit -- --json` | Ready; 58 sampled discussions in `affaan-m/everything-claude-code`, 0 needing maintainer touch, 0 answerable discussions missing accepted answer, and 0 fetch errors |
| Platform audit | `node scripts/platform-audit.js --json --allow-untracked docs/drafts/` | Ready; tracked repos report 0 open PRs, 0 open issues, 0 discussion maintainer-touch gaps, 0 answerable Q&A missing accepted answers, and 0 blocking dirty files |
| Work-items sync | `node scripts/work-items.js sync-github --repo <tracked-repo>` for five tracked repos; `node scripts/status.js --json`; `node scripts/work-items.js list --json` | All five tracked repos synced with 0 open PRs/issues and no changed work items; local status reports 0 open, 0 blocked, and 0 closed work items |
| Operator dashboard | `npm run operator:dashboard -- --markdown --allow-untracked docs/drafts/ --write docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` | Generated current dashboard for `3b7e0ba30a027ffd3319c2f145c63076c296d80a`; dashboard ready true, publication ready false because release, npm, plugin, billing, and announcement gates are approval-gated |
Tracked repositories in the platform audit and work-items sync were:
- `affaan-m/everything-claude-code`
- `affaan-m/agentshield`
- `affaan-m/JARVIS`
- `ECC-Tools/ECC-Tools`
- `ECC-Tools/ECC-website`
## Merge And Triage Batch
| Item | Result |
| --- | --- |
| PR #1970 | Merged workflow-security validator fixes for quoted `write-all` and `refs/pull/*` checkout bypasses; main includes `e06d0382` and `7bb31720` from that slice |
| PR #1971 | Merged metrics bridge cost-reporting fixes, full costs-file scan behavior, and persistent warning de-duplication across hook subprocesses; main includes commits through `9b1d8918` |
| PR #1972 | Merged `skills/uncloud/SKILL.md` with activation structure and uncloud command references; main includes `8b6aed0`, `2e5f30f`, and `caee7cf` |
| Catalog/operator refresh | Pushed `3b7e0ba3` to refresh generated catalog count and operator dashboard state after #1972 |
| Public queues | Rechecked after the merge batch; 0 PRs, 0 issues, and 0 discussion gaps remain across tracked repos |
## Supply-Chain And Security Evidence
| Gate | Command | Result |
| --- | --- | --- |
| Repo IOC scan | `npm run security:ioc-scan` | Passed; 198 files inspected |
| Home persistence IOC scan | `node scripts/ci/scan-supply-chain-iocs.js --home --json` | Passed; 200 files inspected; `findings: []` |
| Narrow active persistence sweep | Targeted search over user-level Claude, VS Code, LaunchAgent/systemd, local-bin, `/tmp`, and `/private/tmp` campaign paths | Existing active targets: 2; no campaign marker hits |
| Scanner fixture tests | `node tests/ci/scan-supply-chain-iocs.test.js` | 18 passed, 0 failed |
| Advisory source refresh | `node scripts/ci/supply-chain-advisory-sources.js --refresh --json` | Ready with 9 sources; live refresh produced 1 OpenAI URL warning from Node fetch while primary TanStack, GitHub advisory, StepSecurity, Wiz, Socket, npm, and CISA sources returned OK |
| No-lifecycle install | `npm ci --ignore-scripts` | Completed cleanly; 213 packages installed, 0 vulnerabilities |
| npm audit | `npm audit --audit-level=high` | 0 vulnerabilities |
| npm signatures | `npm audit signatures` | 213 verified registry signatures; 17 verified attestations |
| Workflow security | `node scripts/ci/validate-workflow-security.js` | Validated 8 workflow files |
| AgentShield project scan | `npx --no-install ecc-agentshield scan --format json` | Grade A / 99; 0 critical, 0 high, 0 medium; 6 low docs-example skill telemetry/governance findings |
| Current-head Supply-Chain Watch | `gh workflow run supply-chain-watch.yml --ref main`; `gh run watch 26009825837 --exit-status` | Completed successfully for `3b7e0ba30a027ffd3319c2f145c63076c296d80a`, including no-lifecycle install, npm audit/signature verification, scanner fixtures, advisory source fixtures, IOC/advisory report generation, workflow-security validation, and artifact upload |
## Linear Progress Sync
| Surface | Evidence |
| --- | --- |
| ITO-57 issue comment | `0b9931b9-1556-4ebc-a70c-f3635557625d` records May 18 queue counts, #1970/#1971/#1972 merge evidence, supply-chain verification, current-head watch URL, deferred gates, and next slices |
| ECC platform project comment | `e32e5b7a-287b-4bf4-9ed7-314389a157e1` records the same current public queue, security, and remaining-gate state at the project level |
| Project status update caveat | Linear returned "Project status updates are not enabled for this workspace"; project comment was used as the supported status surface |
## Current Publication Blockers
- GitHub prerelease `v2.0.0-rc.1` is still not created in this pass.
