docs: refresh publication readiness gate

Adds the Blender motion state inspection skill with maintainer refinements for tools metadata, usage guidance, meter-scale threshold assumptions, and Blender interpreter notes.

.claude-plugin/marketplace.json

@@ -11,7 +11,7 @@
     {
       "name": "ecc",
       "source": "./",
-      "description": "The most comprehensive Claude Code plugin — 60 agents, 231 skills, 75 legacy command shims, selective install profiles, and production-ready hooks for TDD, security scanning, code review, and continuous learning",
+      "description": "The most comprehensive Claude Code plugin — 60 agents, 232 skills, 75 legacy command shims, selective install profiles, and production-ready hooks for TDD, security scanning, code review, and continuous learning",
       "version": "2.0.0-rc.1",
       "author": {
         "name": "Affaan Mustafa",

.claude-plugin/plugin.json

@@ -1,7 +1,7 @@
 {
   "name": "ecc",
   "version": "2.0.0-rc.1",
-  "description": "Battle-tested Claude Code plugin for engineering teams — 60 agents, 231 skills, 75 legacy command shims, production-ready hooks, and selective install workflows evolved through continuous real-world use",
+  "description": "Battle-tested Claude Code plugin for engineering teams — 60 agents, 232 skills, 75 legacy command shims, production-ready hooks, and selective install workflows evolved through continuous real-world use",
   "author": {
     "name": "Affaan Mustafa",
     "url": "https://x.com/affaanmustafa"

AGENTS.md

@@ -1,6 +1,6 @@
 # Everything Claude Code (ECC) — Agent Instructions
 
-This is a **production-ready AI coding plugin** providing 60 specialized agents, 231 skills, 75 commands, and automated hook workflows for software development.
+This is a **production-ready AI coding plugin** providing 60 specialized agents, 232 skills, 75 commands, and automated hook workflows for software development.
 
 **Version:** 2.0.0-rc.1
 
@@ -150,7 +150,7 @@ Troubleshoot failures: check test isolation → verify mocks → fix implementat
 
 ```
 agents/          — 60 specialized subagents
-skills/          — 231 workflow skills and domain knowledge
+skills/          — 232 workflow skills and domain knowledge
 commands/        — 75 slash commands
 hooks/           — Trigger-based automations
 rules/           — Always-follow guidelines (common + per-language)

README.md

@@ -123,7 +123,7 @@ This repo is the raw code only. The guides explain everything.
 ### v2.0.0-rc.1 — Surface Refresh, Operator Workflows, and ECC 2.0 Alpha (Apr 2026)
 
 - **Dashboard GUI** — New Tkinter-based desktop application (`ecc_dashboard.py` or `npm run dashboard`) with dark/light theme toggle, font customization, and project logo in header and taskbar.
-- **Public surface synced to the live repo** — metadata, catalog counts, plugin manifests, and install-facing docs now match the actual OSS surface: 60 agents, 231 skills, and 75 legacy command shims.
+- **Public surface synced to the live repo** — metadata, catalog counts, plugin manifests, and install-facing docs now match the actual OSS surface: 60 agents, 232 skills, and 75 legacy command shims.
 - **Operator and outbound workflow expansion** — `brand-voice`, `social-graph-ranker`, `connections-optimizer`, `customer-billing-ops`, `ecc-tools-cost-audit`, `google-workspace-ops`, `project-flow-ops`, and `workspace-surface-audit` round out the operator lane.
 - **Media and launch tooling** — `manim-video`, `remotion-video-creation`, and upgraded social publishing surfaces make technical explainers and launch content part of the same system.
 - **Framework and product surface growth** — `nestjs-patterns`, richer Codex/OpenCode install surfaces, and expanded cross-harness packaging keep the repo usable beyond Claude Code alone.
@@ -392,7 +392,7 @@ If you stacked methods, clean up in this order:
 /plugin list ecc@ecc
 ```
 
-**That's it!** You now have access to 60 agents, 231 skills, and 75 legacy command shims.
+**That's it!** You now have access to 60 agents, 232 skills, and 75 legacy command shims.
 
