docs: add May 18 readiness evidence

docs/releases/2.0.0-rc.1/preview-pack-manifest.md

@@ -23,8 +23,10 @@ surfaces, or posting announcements.
 | `docs/releases/2.0.0-rc.1/publication-readiness.md` | Release gate | Requires fresh evidence from the exact release commit |
 | `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-15.md` | Current May 15 queue, roadmap, security, supply-chain watch, no-lifecycle CI install hardening, AgentShield #86 evidence-pack provenance, ECC Tools billing-gate, Actions cache purge, and `ecc2` test evidence through PR #1941 | Must be superseded by a final clean-checkout evidence file before real publication |
 | `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-16.md` | Current May 16/17 queue cleanup, recsys skill merge, GateGuard triage, PR #1947 supply-chain protection, AgentShield #87 plugin-cache confidence evidence, AgentShield #88 evidence-pack inspect/readback, AgentShield #89 evidence-pack fleet routing, AgentShield #90 fleet review items, AgentShield #91 policy export, AgentShield #92 policy promotion, ECC-Tools #76 fleet-summary consumption, ECC-Tools #77 hosted finding evidence paths, ECC-Tools #78 harness policy-route linking, dashboard refresh, and combined Node/Rust/release-surface gate evidence through the May 16 mirror | Must still be repeated from a strict clean checkout before real publication |
-| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-17.md` | Current May 17 queue-zero state, Japanese localization merge, Dependabot TypeScript and Node type merges, post-merge ja-JP lint repair, Mini Shai-Hulud/TanStack protection recheck, npm audit/signature checks, legacy and Linear progress routing, deterministic preview-pack smoke, operator dashboard refresh, Linear sync, and GitHub CI evidence for `27dc2918` | Current strongest readiness snapshot; must still be repeated from a strict clean checkout before real publication |
-| `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-17.md` | Current prompt-to-artifact operator dashboard | Shows PR/issue/discussion/platform/supply-chain gates current and publication, plugin, billing, AgentShield, ECC Tools, legacy, and Linear productization gaps still open |
+| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-17.md` | May 17 queue-zero state, Japanese localization merge, Dependabot TypeScript and Node type merges, post-merge ja-JP lint repair, Mini Shai-Hulud/TanStack protection recheck, npm audit/signature checks, legacy and Linear progress routing, deterministic preview-pack smoke, operator dashboard refresh, Linear sync, and GitHub CI evidence for `27dc2918` | Superseded by the May 18 evidence snapshot; repeat from a strict clean checkout before real publication |
+| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md` | Current May 18 queue-zero state, #1970/#1971/#1972 merge batch, current-head Mini Shai-Hulud/TanStack protection recheck, no-lifecycle install, npm audit/signature checks, AgentShield project `.claude` scan, work-items sync, Linear sync, operator dashboard refresh, and Supply-Chain Watch success for `3b7e0ba3` | Current strongest readiness snapshot; must still be repeated from a strict clean checkout before real publication |
+| `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-17.md` | Previous prompt-to-artifact operator dashboard | Superseded by the May 18 generated dashboard |
+| `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` | Current prompt-to-artifact operator dashboard | Shows PR/issue/discussion/platform/supply-chain gates current and publication, plugin, billing, AgentShield, ECC Tools, legacy, and Linear productization gaps still open |
 | `docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md` | Naming, slug, and publication-path decision record | Keeps `Everything Claude Code / ECC`, npm `ecc-universal`, and plugin slug `ecc` for rc.1 |
 | `docs/releases/2.0.0-rc.1/x-thread.md` | X launch draft | Must replace placeholders with live URLs after release/package/plugin publication |
 | `docs/releases/2.0.0-rc.1/linkedin-post.md` | LinkedIn launch draft | Must replace placeholders with live URLs after release/package/plugin publication |

docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md

@@ -0,0 +1,95 @@
+# ECC v2.0.0-rc.1 Publication Evidence - 2026-05-18
+
+This is release-readiness evidence only. It does not create a GitHub release,
+npm publication, plugin tag, marketplace submission, or announcement post.
+
+## Source Commit
+
+| Field | Evidence |
+| --- | --- |
+| Upstream main | `3b7e0ba30a027ffd3319c2f145c63076c296d80a` |
+| Git remote | `https://github.com/affaan-m/everything-claude-code.git` |
+| Evidence scope | Current `main` after PR #1970 workflow-security validator bypass fixes, PR #1971 metrics bridge cost-reporting fixes, PR #1972 `uncloud` skill merge, catalog/operator dashboard refresh, Mini Shai-Hulud/TanStack protection recheck, current-head Supply-Chain Watch, work-items sync, and Linear progress sync |
+| Local status caveat | `git status --short --branch` showed `## main...origin/main` plus unrelated untracked `docs/drafts/`; generated evidence files are committed after the source snapshot they describe |
+
+The actual release operator should repeat all publish-facing checks from the
+final release commit with a strictly clean checkout before publishing.
+
+## Queue And Discussion State
+
+| Surface | Command | Result |
+| --- | --- | --- |
+| Trunk PRs | `gh pr list --limit 100 --json number,title,state,author,updatedAt,url` | 0 open PRs |
+| Trunk issues | `gh issue list --limit 100 --json number,title,state,updatedAt,url,labels` | 0 open issues |
+| Discussion audit | `npm run discussion:audit -- --json` | Ready; 58 sampled discussions in `affaan-m/everything-claude-code`, 0 needing maintainer touch, 0 answerable discussions missing accepted answer, and 0 fetch errors |
+| Platform audit | `node scripts/platform-audit.js --json --allow-untracked docs/drafts/` | Ready; tracked repos report 0 open PRs, 0 open issues, 0 discussion maintainer-touch gaps, 0 answerable Q&A missing accepted answers, and 0 blocking dirty files |
+| Work-items sync | `node scripts/work-items.js sync-github --repo <tracked-repo>` for five tracked repos; `node scripts/status.js --json`; `node scripts/work-items.js list --json` | All five tracked repos synced with 0 open PRs/issues and no changed work items; local status reports 0 open, 0 blocked, and 0 closed work items |
+| Operator dashboard | `npm run operator:dashboard -- --markdown --allow-untracked docs/drafts/ --write docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` | Generated current dashboard for `3b7e0ba30a027ffd3319c2f145c63076c296d80a`; dashboard ready true, publication ready false because release, npm, plugin, billing, and announcement gates are approval-gated |
+
+Tracked repositories in the platform audit and work-items sync were:
+
+- `affaan-m/everything-claude-code`
+- `affaan-m/agentshield`
+- `affaan-m/JARVIS`
+- `ECC-Tools/ECC-Tools`
+- `ECC-Tools/ECC-website`
+
+## Merge And Triage Batch
+
+| Item | Result |
+| --- | --- |
+| PR #1970 | Merged workflow-security validator fixes for quoted `write-all` and `refs/pull/*` checkout bypasses; main includes `e06d0382` and `7bb31720` from that slice |
+| PR #1971 | Merged metrics bridge cost-reporting fixes, full costs-file scan behavior, and persistent warning de-duplication across hook subprocesses; main includes commits through `9b1d8918` |
+| PR #1972 | Merged `skills/uncloud/SKILL.md` with activation structure and uncloud command references; main includes `8b6aed0`, `2e5f30f`, and `caee7cf` |
+| Catalog/operator refresh | Pushed `3b7e0ba3` to refresh generated catalog count and operator dashboard state after #1972 |
+| Public queues | Rechecked after the merge batch; 0 PRs, 0 issues, and 0 discussion gaps remain across tracked repos |
+
+## Supply-Chain And Security Evidence
+
+| Gate | Command | Result |
+| --- | --- | --- |
+| Repo IOC scan | `npm run security:ioc-scan` | Passed; 198 files inspected |
+| Home persistence IOC scan | `node scripts/ci/scan-supply-chain-iocs.js --home --json` | Passed; 200 files inspected; `findings: []` |
+| Narrow active persistence sweep | Targeted search over user-level Claude, VS Code, LaunchAgent/systemd, local-bin, `/tmp`, and `/private/tmp` campaign paths | Existing active targets: 2; no campaign marker hits |
+| Scanner fixture tests | `node tests/ci/scan-supply-chain-iocs.test.js` | 18 passed, 0 failed |
+| Advisory source refresh | `node scripts/ci/supply-chain-advisory-sources.js --refresh --json` | Ready with 9 sources; live refresh produced 1 OpenAI URL warning from Node fetch while primary TanStack, GitHub advisory, StepSecurity, Wiz, Socket, npm, and CISA sources returned OK |
+| No-lifecycle install | `npm ci --ignore-scripts` | Completed cleanly; 213 packages installed, 0 vulnerabilities |
+| npm audit | `npm audit --audit-level=high` | 0 vulnerabilities |
+| npm signatures | `npm audit signatures` | 213 verified registry signatures; 17 verified attestations |
+| Workflow security | `node scripts/ci/validate-workflow-security.js` | Validated 8 workflow files |
+| AgentShield project scan | `npx --no-install ecc-agentshield scan --format json` | Grade A / 99; 0 critical, 0 high, 0 medium; 6 low docs-example skill telemetry/governance findings |
+| Current-head Supply-Chain Watch | `gh workflow run supply-chain-watch.yml --ref main`; `gh run watch 26009825837 --exit-status` | Completed successfully for `3b7e0ba30a027ffd3319c2f145c63076c296d80a`, including no-lifecycle install, npm audit/signature verification, scanner fixtures, advisory source fixtures, IOC/advisory report generation, workflow-security validation, and artifact upload |
+
+## Linear Progress Sync
+
+| Surface | Evidence |
+| --- | --- |
+| ITO-57 issue comment | `0b9931b9-1556-4ebc-a70c-f3635557625d` records May 18 queue counts, #1970/#1971/#1972 merge evidence, supply-chain verification, current-head watch URL, deferred gates, and next slices |
+| ECC platform project comment | `e32e5b7a-287b-4bf4-9ed7-314389a157e1` records the same current public queue, security, and remaining-gate state at the project level |
+| Project status update caveat | Linear returned "Project status updates are not enabled for this workspace"; project comment was used as the supported status surface |
+
+## Current Publication Blockers
+
+- GitHub prerelease `v2.0.0-rc.1` is still not created in this pass.
+- npm `ecc-universal@2.0.0-rc.1` is still not published to the `next`
+  dist-tag.
+- Claude plugin tag and marketplace propagation remain approval-gated.
+- Codex repo-marketplace distribution is verified for rc.1, but official
+  Plugin Directory publishing remains blocked on OpenAI's self-serve publishing
+  surface.
+- ECC Tools billing/native-payments copy remains blocked until a Marketplace
+  purchase/webhook path writes production `account-billing:*` and
+  `billing-state:*` records, then `npm run billing:announcement-gate --
+  --account <github-login>` returns an announcement-ready gate.
+- Release notes, X, LinkedIn, GitHub release, and longform copy still need final
+  live URLs after release/package/plugin URLs exist.
+- The local checkout still has unrelated untracked `docs/drafts/`, so a strict
+  clean-checkout release pass remains required before real publication.
+
+## Result
+
+The tracked public PR queue, issue queue, discussion queue, local work-items
+bridge, and Mini Shai-Hulud/TanStack protection loop are current on
+May 18, 2026 for `3b7e0ba3`. This improves publication readiness but does not
+replace the approval-gated release, package, plugin, billing, and announcement
+steps in `publication-readiness.md`.