- npm `ecc-universal@2.0.0-rc.1` is still not published to the `next`
dist-tag.
- Claude plugin tag and marketplace propagation remain approval-gated.
- Codex repo-marketplace distribution is verified for rc.1, but official
Plugin Directory publishing remains blocked on OpenAI's self-serve publishing
surface.
- ECC Tools billing/native-payments copy remains blocked until a Marketplace
purchase/webhook path writes production `account-billing:*` and
`billing-state:*` records, then `npm run billing:announcement-gate --
--account <github-login>` returns an announcement-ready gate.
- Release notes, X, LinkedIn, GitHub release, and longform copy still need final
live URLs after release/package/plugin URLs exist.
- The local checkout still has unrelated untracked `docs/drafts/`, so a strict
clean-checkout release pass remains required before real publication.
## Result
The tracked public PR queue, issue queue, discussion queue, local work-items
bridge, and Mini Shai-Hulud/TanStack protection loop are current on
May 18, 2026 for `3b7e0ba3`. This improves publication readiness but does not
replace the approval-gated release, package, plugin, billing, and announcement
steps in `publication-readiness.md`.

12
docs/releases/2.0.0-rc.1/publication-readiness.md
View File

@@ -35,11 +35,19 @@ Shai-Hulud/TanStack local protection recheck, legacy-tail and Linear progress
routing, deterministic preview-pack smoke gate, and current operator dashboard
refresh, see
[`publication-evidence-2026-05-17.md`](publication-evidence-2026-05-17.md).
For the May 18 current-head queue, workflow-security/metrics/uncloud merge
batch, Mini Shai-Hulud/TanStack local and home protection recheck, npm
no-lifecycle install/audit/signature gates, AgentShield project scan,
work-items sync, Linear progress comments, operator dashboard refresh, and
current-head Supply-Chain Watch, see
[`publication-evidence-2026-05-18.md`](publication-evidence-2026-05-18.md).
For the operator-facing prompt-to-artifact readiness dashboard from the same
May 16 pass, see
[`operator-readiness-dashboard-2026-05-15.md`](operator-readiness-dashboard-2026-05-15.md).
For the May 17 operator dashboard refresh, see
[`operator-readiness-dashboard-2026-05-17.md`](operator-readiness-dashboard-2026-05-17.md).
For the May 18 operator dashboard refresh, see
[`operator-readiness-dashboard-2026-05-18.md`](operator-readiness-dashboard-2026-05-18.md).