 ### Dashboard GUI
 
@@ -1423,7 +1423,7 @@ The configuration is automatically detected from `.opencode/opencode.json`.
 |---------|-------------|----------|--------|
 | Agents | PASS: 60 agents | PASS: 12 agents | **Claude Code leads** |
 | Commands | PASS: 75 commands | PASS: 35 commands | **Claude Code leads** |
-| Skills | PASS: 231 skills | PASS: 37 skills | **Claude Code leads** |
+| Skills | PASS: 232 skills | PASS: 37 skills | **Claude Code leads** |
 | Hooks | PASS: 8 event types | PASS: 11 events | **OpenCode has more!** |
 | Rules | PASS: 29 rules | PASS: 13 instructions | **Claude Code leads** |
 | MCP Servers | PASS: 14 servers | PASS: Full | **Full parity** |
@@ -1585,7 +1585,7 @@ ECC is the **first plugin to maximize every major AI coding tool**. Here's how e
 |---------|------------|------------|-----------|----------|----------------|
 | **Agents** | 60 | Shared (AGENTS.md) | Shared (AGENTS.md) | 12 | N/A |
 | **Commands** | 75 | Shared | Instruction-based | 35 | 6 prompts |
-| **Skills** | 231 | Shared | 10 (native format) | 37 | Via instructions |
+| **Skills** | 232 | Shared | 10 (native format) | 37 | Via instructions |
 | **Hook Events** | 8 types | 15 types | None yet | 11 types | None |
 | **Hook Scripts** | 20+ scripts | 16 scripts (DRY adapter) | N/A | Plugin hooks | N/A |
 | **Rules** | 34 (common + lang) | 34 (YAML frontmatter) | Instruction-based | 13 instructions | 1 always-on file |

