From ec171300c65f6ef3ce8d8acb97f9caf39abb2682 Mon Sep 17 00:00:00 2001 From: Affaan Mustafa Date: Sun, 17 May 2026 22:19:00 -0400 Subject: [PATCH] docs: add May 18 readiness evidence --- docs/ECC-2.0-GA-ROADMAP.md | 52 ++++++---- .../2.0.0-rc.1/preview-pack-manifest.md | 6 +- .../publication-evidence-2026-05-18.md | 95 +++++++++++++++++++ .../2.0.0-rc.1/publication-readiness.md | 12 ++- scripts/operator-readiness-dashboard.js | 12 ++- 5 files changed, 150 insertions(+), 27 deletions(-) create mode 100644 docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md diff --git a/docs/ECC-2.0-GA-ROADMAP.md b/docs/ECC-2.0-GA-ROADMAP.md index 81756308..14eb653e 100644 --- a/docs/ECC-2.0-GA-ROADMAP.md +++ b/docs/ECC-2.0-GA-ROADMAP.md @@ -14,15 +14,16 @@ execution truth is split across: ## Current Evidence -As of 2026-05-17: +As of 2026-05-18: - GitHub queues are clean across `affaan-m/everything-claude-code`, `affaan-m/agentshield`, `affaan-m/JARVIS`, `ECC-Tools/ECC-Tools`, and `ECC-Tools/ECC-website`: the latest `platform-audit` sweep found 0 open PRs, 0 open issues, 0 discussion maintainer-touch gaps, 0 answerable Q&A missing accepted answers, and 0 blocking dirty files when allowing the unrelated - local `docs/drafts/` directory. The May 17 queue batch merged #1961, #1963, - and #1953, closed/skipped incompatible #1962, and #1953 closed #1951. + local `docs/drafts/` directory. The May 18 sync also refreshed + `scripts/work-items.js sync-github` across all five tracked repos, leaving + no open or blocked local work items. - GitHub discussions are current across those tracked repos: `affaan-m/everything-claude-code` has 58 total discussions and 0 without maintainer touch after May 15 maintainer updates on #73 and #1239; AgentShield, 
@@ -32,21 +33,32 @@ As of 2026-05-17: `ITO-59`) and five milestones: Security and Access Baseline, ECC 2.0 Preview and Publication, AgentShield Enterprise Iteration, ECC Tools Next-Level Platform, and Legacy Audit and Salvage. -- Linear live sync is current for the May 17 merge batch: ITO-57 has a new - supply-chain protection comment (`ca703b95-41a1-403e-9bc4-3d68edd4d4a3`), - and the ECC platform project has a new operator progress snapshot - (`6c4d1b92-95cf-4ea1-84fd-cbea36f24d1a`). -- `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-17.md` records the - May 17 queue-zero state, Japanese localization merge, Dependabot TypeScript - and Node type merges, post-merge ja-JP lint repair, Mini Shai-Hulud/TanStack - local protection recheck, npm audit/signature checks, current operator - dashboard, and GitHub CI success for `99dd6ac0`. -- `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-17.md` +- Linear live sync is current for the May 18 merge and supply-chain batch: + ITO-57 has a new current-head supply-chain protection comment + (`0b9931b9-1556-4ebc-a70c-f3635557625d`), and the ECC platform project has + a new operator progress comment (`e32e5b7a-287b-4bf4-9ed7-314389a157e1`). + Linear project status updates are disabled in this workspace, so the project + comment is the supported external status surface. +- The latest May 18 merge batch on `main` includes PR #1970 workflow-security + validator bypass fixes, PR #1971 metrics bridge cost-reporting and warning + de-dup fixes, PR #1972 `uncloud` skill activation structure, and + `3b7e0ba3` catalog/operator dashboard refresh. +- `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md` records the + May 18 queue-zero state, current-head TanStack/Mini Shai-Hulud protection + recheck, no-lifecycle npm install, npm audit/signature checks, AgentShield + project `.claude` scan, Linear sync, work-items sync, operator dashboard + refresh, and current-head Supply-Chain Watch success for `3b7e0ba3`. 
+- `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` regenerates the ITO-44 prompt-to-artifact dashboard from live platform audit evidence: PR queue, issue queue, discussion queue, local worktree gate, dashboard generation, and supply-chain loop are current; publication, plugin, billing, AgentShield, ECC Tools, legacy, and Linear/productized sync lanes remain the next work. +- `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-17.md` records the + May 17 queue-zero state, Japanese localization merge, Dependabot TypeScript + and Node type merges, post-merge ja-JP lint repair, Mini Shai-Hulud/TanStack + local protection recheck, npm audit/signature checks, current operator + dashboard, and GitHub CI success for `99dd6ac0`. - `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-16.md` records the queue, discussion, Linear roadmap, ECC Tools access, Mini Shai-Hulud/TanStack full-campaign follow-up, scheduled supply-chain watch coverage, no-lifecycle 
@@ -64,9 +76,13 @@ As of 2026-05-17: - `npm run harness:audit -- --format json` reports 70/70 on current `main`. - `npm run observability:ready` reports 21/21 readiness on current `main`, including the GitHub/Linear/handoff/roadmap progress-sync contract. -- GitHub CI run `25983803011` completed successfully for - `99dd6ac0db20fce51713b6a1c92515d2453b769e`, including Validate Components, +- GitHub CI run `26009328404` completed successfully for + `3b7e0ba30a027ffd3319c2f145c63076c296d80a`, including Validate Components, Coverage, Lint, Security Scan, and the full Node/package-manager matrix. +- Supply-Chain Watch run `26009825837` completed successfully for + `3b7e0ba30a027ffd3319c2f145c63076c296d80a`, including no-lifecycle install, + npm audit/signature verification, scanner fixtures, advisory-source + fixtures, IOC/advisory artifact generation, and workflow-security validation. - PR #1846 merged as `797f283036904128bb1b348ae62019eb9f08cf39` and made npm registry signature verification a durable workflow-security gate: workflows that run `npm audit` now need `npm audit signatures`. 
@@ -626,7 +642,7 @@ is not complete unless the evidence column exists and has been freshly verified. | Manage repository discussions | Repo-family discussion recheck | Platform audit reports 0 discussion maintainer-touch gaps and 0 answerable Q&A missing accepted answers; trunk still has 58 total discussions | Complete | | Manage PR discussions | PR review/comment closure plus merge/close state | ECC #1961, #1963, and #1953 merged after maintainer validation; no open tracked PRs remain | Complete | | Salvage useful stale work | `docs/stale-pr-salvage-ledger.md` plus `docs/legacy-artifact-inventory.md` | Ledger records salvaged, superseded, skipped, and manual-review tails; #1815-#1818 added cost tracking, skill scout, frontend design guidance, code-reviewer false-positive guardrails, and the May 12 gap pass; #1687, #1609, #1563, #1564, and #1565 localization tails are attached to Linear ITO-55 for language-owner review and no automatic import remains release-blocking | Complete; repeat legacy scan before release | -| ECC 2.0 preview pack ready | Release docs, quickstart, publication readiness, release notes | `docs/releases/2.0.0-rc.1/` and readiness docs are in-tree; May 17 evidence records queue-zero state, localized docs merge, supply-chain recheck, lint/test/security gates, operator dashboard, and successful GitHub CI on `99dd6ac0` | Needs final clean-checkout release approval | +| ECC 2.0 preview pack ready | Release docs, quickstart, publication readiness, release notes | `docs/releases/2.0.0-rc.1/` and readiness docs are in-tree; May 18 evidence records queue-zero state, #1970/#1971/#1972 merge batch, supply-chain recheck, npm no-lifecycle install/audit/signature gates, Linear sync, operator dashboard, and successful current-head Supply-Chain Watch on `3b7e0ba3` | Needs final clean-checkout release approval | | Hermes specialized skills included safely | Hermes setup/import docs and sanitized skill surface | Hermes setup and import playbook are public; 
secrets stay local | Needs final release review | | Naming and rename readiness | Naming matrix across package/plugin/docs/social surfaces | `docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md` records current package, repo, Claude plugin, Codex plugin, OpenCode, and npm availability evidence | Complete for rc.1; post-rc rename remains future work | | Claude and Codex plugin publication | Contact/submission path with required artifacts and status | Publication readiness, naming matrix, and May 12 dry-run evidence document plugin validation, clean-checkout Claude tag/install smoke, and Codex marketplace CLI shape | Needs explicit approval for real tag/push and marketplace submission | 
@@ -635,9 +651,9 @@ is not complete unless the evidence column exists and has been freshly verified. | ECC Tools next-level app | Billing audit, PR checks, deep analyzer, sync backlog, evaluator/RAG corpus, analysis-depth readiness, hosted execution planning, hosted CI diagnostics, hosted security evidence review, hosted harness compatibility audit, hosted reference-set evaluation, hosted AI routing/cost review, hosted team backlog routing, hosted depth-plan check-run, PR-comment hosted job dispatch, hosted job result history/check-runs, hosted result status command, status-aware depth-plan recommendations, hosted promotion readiness, hosted promotion output scoring, hosted promotion retrieval planning, hosted promotion judge contract, gated hosted promotion judge execution, hosted promotion judge audit trace, payment-announcement readiness, billing announcement preflight, production Marketplace readback state, AgentShield fleet-summary hosted routing, hosted finding source-evidence surfacing, harness policy-route review, policy-promotion Action-output hosted telemetry, and operator-visible promotion output values | PRs #26-#43 plus #53-#78 landed with test evidence, including AgentShield evidence-pack gap routing, canonical bundle recognition, supply-chain signature gates, PR draft follow-up Linear tracking, evidence-backed/deep-ready repository classification, the `/api/analysis/depth-plan` hosted job plan, `/api/analysis/jobs/ci-diagnostics`, `/api/analysis/jobs/security-evidence-review`, `/api/analysis/jobs/harness-compatibility-audit`, `/api/analysis/jobs/reference-set-evaluation`, `/api/analysis/jobs/ai-routing-cost-review`, `/api/analysis/jobs/team-backlog-routing`, the `ECC Tools / Hosted Depth Plan` check-run, `/ecc-tools analyze --job ...` PR-comment dispatch, non-blocking per-hosted-job result check-runs backed by 30-day result cache records, `/ecc-tools analyze --job status` cache lookup, cache-aware next-job recommendations in the depth-plan check-run, 
the `ECC Tools / Hosted Promotion Readiness` corpus-backed PR check-run, deterministic hosted-output scoring against cached completed job artifacts/findings, ranked retrieval/model-prompt planning, the fail-closed `hosted-promotion-judge.v1` request contract, opt-in live model-judge execution behind hosted evidence, entitlement, budget, provider, executor, strict JSON, and citation gates, hosted promotion judge request fingerprints plus allowed-citation audit trails, a fail-closed `/api/billing/readiness` `announcementGate` for native GitHub payments claims, `npm run billing:announcement-gate` plus `--preflight` as the non-secret operator verifier, hosted security findings for AgentShield fleet summaries, an `Evidence` column in hosted finding comments/check-runs, hosted harness findings that route AgentShield fleet target paths to harness owners, ECC-Tools commit `8658951` routing AgentShield policy-promotion Action outputs into hosted security review and promotion-readiness scoring, ECC-Tools commit `16c537f` rendering policy-promotion status/pack/count/digest values directly in hosted security job comments/check-runs, ECC-Tools commit `05d4e82` rendering model-judge audit traces without exposing raw provider output, ECC-Tools commit `91a441b` adding the safe billing announcement preflight path, and ECC-Tools commit `eb69412` recording that production has no Marketplace billing-state KV records yet | Next work is complete Marketplace purchase/webhook readback, then run the live announcement gate | | GitGuardian/Dependabot/CodeRabbit-style checks | Non-blocking taxonomy, deterministic follow-up checks, and local supply-chain gates | ECC-Tools risk taxonomy check plus follow-up signals landed, including Skill Quality, Deep Analyzer Evidence, Analyzer Corpus Evidence, RAG/Evaluator Evidence, PR Review/Salvage Evidence, and AgentShield evidence-pack evidence; #1846 added npm registry signature gates; #1848 added the supply-chain incident-response playbook and 
`pull_request_target` cache-poisoning validator guard; #1851 added the privileged checkout credential-persistence guard; AgentShield #78, JARVIS #13, and ECC-Tools #53 applied the same hardening outside trunk | Current supply-chain gate complete; deeper hosted review features remain future | | Harness-agnostic learning system | Audit, adapter matrix, observability, traces, promotion loop | Audit/adapters/observability gates plus `docs/architecture/evaluator-rag-prototype.md`, `examples/evaluator-rag-prototype/`, and ECC-Tools PR #40 define read-only stale-salvage, billing-readiness, CI-failure-diagnosis, harness-config-quality, AgentShield policy-exception, skill-quality evidence, deep-analyzer evidence, and RAG/evaluator comparison scenarios with trace, report, playbook, verifier, and predictive-check artifacts; ECC-Tools PRs #68-#72 now turn that corpus into a deterministic PR check-run gate with cached hosted-output scoring, ranked retrieval candidates, a model prompt seed, a fail-closed hosted model-judge request contract, and opt-in live model execution behind strict hosted-evidence gates | Deterministic hosted PR check, cached output scoring, retrieval planning, judge contract, and gated model execution integrated | -| Linear roadmap is detailed | Linear project status plus repo mirror | Repo mirror exists; issue creation was retried on 2026-05-12 and remains blocked by the workspace free issue limit; the May 17 sync adds the queue-zero batch, Japanese localization merge, ITO-57 live supply-chain refresh comment, ECC platform project progress snapshot, and generated `operator:dashboard` prompt-to-artifact audit for recurring status updates | Needs recurring status updates after each significant merge batch | +| Linear roadmap is detailed | Linear project status plus repo mirror | Repo mirror exists; issue creation was retried on 2026-05-12 and remains blocked by the workspace free issue limit; the May 18 sync adds queue-zero/work-items state, 
#1970/#1971/#1972 merge evidence, ITO-57 current-head supply-chain refresh comment `0b9931b9-1556-4ebc-a70c-f3635557625d`, ECC platform progress comment `e32e5b7a-287b-4bf4-9ed7-314389a157e1`, and generated `operator:dashboard` prompt-to-artifact audit for recurring status updates | Needs recurring status updates after each significant merge batch | | Flow separation and progress tracking | Flow lanes with owner artifacts and update cadence | This roadmap defines lanes below and `docs/architecture/progress-sync-contract.md` makes GitHub/Linear/handoff/roadmap sync part of the readiness gate | Active | -| Realtime Linear sync | Project updates while issue limit is blocked; issues later | ECC-Tools #39 implements opt-in Linear API sync for deferred follow-up backlog items, and ECC-Tools #54 adds copy-ready PR drafts to that backlog when draft PR shells are not opened; `docs/architecture/progress-sync-contract.md` defines the local file-backed realtime boundary while issue capacity is blocked; May 17 live connector comments were posted to ITO-57 and the ECC platform project | Needs workspace capacity/config rollout for productized issue sync | +| Realtime Linear sync | Project comments while issue/status capacity is blocked; issues later | ECC-Tools #39 implements opt-in Linear API sync for deferred follow-up backlog items, and ECC-Tools #54 adds copy-ready PR drafts to that backlog when draft PR shells are not opened; `docs/architecture/progress-sync-contract.md` defines the local file-backed realtime boundary while issue capacity is blocked; May 18 live connector comments were posted to ITO-57 and the ECC platform project after project status updates returned disabled | Needs workspace capacity/config rollout for productized issue sync | | Observability for self-use | Local readiness gate, traces, status snapshots, HUD/status contract, risk ledger, progress-sync contract | `npm run observability:ready` reports 21/21 | Complete for local gate | | Proper release and 
notifications | Release tag, npm publish state, plugin state, social posts | Publication readiness gate exists with May 12 dry-run and May 13 readiness evidence | Not complete; approval/live URLs required | diff --git a/docs/releases/2.0.0-rc.1/preview-pack-manifest.md b/docs/releases/2.0.0-rc.1/preview-pack-manifest.md index ff88287e..6c9bf9ea 100644 --- a/docs/releases/2.0.0-rc.1/preview-pack-manifest.md +++ b/docs/releases/2.0.0-rc.1/preview-pack-manifest.md 
@@ -23,8 +23,10 @@ surfaces, or posting announcements. | `docs/releases/2.0.0-rc.1/publication-readiness.md` | Release gate | Requires fresh evidence from the exact release commit | | `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-15.md` | Current May 15 queue, roadmap, security, supply-chain watch, no-lifecycle CI install hardening, AgentShield #86 evidence-pack provenance, ECC Tools billing-gate, Actions cache purge, and `ecc2` test evidence through PR #1941 | Must be superseded by a final clean-checkout evidence file before real publication | | `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-16.md` | Current May 16/17 queue cleanup, recsys skill merge, GateGuard triage, PR #1947 supply-chain protection, AgentShield #87 plugin-cache confidence evidence, AgentShield #88 evidence-pack inspect/readback, AgentShield #89 evidence-pack fleet routing, AgentShield #90 fleet review items, AgentShield #91 policy export, AgentShield #92 policy promotion, ECC-Tools #76 fleet-summary consumption, ECC-Tools #77 hosted finding evidence paths, ECC-Tools #78 harness policy-route linking, dashboard refresh, and combined Node/Rust/release-surface gate evidence through the May 16 mirror | Must still be repeated from a strict clean checkout before real publication | -| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-17.md` | Current May 17 queue-zero state, Japanese localization merge, Dependabot TypeScript and Node type merges, post-merge ja-JP lint repair, Mini Shai-Hulud/TanStack protection recheck, npm audit/signature checks, legacy and Linear progress routing, deterministic preview-pack smoke, operator dashboard refresh, Linear sync, and GitHub CI evidence for `27dc2918` | Current strongest readiness snapshot; must still be repeated from a strict clean checkout before real publication | -| `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-17.md` | Current prompt-to-artifact operator dashboard | Shows PR/issue/discussion/platform/supply-chain 
gates current and publication, plugin, billing, AgentShield, ECC Tools, legacy, and Linear productization gaps still open | +| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-17.md` | May 17 queue-zero state, Japanese localization merge, Dependabot TypeScript and Node type merges, post-merge ja-JP lint repair, Mini Shai-Hulud/TanStack protection recheck, npm audit/signature checks, legacy and Linear progress routing, deterministic preview-pack smoke, operator dashboard refresh, Linear sync, and GitHub CI evidence for `27dc2918` | Superseded by the May 18 evidence snapshot; repeat from a strict clean checkout before real publication | +| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md` | Current May 18 queue-zero state, #1970/#1971/#1972 merge batch, current-head Mini Shai-Hulud/TanStack protection recheck, no-lifecycle install, npm audit/signature checks, AgentShield project `.claude` scan, work-items sync, Linear sync, operator dashboard refresh, and Supply-Chain Watch success for `3b7e0ba3` | Current strongest readiness snapshot; must still be repeated from a strict clean checkout before real publication | +| `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-17.md` | Previous prompt-to-artifact operator dashboard | Superseded by the May 18 generated dashboard | +| `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` | Current prompt-to-artifact operator dashboard | Shows PR/issue/discussion/platform/supply-chain gates current and publication, plugin, billing, AgentShield, ECC Tools, legacy, and Linear productization gaps still open | | `docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md` | Naming, slug, and publication-path decision record | Keeps `Everything Claude Code / ECC`, npm `ecc-universal`, and plugin slug `ecc` for rc.1 | | `docs/releases/2.0.0-rc.1/x-thread.md` | X launch draft | Must replace placeholders with live URLs after release/package/plugin publication | | 
`docs/releases/2.0.0-rc.1/linkedin-post.md` | LinkedIn launch draft | Must replace placeholders with live URLs after release/package/plugin publication | diff --git a/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md b/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md new file mode 100644 index 00000000..251226ca --- /dev/null +++ b/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md 
@@ -0,0 +1,95 @@ +# ECC v2.0.0-rc.1 Publication Evidence - 2026-05-18 + +This is release-readiness evidence only. It does not create a GitHub release, +npm publication, plugin tag, marketplace submission, or announcement post. + +## Source Commit + +| Field | Evidence | +| --- | --- | +| Upstream main | `3b7e0ba30a027ffd3319c2f145c63076c296d80a` | +| Git remote | `https://github.com/affaan-m/everything-claude-code.git` | +| Evidence scope | Current `main` after PR #1970 workflow-security validator bypass fixes, PR #1971 metrics bridge cost-reporting fixes, PR #1972 `uncloud` skill merge, catalog/operator dashboard refresh, Mini Shai-Hulud/TanStack protection recheck, current-head Supply-Chain Watch, work-items sync, and Linear progress sync | +| Local status caveat | `git status --short --branch` showed `## main...origin/main` plus unrelated untracked `docs/drafts/`; generated evidence files are committed after the source snapshot they describe | + +The actual release operator should repeat all publish-facing checks from the +final release commit with a strictly clean checkout before publishing. 
+ +## Queue And Discussion State + +| Surface | Command | Result | +| --- | --- | --- | +| Trunk PRs | `gh pr list --limit 100 --json number,title,state,author,updatedAt,url` | 0 open PRs | +| Trunk issues | `gh issue list --limit 100 --json number,title,state,updatedAt,url,labels` | 0 open issues | +| Discussion audit | `npm run discussion:audit -- --json` | Ready; 58 sampled discussions in `affaan-m/everything-claude-code`, 0 needing maintainer touch, 0 answerable discussions missing accepted answer, and 0 fetch errors | +| Platform audit | `node scripts/platform-audit.js --json --allow-untracked docs/drafts/` | Ready; tracked repos report 0 open PRs, 0 open issues, 0 discussion maintainer-touch gaps, 0 answerable Q&A missing accepted answers, and 0 blocking dirty files | +| Work-items sync | `node scripts/work-items.js sync-github --repo ` for five tracked repos; `node scripts/status.js --json`; `node scripts/work-items.js list --json` | All five tracked repos synced with 0 open PRs/issues and no changed work items; local status reports 0 open, 0 blocked, and 0 closed work items | +| Operator dashboard | `npm run operator:dashboard -- --markdown --allow-untracked docs/drafts/ --write docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` | Generated current dashboard for `3b7e0ba30a027ffd3319c2f145c63076c296d80a`; dashboard ready true, publication ready false because release, npm, plugin, billing, and announcement gates are approval-gated | + +Tracked repositories in the platform audit and work-items sync were: + +- `affaan-m/everything-claude-code` +- `affaan-m/agentshield` +- `affaan-m/JARVIS` +- `ECC-Tools/ECC-Tools` +- `ECC-Tools/ECC-website` + +## Merge And Triage Batch + +| Item | Result | +| --- | --- | +| PR #1970 | Merged workflow-security validator fixes for quoted `write-all` and `refs/pull/*` checkout bypasses; main includes `e06d0382` and `7bb31720` from that slice | +| PR #1971 | Merged metrics bridge cost-reporting fixes, full 
costs-file scan behavior, and persistent warning de-duplication across hook subprocesses; main includes commits through `9b1d8918` | +| PR #1972 | Merged `skills/uncloud/SKILL.md` with activation structure and uncloud command references; main includes `8b6aed0`, `2e5f30f`, and `caee7cf` | +| Catalog/operator refresh | Pushed `3b7e0ba3` to refresh generated catalog count and operator dashboard state after #1972 | +| Public queues | Rechecked after the merge batch; 0 PRs, 0 issues, and 0 discussion gaps remain across tracked repos | + +## Supply-Chain And Security Evidence + +| Gate | Command | Result | +| --- | --- | --- | +| Repo IOC scan | `npm run security:ioc-scan` | Passed; 198 files inspected | +| Home persistence IOC scan | `node scripts/ci/scan-supply-chain-iocs.js --home --json` | Passed; 200 files inspected; `findings: []` | +| Narrow active persistence sweep | Targeted search over user-level Claude, VS Code, LaunchAgent/systemd, local-bin, `/tmp`, and `/private/tmp` campaign paths | Existing active targets: 2; no campaign marker hits | +| Scanner fixture tests | `node tests/ci/scan-supply-chain-iocs.test.js` | 18 passed, 0 failed | +| Advisory source refresh | `node scripts/ci/supply-chain-advisory-sources.js --refresh --json` | Ready with 9 sources; live refresh produced 1 OpenAI URL warning from Node fetch while primary TanStack, GitHub advisory, StepSecurity, Wiz, Socket, npm, and CISA sources returned OK | +| No-lifecycle install | `npm ci --ignore-scripts` | Completed cleanly; 213 packages installed, 0 vulnerabilities | +| npm audit | `npm audit --audit-level=high` | 0 vulnerabilities | +| npm signatures | `npm audit signatures` | 213 verified registry signatures; 17 verified attestations | +| Workflow security | `node scripts/ci/validate-workflow-security.js` | Validated 8 workflow files | +| AgentShield project scan | `npx --no-install ecc-agentshield scan --format json` | Grade A / 99; 0 critical, 0 high, 0 medium; 6 low docs-example skill 
telemetry/governance findings | +| Current-head Supply-Chain Watch | `gh workflow run supply-chain-watch.yml --ref main`; `gh run watch 26009825837 --exit-status` | Completed successfully for `3b7e0ba30a027ffd3319c2f145c63076c296d80a`, including no-lifecycle install, npm audit/signature verification, scanner fixtures, advisory source fixtures, IOC/advisory report generation, workflow-security validation, and artifact upload | + +## Linear Progress Sync + +| Surface | Evidence | +| --- | --- | +| ITO-57 issue comment | `0b9931b9-1556-4ebc-a70c-f3635557625d` records May 18 queue counts, #1970/#1971/#1972 merge evidence, supply-chain verification, current-head watch URL, deferred gates, and next slices | +| ECC platform project comment | `e32e5b7a-287b-4bf4-9ed7-314389a157e1` records the same current public queue, security, and remaining-gate state at the project level | +| Project status update caveat | Linear returned "Project status updates are not enabled for this workspace"; project comment was used as the supported status surface | + +## Current Publication Blockers + +- GitHub prerelease `v2.0.0-rc.1` is still not created in this pass. +- npm `ecc-universal@2.0.0-rc.1` is still not published to the `next` + dist-tag. +- Claude plugin tag and marketplace propagation remain approval-gated. +- Codex repo-marketplace distribution is verified for rc.1, but official + Plugin Directory publishing remains blocked on OpenAI's self-serve publishing + surface. +- ECC Tools billing/native-payments copy remains blocked until a Marketplace + purchase/webhook path writes production `account-billing:*` and + `billing-state:*` records, then `npm run billing:announcement-gate -- + --account ` returns an announcement-ready gate. +- Release notes, X, LinkedIn, GitHub release, and longform copy still need final + live URLs after release/package/plugin URLs exist. 
+- The local checkout still has unrelated untracked `docs/drafts/`, so a strict + clean-checkout release pass remains required before real publication. + +## Result + +The tracked public PR queue, issue queue, discussion queue, local work-items +bridge, and Mini Shai-Hulud/TanStack protection loop are current on +May 18, 2026 for `3b7e0ba3`. This improves publication readiness but does not +replace the approval-gated release, package, plugin, billing, and announcement +steps in `publication-readiness.md`. diff --git a/docs/releases/2.0.0-rc.1/publication-readiness.md b/docs/releases/2.0.0-rc.1/publication-readiness.md index 0e305e26..9e335563 100644 --- a/docs/releases/2.0.0-rc.1/publication-readiness.md +++ b/docs/releases/2.0.0-rc.1/publication-readiness.md @@ -35,11 +35,19 @@ Shai-Hulud/TanStack local protection recheck, legacy-tail and Linear progress routing, deterministic preview-pack smoke gate, and current operator dashboard refresh, see [`publication-evidence-2026-05-17.md`](publication-evidence-2026-05-17.md). +For the May 18 current-head queue, workflow-security/metrics/uncloud merge +batch, Mini Shai-Hulud/TanStack local and home protection recheck, npm +no-lifecycle install/audit/signature gates, AgentShield project scan, +work-items sync, Linear progress comments, operator dashboard refresh, and +current-head Supply-Chain Watch, see +[`publication-evidence-2026-05-18.md`](publication-evidence-2026-05-18.md). For the operator-facing prompt-to-artifact readiness dashboard from the same May 16 pass, see [`operator-readiness-dashboard-2026-05-15.md`](operator-readiness-dashboard-2026-05-15.md). For the May 17 operator dashboard refresh, see [`operator-readiness-dashboard-2026-05-17.md`](operator-readiness-dashboard-2026-05-17.md). +For the May 18 operator dashboard refresh, see +[`operator-readiness-dashboard-2026-05-18.md`](operator-readiness-dashboard-2026-05-18.md). ## Release Identity Matrix 
@@ -84,7 +92,7 @@ Record the exact commit SHA and command output before any publication action: | Adapter scorecard | `npm run harness:adapters -- --check` | PASS | `publication-evidence-2026-05-16.md`: PASS, 11 adapters | | Observability readiness | `npm run observability:ready` | 21/21 passing | `publication-evidence-2026-05-17.md`: 21/21, ready yes | | Release safety gate | `npm run observability:ready -- --format json` | Release Safety category passing with publication readiness, supply-chain, workflow security, package surface, and release-surface evidence | `publication-evidence-2026-05-13-post-hardening.md`: Release Safety 3/3 | -| Supply-chain verification | `npm audit --json`; `npm audit signatures`; `cd ecc2 && cargo audit -q`; Dependabot alerts; GitGuardian Security Checks | 0 vulnerabilities/alerts, registry signatures verified, GitGuardian clean | `publication-evidence-2026-05-17.md`: npm registry signatures and attestations verified, 0 high-or-higher npm vulnerabilities, supply-chain IOC scan clean | +| Supply-chain verification | `npm audit --json`; `npm audit signatures`; `cd ecc2 && cargo audit -q`; Dependabot alerts; GitGuardian Security Checks | 0 vulnerabilities/alerts, registry signatures verified, GitGuardian clean | `publication-evidence-2026-05-18.md`: npm registry signatures and attestations verified, 0 high-or-higher npm vulnerabilities, repo/home IOC scans clean, current-head Supply-Chain Watch passed | | Root suite | `node tests/run-all.js` | 0 failures | `publication-evidence-2026-05-17.md`: `npm test` passed 2487/2487, 0 failed | | Markdown lint | `npx markdownlint-cli '**/*.md' --ignore node_modules` | 0 failures | `publication-evidence-2026-05-17.md`: passed after ja-JP autonomous-loop anchor repair | | Package surface | `node tests/scripts/npm-publish-surface.test.js` | 0 failures; no Python bytecode in npm tarball | `2/2` passed in May 12 evidence pass | 
@@ -93,7 +101,7 @@ Record the exact commit SHA and command output before any publication action: | Queue baseline | `gh pr list` / `gh issue list` across trunk, AgentShield, JARVIS, ECC Tools, and ECC website | Under 20 open PRs and under 20 open issues | `publication-evidence-2026-05-17.md`: platform audit ready, 0 open PRs and 0 open issues across checked repos | | Discussion baseline | `node scripts/discussion-audit.js --json` | No unmanaged active discussion queue and no answerable Q&A missing an accepted answer | `publication-evidence-2026-05-15.md`: 58 trunk discussions, 0 without maintainer touch; other tracked repos disabled or 0 | | Linear roadmap | Linear project and issue readback | Detailed roadmap exists with release, security, AgentShield, ECC Tools, legacy, and observability lanes | `publication-evidence-2026-05-15.md`: project and 16 issue lanes recorded | -| Operator readiness dashboard | `npm run operator:dashboard -- --json --allow-untracked docs/drafts/` | Current queue state mapped to macro-goal deliverables and incomplete gaps | `publication-evidence-2026-05-17.md`: generated from `27dc2918`, platform ready true, dashboard ready true, 0 open PRs, 0 open issues, 0 discussion gaps | +| Operator readiness dashboard | `npm run operator:dashboard -- --json --allow-untracked docs/drafts/` | Current queue state mapped to macro-goal deliverables and incomplete gaps | `publication-evidence-2026-05-18.md`: generated from `3b7e0ba3`, platform ready true, dashboard ready true, 0 open PRs, 0 open issues, 0 discussion gaps | ## Do Not Publish If diff --git a/scripts/operator-readiness-dashboard.js b/scripts/operator-readiness-dashboard.js index 715204d9..d872b002 100644 --- a/scripts/operator-readiness-dashboard.js +++ b/scripts/operator-readiness-dashboard.js 
@@ -372,7 +372,7 @@ function eccToolsNextLevelGap(roadmap) { function supplyChainLocalProtectionEvidence({ roadmap, scripts }) { if (scripts['security:advisory-sources'] === 'node scripts/ci/supply-chain-advisory-sources.js' && roadmap.includes('package-manager hardening Action outputs')) { - return 'scheduled supply-chain watch emits IOC/advisory-source refresh artifacts; ECC scanner covers gh-token-monitor token-store persistence; AgentShield now detects known AI-tool persistence IOCs, npm lifecycle/token drift, unsupported npm age-key drift, and pnpm/Yarn cooldown drift; ITO-57 has May 17 Linear evidence updates'; + return 'scheduled supply-chain watch emits IOC/advisory-source refresh artifacts; ECC scanner covers gh-token-monitor token-store persistence; AgentShield now detects known AI-tool persistence IOCs, npm lifecycle/token drift, unsupported npm age-key drift, and pnpm/Yarn cooldown drift; current-head watch evidence and ITO-57 May 18 Linear evidence updates are current'; } return scripts['security:advisory-sources'] === 'node scripts/ci/supply-chain-advisory-sources.js' @@ -390,10 +390,12 @@ function supplyChainLocalProtectionGap({ roadmap, scripts }) { } function hasCurrentLinearProgressSync({ roadmap, progressSync }) { - return includesAll(roadmap, [ - 'Linear live sync is current', - 'operator progress snapshot', - ]) && includesAll(progressSync, [ + const hasOperatorProgressSurface = roadmap.includes('operator progress snapshot') + || roadmap.includes('operator progress comment'); + + return roadmap.includes('Linear live sync is current') + && hasOperatorProgressSurface + && includesAll(progressSync, [ 'node scripts/work-items.js sync-github --repo ', 'node scripts/status.js --json', 'Linear remains the external status surface',
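Review bot: The new return literal in supplyChainLocalProtectionEvidence asserts that current-head watch evidence and the ITO-57 May 18 Linear updates "are current", but nothing visible checks freshness. The only conditions shown are that `scripts['security:advisory-sources']` equals the expected command and that the roadmap contains `'package-manager hardening Action outputs'`; neither is tied to a date, commit, or watch run. The dashboard will therefore keep printing this claim after the evidence has aged, which weakens a supply-chain readiness signal that release approvers rely on. I would drop the date and the freshness wording from the literal, for example ending it with `; watch-run and Linear evidence are recorded in the latest publication-evidence file`, or emit the sentence only when the roadmap carries a marker for the current head. The function body continues outside the hunk, so a freshness check may exist where I cannot see it.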
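Review bot: hasCurrentLinearProgressSync now accepts either `'operator progress snapshot'` or `'operator progress comment'` in the roadmap, and the code does not say why the gate was widened. The roadmap text in this commit gives the reason, so I would record it above `hasOperatorProgressSurface`: `// Linear project status updates are disabled in this workspace, so a project comment also counts as the progress surface.` Both `roadmap.includes(...)` calls match the phrase anywhere in the file, so a historical entry can presumably satisfy them; if the gate is meant to reflect the latest batch, consider restricting the search to the "Current Evidence" section. The `includesAll(progressSync, [...])` argument list runs past the end of the hunk.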