## Release Identity Matrix
@@ -84,7 +92,7 @@ Record the exact commit SHA and command output before any publication action:
| Adapter scorecard | `npm run harness:adapters -- --check` | PASS | `publication-evidence-2026-05-16.md`: PASS, 11 adapters |
| Observability readiness | `npm run observability:ready` | 21/21 passing | `publication-evidence-2026-05-17.md`: 21/21, ready yes |
| Release safety gate | `npm run observability:ready -- --format json` | Release Safety category passing with publication readiness, supply-chain, workflow security, package surface, and release-surface evidence | `publication-evidence-2026-05-13-post-hardening.md`: Release Safety 3/3 |
| Supply-chain verification | `npm audit --json`; `npm audit signatures`; `cd ecc2 && cargo audit -q`; Dependabot alerts; GitGuardian Security Checks | 0 vulnerabilities/alerts, registry signatures verified, GitGuardian clean | `publication-evidence-2026-05-17.md`: npm registry signatures and attestations verified, 0 high-or-higher npm vulnerabilities, supply-chain IOC scan clean |
| Supply-chain verification | `npm audit --json`; `npm audit signatures`; `cd ecc2 && cargo audit -q`; Dependabot alerts; GitGuardian Security Checks | 0 vulnerabilities/alerts, registry signatures verified, GitGuardian clean | `publication-evidence-2026-05-18.md`: npm registry signatures and attestations verified, 0 high-or-higher npm vulnerabilities, repo/home IOC scans clean, current-head Supply-Chain Watch passed |
| Root suite | `node tests/run-all.js` | 0 failures | `publication-evidence-2026-05-17.md`: `npm test` passed 2487/2487, 0 failed |
| Markdown lint | `npx markdownlint-cli '**/*.md' --ignore node_modules` | 0 failures | `publication-evidence-2026-05-17.md`: passed after ja-JP autonomous-loop anchor repair |
| Package surface | `node tests/scripts/npm-publish-surface.test.js` | 0 failures; no Python bytecode in npm tarball | `2/2` passed in May 12 evidence pass |
@@ -93,7 +101,7 @@ Record the exact commit SHA and command output before any publication action:
| Queue baseline | `gh pr list` / `gh issue list` across trunk, AgentShield, JARVIS, ECC Tools, and ECC website | Under 20 open PRs and under 20 open issues | `publication-evidence-2026-05-17.md`: platform audit ready, 0 open PRs and 0 open issues across checked repos |
| Discussion baseline | `node scripts/discussion-audit.js --json` | No unmanaged active discussion queue and no answerable Q&A missing an accepted answer | `publication-evidence-2026-05-15.md`: 58 trunk discussions, 0 without maintainer touch; other tracked repos disabled or 0 |
| Linear roadmap | Linear project and issue readback | Detailed roadmap exists with release, security, AgentShield, ECC Tools, legacy, and observability lanes | `publication-evidence-2026-05-15.md`: project and 16 issue lanes recorded |
| Operator readiness dashboard | `npm run operator:dashboard -- --json --allow-untracked docs/drafts/` | Current queue state mapped to macro-goal deliverables and incomplete gaps | `publication-evidence-2026-05-17.md`: generated from `27dc2918`, platform ready true, dashboard ready true, 0 open PRs, 0 open issues, 0 discussion gaps |
| Operator readiness dashboard | `npm run operator:dashboard -- --json --allow-untracked docs/drafts/` | Current queue state mapped to macro-goal deliverables and incomplete gaps | `publication-evidence-2026-05-18.md`: generated from `3b7e0ba3`, platform ready true, dashboard ready true, 0 open PRs, 0 open issues, 0 discussion gaps |
## Do Not Publish If

12
scripts/operator-readiness-dashboard.js
View File

@@ -372,7 +372,7 @@ function eccToolsNextLevelGap(roadmap) {
function supplyChainLocalProtectionEvidence({ roadmap, scripts }) {
if (scripts['security:advisory-sources'] === 'node scripts/ci/supply-chain-advisory-sources.js'
&& roadmap.includes('package-manager hardening Action outputs')) {
return 'scheduled supply-chain watch emits IOC/advisory-source refresh artifacts; ECC scanner covers gh-token-monitor token-store persistence; AgentShield now detects known AI-tool persistence IOCs, npm lifecycle/token drift, unsupported npm age-key drift, and pnpm/Yarn cooldown drift; ITO-57 has May 17 Linear evidence updates';
return 'scheduled supply-chain watch emits IOC/advisory-source refresh artifacts; ECC scanner covers gh-token-monitor token-store persistence; AgentShield now detects known AI-tool persistence IOCs, npm lifecycle/token drift, unsupported npm age-key drift, and pnpm/Yarn cooldown drift; current-head watch evidence and ITO-57 May 18 Linear evidence updates are current';
}
return scripts['security:advisory-sources'] === 'node scripts/ci/supply-chain-advisory-sources.js'
@@ -390,10 +390,12 @@ function supplyChainLocalProtectionGap({ roadmap, scripts }) {
}
function hasCurrentLinearProgressSync({ roadmap, progressSync }) {
return includesAll(roadmap, [
'Linear live sync is current',
'operator progress snapshot',
]) && includesAll(progressSync, [
const hasOperatorProgressSurface = roadmap.includes('operator progress snapshot')
|| roadmap.includes('operator progress comment');
return roadmap.includes('Linear live sync is current')
&& hasOperatorProgressSurface
&& includesAll(progressSync, [
'node scripts/work-items.js sync-github --repo <owner/repo>',
'node scripts/status.js --json',
'Linear remains the external status surface',