README.zh-CN.md

@@ -160,7 +160,7 @@ Copy-Item -Recurse rules/typescript "$HOME/.claude/rules/"
 /plugin list ecc@ecc
 ```
 
-**完成！** 你现在可以使用 60 个代理、231 个技能和 75 个命令。
+**完成！** 你现在可以使用 60 个代理、232 个技能和 75 个命令。
 
 ### multi-* 命令需要额外配置
 

docs/ECC-2.0-GA-ROADMAP.md

@@ -24,6 +24,14 @@ As of 2026-05-18:
   local `docs/drafts/` directory. The May 18 sync also refreshed
   `scripts/work-items.js sync-github` across all five tracked repos, leaving
   no open or blocked local work items.
+- Owner-wide queue cleanup is also inside the requested budget:
+  `docs/releases/2.0.0-rc.1/owner-queue-cleanup-2026-05-18.md` records the
+  live `gh search` sweep that closed 24 stale dependency-bot PRs and 72 stale
+  legacy payments/0EM roadmap issues, then closed the 9 remaining stale,
+  generated, conflicting, or test/noise PRs and the 5 remaining legacy,
+  outreach, or placeholder issues. The broader `affaan-m` owner namespace is
+  now at 0 open PRs and 0 open issues by live `gh search`. Archived repos
+  touched during closure were restored to archived state.
 - GitHub discussions are current across those tracked repos:
   `affaan-m/everything-claude-code` has 58 total discussions and 0 without
   maintainer touch after May 15 maintainer updates on #73 and #1239; AgentShield,
@@ -41,13 +49,18 @@ As of 2026-05-18:
   comment is the supported external status surface.
 - The latest May 18 merge batch on `main` includes PR #1970 workflow-security
   validator bypass fixes, PR #1971 metrics bridge cost-reporting and warning
-  de-dup fixes, PR #1972 `uncloud` skill activation structure, and
+  de-dup fixes, PR #1972 `uncloud` skill activation structure, PR #1976
-  `3b7e0ba3` catalog/operator dashboard refresh.
+  OpenAI/AstraFlow provider response guards, ECC-Tools Wrangler OAuth billing
+  readback mirror evidence, the `04d4d819` defensive-deny IOC scanner hardening
+  recheck, and release evidence with a refreshed operator dashboard.
 - `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md` records the
   May 18 queue-zero state, current-head TanStack/Mini Shai-Hulud protection
   recheck, no-lifecycle npm install, npm audit/signature checks, AgentShield
   project `.claude` scan, Linear sync, work-items sync, operator dashboard
-  refresh, and current-head Supply-Chain Watch success for `3b7e0ba3`.
+  refresh, PR #1976 provider-guard validation, ECC-Tools Wrangler OAuth billing
+  readback evidence, defensive-deny IOC scanner coverage, and current-head CI
+  success for `04d4d819`; a detached clean-worktree preview-pack smoke from
+  `742bc58d` passed 5/5 with digest `59bbf2630a44`.
 - `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md`
   regenerates the ITO-44 prompt-to-artifact dashboard from live platform audit
   evidence: PR queue, issue queue, discussion queue, local worktree gate,
@@ -76,8 +89,8 @@ As of 2026-05-18:
 - `npm run harness:audit -- --format json` reports 70/70 on current `main`.
 - `npm run observability:ready` reports 21/21 readiness on current `main`,
   including the GitHub/Linear/handoff/roadmap progress-sync contract.
-- GitHub CI run `26009328404` completed successfully for
+- GitHub CI run `26017368895` completed successfully for
-  `3b7e0ba30a027ffd3319c2f145c63076c296d80a`, including Validate Components,
+  `04d4d81938b20ac2bac1f0025145ab77d6a59f5f`, including Validate Components,
   Coverage, Lint, Security Scan, and the full Node/package-manager matrix.
 - Supply-Chain Watch run `26009825837` completed successfully for
   `3b7e0ba30a027ffd3319c2f145c63076c296d80a`, including no-lifecycle install,
@@ -282,18 +295,47 @@ As of 2026-05-18:
   pass the announcement gate yet.
 - ECC-Tools commit `95d0bec69dbcf364ed084e983a40d0a94d443d16`
   adds repeatable aggregate production KV readback with
-  `npm run billing:kv-readback`: the latest run found 252
+  `npm run billing:kv-readback`: the latest API-authenticated run found 253
-  `account-billing:*` records and 252 `billing-state:*` records, but 0
+  `account-billing:*` records and 253 `billing-state:*` records, but 0
   Marketplace-managed Pro `billing-state:*` records, so native-payments copy
   remains blocked until `--require-ready` and the official internal
   announcement gate pass.
 - ECC-Tools commit `285967807ea7b5eb3146bc984fb2229db67d4290`
   requires GitHub Marketplace webhook provenance on Pro billing-state records
   before native-payments announcement readiness can pass. The CI run
-  `26013559229` succeeded for the pushed head, but live readback is still
+  `26013559229` succeeded for the pushed head.
-  blocked until the Cloudflare credential in the vault is replaced with a
+- ECC-Tools commit `42653f9140c232961280d961ed76a6142433cfa1`
-  valid token or key/email pair and a real Marketplace-managed Pro webhook
+  adds `npm run billing:kv-readback -- --wrangler` so operators can run the
-  creates billing-state provenance.