docs/releases/2.0.0-rc.1/publication-readiness.md

@@ -35,11 +35,19 @@ Shai-Hulud/TanStack local protection recheck, legacy-tail and Linear progress
 routing, deterministic preview-pack smoke gate, and current operator dashboard
 refresh, see
 [`publication-evidence-2026-05-17.md`](publication-evidence-2026-05-17.md).
+For the May 18 current-head queue, workflow-security/metrics/uncloud merge
+batch, Mini Shai-Hulud/TanStack local and home protection recheck, npm
+no-lifecycle install/audit/signature gates, AgentShield project scan,
+work-items sync, Linear progress comments, operator dashboard refresh, and
+current-head Supply-Chain Watch, see
+[`publication-evidence-2026-05-18.md`](publication-evidence-2026-05-18.md).
 For the operator-facing prompt-to-artifact readiness dashboard from the same
 May 16 pass, see
 [`operator-readiness-dashboard-2026-05-15.md`](operator-readiness-dashboard-2026-05-15.md).
 For the May 17 operator dashboard refresh, see
 [`operator-readiness-dashboard-2026-05-17.md`](operator-readiness-dashboard-2026-05-17.md).
+For the May 18 operator dashboard refresh, see
+[`operator-readiness-dashboard-2026-05-18.md`](operator-readiness-dashboard-2026-05-18.md).
 
