Refresh operator dashboard readiness markers

scripts/operator-readiness-dashboard.js

@@ -264,10 +264,17 @@ function hasAgentShieldEnterpriseTracking(roadmap) {
       || roadmap.includes('AgentShield #91')
       || roadmap.includes('checksum-backed policy export')
       || roadmap.includes('#78-#90')
+      || roadmap.includes('hosted promotion judge audit traces')
+      || roadmap.includes('operator-visible promotion output values')
     );
 }
 
 function agentShieldEnterpriseGap(roadmap) {
+  if (roadmap.includes('hosted promotion judge audit traces')
+    || roadmap.includes('operator-visible promotion output values')) {
+    return 'deepen live operator approval/readback after Marketplace/payment gates';
+  }
+
   if (roadmap.includes('#78-#92')
     || roadmap.includes('AgentShield PR #92')
     || roadmap.includes('AgentShield #92')
@@ -284,6 +291,63 @@ function agentShieldEnterpriseGap(roadmap) {
     : 'durable policy export and fleet-review workflow automation remain pending after reviewItems shipped';
 }
 
+function agentShieldEnterpriseEvidence(roadmap) {
+  if (roadmap.includes('hosted promotion judge audit traces')
+    || roadmap.includes('operator-visible promotion output values')) {
+    return 'AgentShield policy promotion `reviewItems` landed in `87aec47`; package-manager hardening drift detection landed in `28d08c7`; workflow action runtime pins were refreshed in `659f569`; npm age-gate guidance was corrected in `ee585cd`; package-manager hardening Action outputs landed in `1124535`; policy-promotion Action outputs and runtime-smoke job-summary evidence landed in `1593925`; ECC-Tools consumes those outputs in `8658951`, surfaces operator-readable status/pack/count/digest telemetry in `16c537f`, and renders hosted promotion judge audit traces in `05d4e82`; all are mirrored in the GA roadmap';
+  }
+
+  return 'AgentShield enterprise PR evidence is mirrored in the GA roadmap';
+}
+
+function eccToolsNextLevelEvidence(roadmap) {
+  if (roadmap.includes('production Marketplace readback state')
+    || roadmap.includes('eb69412')) {
+    return 'billing announcement gate, hosted analysis lanes, AgentShield fleet-summary consumption, hosted finding evidence paths, harness-route policy linking, policy-promotion Action-output telemetry, operator-visible promotion output details, hosted promotion judge audit traces, billing announcement preflight, and production KV readback state are mirrored in the GA roadmap';
+  }
+
+  if (roadmap.includes('hosted promotion judge audit traces')
+    || roadmap.includes('operator-visible promotion output values')) {
+    return 'billing announcement gate, hosted analysis lanes, AgentShield fleet-summary consumption, hosted finding evidence paths, harness-route policy linking, policy-promotion Action-output telemetry, operator-visible promotion output details, and hosted promotion judge audit traces are mirrored in the GA roadmap';
+  }
+
+  return 'billing announcement gate, hosted analysis lanes, AgentShield fleet-summary consumption, hosted finding evidence paths, and harness-route policy linking are mirrored in the GA roadmap';
+}
+
+function eccToolsNextLevelGap(roadmap) {
+  if (roadmap.includes('production Marketplace readback state')
+    || roadmap.includes('eb69412')) {
+    return 'complete Marketplace purchase/webhook readback, then run the live announcement gate';
+  }
+
+  if (roadmap.includes('hosted promotion judge audit traces')
+    || roadmap.includes('operator-visible promotion output values')) {
+    return 'live Marketplace test-account readback pending';
+  }
+
+  return 'live Marketplace test-account readback, hosted promotion telemetry, and richer operator review UX pending';
+}
+
+function supplyChainLocalProtectionEvidence({ roadmap, scripts }) {
+  if (scripts['security:advisory-sources'] === 'node scripts/ci/supply-chain-advisory-sources.js'
+    && roadmap.includes('package-manager hardening Action outputs')) {
+    return 'scheduled supply-chain watch emits IOC/advisory-source refresh artifacts; AgentShield now detects known AI-tool persistence IOCs, npm lifecycle/token drift, unsupported npm age-key drift, and pnpm/Yarn cooldown drift; ITO-57 has May 17 Linear evidence updates';
+  }
+
+  return scripts['security:advisory-sources'] === 'node scripts/ci/supply-chain-advisory-sources.js'
+    ? 'scheduled supply-chain watch now emits IOC and advisory-source refresh artifacts'
+    : 'scheduled supply-chain watch or advisory-source command is missing';
+}
+
+function supplyChainLocalProtectionGap({ roadmap, scripts }) {
+  if (scripts['security:advisory-sources'] === 'node scripts/ci/supply-chain-advisory-sources.js'
+    && roadmap.includes('package-manager hardening Action outputs')) {
+    return 'repeat advisory/source refresh and Linear sync after each significant supply-chain batch';
+  }
+
+  return 'Linear status synchronization remains ITO-57 follow-up after each significant merge batch';
+}
+
 function runCommand(command, args, options = {}) {
   const result = spawnSync(command, args, {
     cwd: options.cwd,
@@ -437,7 +501,7 @@ function buildRequirements(rootDir, platformReport) {
       hasAgentShieldEnterpriseTracking(roadmap)
         ? 'in_progress'
         : 'not_complete',
-      'AgentShield enterprise PR evidence is mirrored in the GA roadmap',
+      agentShieldEnterpriseEvidence(roadmap),
       agentShieldEnterpriseGap(roadmap)
     ),
     buildRequirement(
@@ -447,8 +511,8 @@ function buildRequirements(rootDir, platformReport) {
       includesAll(roadmap, ['ECC-Tools PR #78', 'hosted promotion', 'announcementGate'])
         ? 'in_progress'
         : 'not_complete',
-      'billing announcement gate, hosted analysis lanes, AgentShield fleet-summary consumption, hosted finding evidence paths, and harness-route policy linking are mirrored in the GA roadmap',
-      'live Marketplace test-account readback, hosted promotion telemetry, and richer operator review UX pending'
+      eccToolsNextLevelEvidence(roadmap),
+      eccToolsNextLevelGap(roadmap)
     ),
     buildRequirement(
       'legacy-salvage',
@@ -486,17 +550,15 @@ function buildRequirements(rootDir, platformReport) {
     buildRequirement(
       'supply-chain-local-protection',
       'Keep Mini Shai-Hulud/TanStack protection loop current',
-      'supply-chain watch plus runbook',
+      'supply-chain watch plus runbook plus AgentShield package-manager hardening',
       includesAll(supplyChainRunbook, ['TanStack', 'Mini Shai-Hulud', 'scan-supply-chain-iocs.js', 'supply-chain-advisory-sources.js'])
         && includesAll(supplyChainWorkflow, ['supply-chain-advisory-sources.js', 'supply-chain-advisory-sources.json'])
         && scripts['security:advisory-sources'] === 'node scripts/ci/supply-chain-advisory-sources.js'
         && fileExists(rootDir, '.github/workflows/supply-chain-watch.yml')
         ? 'current'
         : 'in_progress',
-      scripts['security:advisory-sources'] === 'node scripts/ci/supply-chain-advisory-sources.js'
-        ? 'scheduled supply-chain watch now emits IOC and advisory-source refresh artifacts'
-        : 'scheduled supply-chain watch or advisory-source command is missing',
-      'Linear status synchronization remains ITO-57 follow-up after each significant merge batch'
+      supplyChainLocalProtectionEvidence({ roadmap, scripts }),
+      supplyChainLocalProtectionGap({ roadmap, scripts })
     ),
   ];
 }
@@ -550,7 +612,7 @@ function buildReport(options) {
     next_work_order: [
       'Regenerate this dashboard from the final release commit before publication evidence is recorded.',
       'Continue ITO-57 with Linear status synchronization for the scheduled supply-chain watch advisory-source report.',
-      'Advance ECC Tools live Marketplace test-account readback before publishing native-payments announcement copy.',
+      'Complete ECC Tools Marketplace purchase/webhook readback, then run preflight and the live announcement gate before publishing native-payments copy.',
       'Resume ITO-45, ITO-46, and ITO-56 only after the generated dashboard and final release gates are refreshed.',
     ],
   };