+  aggregate production KV readback through an authenticated Wrangler OAuth
+  session instead of requiring a separate Cloudflare API token/global key. CI
+  run `26016223013` succeeded, and the latest live readback found 253
+  `account-billing:*` records and 253 `billing-state:*` records with 194
+  marketplace/free states, 59 Stripe/pro states, 0 Marketplace Pro states, 0
+  ready-like Marketplace Pro states, and 0 parse failures. Native-payments
+  copy remains blocked until a real Marketplace-managed Pro webhook creates
+  billing-state provenance and `--require-ready` plus the official internal
+  announcement gate pass.
+- ECC-Tools commit `632e059e51b6e1297ba118807c8b5b2adbac74ce`
+  adds target account billing readback with `npm run billing:kv-readback -- --account <github-login> --require-ready`.
+  The report redacts the account login and raw KV keys, emits only a stable
+  fingerprint plus sanitized readiness booleans, and now requires both
+  `account-billing:<login>` and `billing-state:<login>` before a target
+  Marketplace Pro test account can pass the native-payments announcement
+  readback gate. CI run `26018941515` succeeded. The 2026-05-18 live recheck
+  split out Linear ITO-61 for the target-account blocker.
+- ECC-Tools commit `d5f60db` adds sanitized Marketplace-source provenance
+  counts to `npm run billing:kv-readback`, including
+  `marketplaceSourceRecords`, `marketplaceSourceWithWebhookEvidence`,
+  `marketplaceSourceWithoutWebhookEvidence`, `byMarketplacePlanName`, and
+  `byMarketplaceEventAction`. The 2026-05-18 live Wrangler OAuth readback
+  found 254 account-billing records, 254 billing-state records, 195
+  Marketplace-source records, 59 Stripe-source records, 53 Pro records, 0
+  Marketplace Pro records, 2 Marketplace webhook-provenance records, both
+  `Open Source` purchases, and 193 Marketplace-source records without webhook
+  provenance. Native-payments copy remains blocked by Linear ITO-61 until a
+  real Marketplace-managed Pro webhook creates target account provenance and
+  `billing:kv-readback -- --wrangler --wrangler-bin ./node_modules/.bin/wrangler --account <github-login> --require-ready`
+  plus the official internal announcement gate pass.
 - Handoff `ecc-supply-chain-audit-20260513-0645.md` under
   `~/.cluster-swarm/handoffs/`
   records the May 13 supply-chain sweep: no active lockfile/manifest hit for
@@ -650,21 +692,21 @@ is not complete unless the evidence column exists and has been freshly verified.
 
 | Prompt requirement | Required artifact or gate | Current evidence | Status |
 | --- | --- | --- | --- |
-| Keep public PRs below 20 | Repo-family PR recheck | 0 open PRs across `everything-claude-code`, AgentShield, JARVIS, `ECC-Tools/ECC-Tools`, and `ECC-Tools/ECC-website` on 2026-05-17 after merging ECC #1961, #1963, and #1953 and closing/skipping incompatible #1962 | Complete |
+| Keep public PRs below 20 | Repo-family PR recheck | 0 open PRs across `everything-claude-code`, AgentShield, JARVIS, `ECC-Tools/ECC-Tools`, and `ECC-Tools/ECC-website` on 2026-05-18 after merging PR #1976 and refreshing platform audit evidence | Complete |
-| Keep public issues below 20 | Repo-family issue recheck | 0 open issues across `everything-claude-code`, AgentShield, JARVIS, `ECC-Tools/ECC-Tools`, and `ECC-Tools/ECC-website` on 2026-05-17; #1951 closed with #1953 | Complete |
+| Keep public issues below 20 | Repo-family issue recheck | 0 open issues across `everything-claude-code`, AgentShield, JARVIS, `ECC-Tools/ECC-Tools`, and `ECC-Tools/ECC-website` on 2026-05-18 after the live platform audit refresh | Complete |
 | Manage repository discussions | Repo-family discussion recheck | Platform audit reports 0 discussion maintainer-touch gaps and 0 answerable Q&A missing accepted answers; trunk still has 58 total discussions | Complete |
-| Manage PR discussions | PR review/comment closure plus merge/close state | ECC #1961, #1963, and #1953 merged after maintainer validation; no open tracked PRs remain | Complete |
+| Manage PR discussions | PR review/comment closure plus merge/close state | ECC #1976 merged after maintainer follow-up validation; no open tracked PRs remain | Complete |
 | Salvage useful stale work | `docs/stale-pr-salvage-ledger.md` plus `docs/legacy-artifact-inventory.md` | Ledger records salvaged, superseded, skipped, and manual-review tails; #1815-#1818 added cost tracking, skill scout, frontend design guidance, code-reviewer false-positive guardrails, and the May 12 gap pass; #1687, #1609, #1563, #1564, and #1565 localization tails are attached to Linear ITO-55 for language-owner review and no automatic import remains release-blocking | Complete; repeat legacy scan before release |