 ## Release Identity Matrix
 
@@ -84,7 +92,7 @@ Record the exact commit SHA and command output before any publication action:
 | Adapter scorecard | `npm run harness:adapters -- --check` | PASS | `publication-evidence-2026-05-16.md`: PASS, 11 adapters |
 | Observability readiness | `npm run observability:ready` | 21/21 passing | `publication-evidence-2026-05-17.md`: 21/21, ready yes |
 | Release safety gate | `npm run observability:ready -- --format json` | Release Safety category passing with publication readiness, supply-chain, workflow security, package surface, and release-surface evidence | `publication-evidence-2026-05-13-post-hardening.md`: Release Safety 3/3 |
-| Supply-chain verification | `npm audit --json`; `npm audit signatures`; `cd ecc2 && cargo audit -q`; Dependabot alerts; GitGuardian Security Checks | 0 vulnerabilities/alerts, registry signatures verified, GitGuardian clean | `publication-evidence-2026-05-17.md`: npm registry signatures and attestations verified, 0 high-or-higher npm vulnerabilities, supply-chain IOC scan clean |
+| Supply-chain verification | `npm audit --json`; `npm audit signatures`; `cd ecc2 && cargo audit -q`; Dependabot alerts; GitGuardian Security Checks | 0 vulnerabilities/alerts, registry signatures verified, GitGuardian clean | `publication-evidence-2026-05-18.md`: npm registry signatures and attestations verified, 0 high-or-higher npm vulnerabilities, repo/home IOC scans clean, current-head Supply-Chain Watch passed |
 | Root suite | `node tests/run-all.js` | 0 failures | `publication-evidence-2026-05-17.md`: `npm test` passed 2487/2487, 0 failed |
 | Markdown lint | `npx markdownlint-cli '**/*.md' --ignore node_modules` | 0 failures | `publication-evidence-2026-05-17.md`: passed after ja-JP autonomous-loop anchor repair |
 | Package surface | `node tests/scripts/npm-publish-surface.test.js` | 0 failures; no Python bytecode in npm tarball | `2/2` passed in May 12 evidence pass |
@@ -93,7 +101,7 @@ Record the exact commit SHA and command output before any publication action:
 | Queue baseline | `gh pr list` / `gh issue list` across trunk, AgentShield, JARVIS, ECC Tools, and ECC website | Under 20 open PRs and under 20 open issues | `publication-evidence-2026-05-17.md`: platform audit ready, 0 open PRs and 0 open issues across checked repos |
 | Discussion baseline | `node scripts/discussion-audit.js --json` | No unmanaged active discussion queue and no answerable Q&A missing an accepted answer | `publication-evidence-2026-05-15.md`: 58 trunk discussions, 0 without maintainer touch; other tracked repos disabled or 0 |
 | Linear roadmap | Linear project and issue readback | Detailed roadmap exists with release, security, AgentShield, ECC Tools, legacy, and observability lanes | `publication-evidence-2026-05-15.md`: project and 16 issue lanes recorded |
-| Operator readiness dashboard | `npm run operator:dashboard -- --json --allow-untracked docs/drafts/` | Current queue state mapped to macro-goal deliverables and incomplete gaps | `publication-evidence-2026-05-17.md`: generated from `27dc2918`, platform ready true, dashboard ready true, 0 open PRs, 0 open issues, 0 discussion gaps |
+| Operator readiness dashboard | `npm run operator:dashboard -- --json --allow-untracked docs/drafts/` | Current queue state mapped to macro-goal deliverables and incomplete gaps | `publication-evidence-2026-05-18.md`: generated from `3b7e0ba3`, platform ready true, dashboard ready true, 0 open PRs, 0 open issues, 0 discussion gaps |
 
 ## Do Not Publish If