tests/scripts/operator-readiness-dashboard.test.js

@@ -51,6 +51,11 @@ function seedRepo(rootDir, overrides = {}) {
       'AgentShield Enterprise Iteration',
       'ECC-Tools PR #78',
       'hosted promotion',
+      'operator-visible promotion output values',
+      'hosted promotion judge audit traces',
+      'package-manager hardening Action outputs',
+      'production Marketplace readback state',
+      'eb69412',
       'announcementGate',
       'ITO-55'
     ].join('\n'),
@@ -190,7 +195,24 @@ function runTests() {
       assert.ok(report.requirements.some(item => item.id === 'ecc-tools-next-level' && item.status === 'in_progress'));
       assert.ok(report.requirements.some(item => (
         item.id === 'agentshield-enterprise-iteration'
-          && item.gap === 'workflow automation around protected rollout and richer runtime review UX pending after policy promotion shipped'
+          && item.gap === 'deepen live operator approval/readback after Marketplace/payment gates'
+          && item.evidence.includes('policy-promotion Action outputs')
+          && item.evidence.includes('hosted promotion judge audit traces')
+      )));
+      assert.ok(report.requirements.some(item => (
+        item.id === 'ecc-tools-next-level'
+          && item.gap === 'complete Marketplace purchase/webhook readback, then run the live announcement gate'
+          && item.evidence.includes('operator-visible promotion output details')
+          && item.evidence.includes('hosted promotion judge audit traces')
+          && item.evidence.includes('billing announcement preflight')
+          && item.evidence.includes('production KV readback state')
+      )));
+      assert.ok(report.requirements.some(item => (
+        item.id === 'supply-chain-local-protection'
+          && item.artifact.includes('AgentShield package-manager hardening')
+          && item.evidence.includes('known AI-tool persistence IOCs')
+          && item.evidence.includes('unsupported npm age-key drift')
+          && item.gap === 'repeat advisory/source refresh and Linear sync after each significant supply-chain batch'
       )));
       assert.ok(report.top_actions.some(item => item.id === 'naming-and-plugin-publication'));
     } finally {
@@ -216,6 +238,10 @@ function runTests() {
         marker: 'checksum-verified policy promotion',
         gap: 'workflow automation around protected rollout and richer runtime review UX pending after policy promotion shipped'
       },
+      {
+        marker: 'hosted promotion judge audit traces',
+        gap: 'deepen live operator approval/readback after Marketplace/payment gates'
+      },
       {
         marker: '#78-#91',
         gap: 'workflow automation plus policy promotion/review UX pending after policy export shipped'