-| ECC 2.0 preview pack ready | Release docs, quickstart, publication readiness, release notes | `docs/releases/2.0.0-rc.1/` and readiness docs are in-tree; May 18 evidence records queue-zero state, #1970/#1971/#1972 merge batch, supply-chain recheck, npm no-lifecycle install/audit/signature gates, Linear sync, operator dashboard, and successful current-head Supply-Chain Watch on `3b7e0ba3` | Needs final clean-checkout release approval |
+| ECC 2.0 preview pack ready | Release docs, quickstart, publication readiness, release notes | `docs/releases/2.0.0-rc.1/` and readiness docs are in-tree; May 18 evidence records queue-zero state, #1970/#1971/#1972/#1976 merge batch, supply-chain recheck, defensive-deny IOC scanner hardening, npm no-lifecycle install/audit/signature gates, Linear sync, refreshed operator dashboard, provider-guard validation, ECC-Tools Wrangler OAuth billing readback evidence, successful current-head CI on `04d4d819`, and detached clean-worktree preview-pack smoke digest `59bbf2630a44` | Needs final release approval |
 | Hermes specialized skills included safely | Hermes setup/import docs and sanitized skill surface | Hermes setup and import playbook are public; secrets stay local | Needs final release review |
 | Naming and rename readiness | Naming matrix across package/plugin/docs/social surfaces | `docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md` records current package, repo, Claude plugin, Codex plugin, OpenCode, and npm availability evidence | Complete for rc.1; post-rc rename remains future work |
 | Claude and Codex plugin publication | Contact/submission path with required artifacts and status | Publication readiness, naming matrix, and May 12 dry-run evidence document plugin validation, clean-checkout Claude tag/install smoke, and Codex marketplace CLI shape | Needs explicit approval for real tag/push and marketplace submission |
 | Articles, tweets, and announcements | X thread, LinkedIn copy, GitHub release copy, push checklist | Draft launch collateral exists under rc.1 release docs | Needs URL-backed refresh |
-| AgentShield enterprise iteration | Policy gates, SARIF, packs, provenance, corpus, HTML reports, exception lifecycle audit, baseline drift Action/CLI surfaces, evidence-pack redaction, harness adapter registry, enterprise research roadmap, supply-chain hardened release path, CI-safe baseline fingerprints, corpus accuracy recommendations, remediation workflow phases, env proxy hijack corpus coverage, Mini Shai-Hulud full-campaign package IOCs, CI-provenance evidence packs, plugin-cache runtime-confidence triage, evidence-pack consumer readback, fleet-level evidence-pack routing, fleet review items, checksum-backed policy export, checksum-verified policy promotion, policy promotion review items, package-manager hardening drift detection, npm age-gate guidance correction, workflow action-runtime pin refresh, package-manager hardening Action outputs, policy-promotion Action outputs, ECC-Tools hosted consumption of promotion Action outputs, ECC-Tools operator-visible promotion output values, and ECC-Tools hosted promotion judge audit traces | PRs #53, #55-#64, #67-#69, and #78-#92 landed with test evidence, ECC-Tools #76 consumes the fleet-summary output in hosted security review, #77 surfaces source evidence paths in hosted finding output, and #78 links fleet routes to harness owner review; AgentShield #91 adds `agentshield policy export` bundles for branch-protection review and downstream promotion; AgentShield #92 adds `agentshield policy promote` with digest verification, tamper rejection, explicit pack selection, dry-run review, and JSON output before writing active policy; AgentShield commit `87aec47` adds `reviewItems` for digest evidence, owner review, protected rollout PR handoff, and runtime smoke testing with green local and remote CI; AgentShield commit `28d08c7` adds package-manager hardening drift detection for plaintext registry credentials, lifecycle-script enablement, and weak pnpm/Yarn release-age cooldowns with green local and remote CI; AgentShield commit `659f569` refreshes all workflow action runtime pins to SHA-pinned checkout v6.0.2 and setup-node v6.4.0 with green remote CI and no remaining action-runtime deprecation annotation; AgentShield commit `ee585cd` corrects npm release-age guidance by flagging unsupported npm age keys and keeping enforceable cooldown findings on pnpm/Yarn with green local and remote CI; AgentShield commit `1124535` exposes package-manager hardening status/count outputs and a redacted job-summary section for registry credentials, lifecycle scripts, and release-age gates with green local and remote CI; AgentShield commit `1593925` exposes policy-promotion status/count/digest outputs plus job-summary review items for owner approval, protected rollout, and runtime smoke, and marks runtime smoke verified when the same Action job scans with the promoted policy; ECC-Tools commit `8658951` routes those policy-promotion Action outputs into hosted security review findings and Hosted Promotion Readiness scoring; ECC-Tools commit `16c537f` renders policy-promotion status, pack, review item count, action-required count, and digest in hosted security job comments/check-runs; ECC-Tools commit `05d4e82` renders hosted promotion judge request fingerprints and allowed-citation counts without raw provider output; native PDF export deferred in favor of self-contained HTML plus print-to-PDF until explicit enterprise demand appears; `docs/architecture/agentshield-enterprise-research-roadmap.md` now has baseline drift, evidence-pack bundle, redaction, adapter-registry, supply-chain hardening, hashed baseline fingerprints, corpus accuracy recommendation, remediation workflow, env proxy hijack corpus, Mini Shai-Hulud full-campaign package-table, `ci-context.json` provenance, `plugin-cache` confidence, `evidence-pack inspect` readback, `evidence-pack fleet` routing, fleet `reviewItems`, policy export, policy promotion, policy promotion `reviewItems`, package-manager hardening Action outputs, policy-promotion Action outputs, hosted consumption of promotion Action outputs, operator-visible promotion output values, and hosted promotion judge audit traces landed | Next workflow automation should deepen live operator approval/readback after Marketplace/payment gates |
+| AgentShield enterprise iteration | Policy gates, SARIF, packs, provenance, corpus, HTML reports, exception lifecycle audit, baseline drift Action/CLI surfaces, evidence-pack redaction, harness adapter registry, enterprise research roadmap, supply-chain hardened release path, CI-safe baseline fingerprints, corpus accuracy recommendations, remediation workflow phases, env proxy hijack corpus coverage, Mini Shai-Hulud full-campaign package IOCs, CI-provenance evidence packs, plugin-cache runtime-confidence triage, evidence-pack consumer readback, fleet-level evidence-pack routing, fleet review items, fleet review ticket payloads, checksum-backed policy export, checksum-verified policy promotion, policy promotion review items, package-manager hardening drift detection, npm age-gate guidance correction, workflow action-runtime pin refresh, package-manager hardening Action outputs, policy-promotion Action outputs, ECC-Tools hosted consumption of promotion Action outputs, ECC-Tools operator-visible promotion output values, and ECC-Tools hosted promotion judge audit traces | PRs #53, #55-#64, #67-#69, and #78-#92 landed with test evidence, ECC-Tools #76 consumes the fleet-summary output in hosted security review, #77 surfaces source evidence paths in hosted finding output, and #78 links fleet routes to harness owner review; AgentShield #91 adds `agentshield policy export` bundles for branch-protection review and downstream promotion; AgentShield #92 adds `agentshield policy promote` with digest verification, tamper rejection, explicit pack selection, dry-run review, and JSON output before writing active policy; AgentShield commit `87aec47` adds `reviewItems` for digest evidence, owner review, protected rollout PR handoff, and runtime smoke testing with green local and remote CI; AgentShield commit `28d08c7` adds package-manager hardening drift detection for plaintext registry credentials, lifecycle-script enablement, and weak pnpm/Yarn release-age cooldowns with green local and remote CI; AgentShield commit `659f569` refreshes all workflow action runtime pins to SHA-pinned checkout v6.0.2 and setup-node v6.4.0 with green remote CI and no remaining action-runtime deprecation annotation; AgentShield commit `ee585cd` corrects npm release-age guidance by flagging unsupported npm age keys and keeping enforceable cooldown findings on pnpm/Yarn with green local and remote CI; AgentShield commit `1124535` exposes package-manager hardening status/count outputs and a redacted job-summary section for registry credentials, lifecycle scripts, and release-age gates with green local and remote CI; AgentShield commit `1593925` exposes policy-promotion status/count/digest outputs plus job-summary review items for owner approval, protected rollout, and runtime smoke, and marks runtime smoke verified when the same Action job scans with the promoted policy; AgentShield commit `840952a` adds Linear/operator-ready fleet review ticket payloads and expands current Mini Shai-Hulud IOC breadcrumbs with green local and remote CI; ECC-Tools commit `8658951` routes those policy-promotion Action outputs into hosted security review findings and Hosted Promotion Readiness scoring; ECC-Tools commit `16c537f` renders policy-promotion status, pack, review item count, action-required count, and digest in hosted security job comments/check-runs; ECC-Tools commit `05d4e82` renders hosted promotion judge request fingerprints and allowed-citation counts without raw provider output; native PDF export deferred in favor of self-contained HTML plus print-to-PDF until explicit enterprise demand appears; `docs/architecture/agentshield-enterprise-research-roadmap.md` now has baseline drift, evidence-pack bundle, redaction, adapter-registry, supply-chain hardening, hashed baseline fingerprints, corpus accuracy recommendation, remediation workflow, env proxy hijack corpus, Mini Shai-Hulud full-campaign package-table, `ci-context.json` provenance, `plugin-cache` confidence, `evidence-pack inspect` readback, `evidence-pack fleet` routing, fleet `reviewItems`, fleet review ticket payloads, policy export, policy promotion, policy promotion `reviewItems`, package-manager hardening Action outputs, policy-promotion Action outputs, hosted consumption of promotion Action outputs, operator-visible promotion output values, and hosted promotion judge audit traces landed | Next workflow automation should deepen live operator approval/readback after Marketplace/payment gates |
-| ECC Tools next-level app | Billing audit, PR checks, deep analyzer, sync backlog, evaluator/RAG corpus, analysis-depth readiness, hosted execution planning, hosted CI diagnostics, hosted security evidence review, hosted harness compatibility audit, hosted reference-set evaluation, hosted AI routing/cost review, hosted team backlog routing, hosted depth-plan check-run, PR-comment hosted job dispatch, hosted job result history/check-runs, hosted result status command, status-aware depth-plan recommendations, hosted promotion readiness, hosted promotion output scoring, hosted promotion retrieval planning, hosted promotion judge contract, gated hosted promotion judge execution, hosted promotion judge audit trace, payment-announcement readiness, billing announcement preflight, aggregate production billing KV readback, Marketplace webhook provenance, AgentShield fleet-summary hosted routing, hosted finding source-evidence surfacing, harness policy-route review, policy-promotion Action-output hosted telemetry, and operator-visible promotion output values | PRs #26-#43 plus #53-#78 landed with test evidence, including AgentShield evidence-pack gap routing, canonical bundle recognition, supply-chain signature gates, PR draft follow-up Linear tracking, evidence-backed/deep-ready repository classification, the `/api/analysis/depth-plan` hosted job plan, `/api/analysis/jobs/ci-diagnostics`, `/api/analysis/jobs/security-evidence-review`, `/api/analysis/jobs/harness-compatibility-audit`, `/api/analysis/jobs/reference-set-evaluation`, `/api/analysis/jobs/ai-routing-cost-review`, `/api/analysis/jobs/team-backlog-routing`, the `ECC Tools / Hosted Depth Plan` check-run, `/ecc-tools analyze --job ...` PR-comment dispatch, non-blocking per-hosted-job result check-runs backed by 30-day result cache records, `/ecc-tools analyze --job status` cache lookup, cache-aware next-job recommendations in the depth-plan check-run, the `ECC Tools / Hosted Promotion Readiness` corpus-backed PR check-run, deterministic hosted-output scoring against cached completed job artifacts/findings, ranked retrieval/model-prompt planning, the fail-closed `hosted-promotion-judge.v1` request contract, opt-in live model-judge execution behind hosted evidence, entitlement, budget, provider, executor, strict JSON, and citation gates, hosted promotion judge request fingerprints plus allowed-citation audit trails, a fail-closed `/api/billing/readiness` `announcementGate` for native GitHub payments claims, `npm run billing:announcement-gate` plus `--preflight` as the non-secret operator verifier, hosted security findings for AgentShield fleet summaries, an `Evidence` column in hosted finding comments/check-runs, hosted harness findings that route AgentShield fleet target paths to harness owners, ECC-Tools commit `8658951` routing AgentShield policy-promotion Action outputs into hosted security review and promotion-readiness scoring, ECC-Tools commit `16c537f` rendering policy-promotion status/pack/count/digest values directly in hosted security job comments/check-runs, ECC-Tools commit `05d4e82` rendering model-judge audit traces without exposing raw provider output, ECC-Tools commit `91a441b` adding the safe billing announcement preflight path, ECC-Tools commit `eb69412` recording the initial production readback state, ECC-Tools commit `95d0bec` adding `npm run billing:kv-readback` with 252 aggregate account-billing and billing-state records but 0 Marketplace Pro billing-state records, and ECC-Tools commit `2859678` requiring webhook-derived Marketplace provenance before announcement readiness | Next work is replace the invalid Cloudflare credential, create or verify Marketplace-managed Pro billing-state with webhook provenance, then run `billing:kv-readback -- --require-ready` and the live announcement gate |
+| ECC Tools next-level app | Billing audit, PR checks, deep analyzer, sync backlog, evaluator/RAG corpus, analysis-depth readiness, hosted execution planning, hosted CI diagnostics, hosted security evidence review, hosted harness compatibility audit, hosted reference-set evaluation, hosted AI routing/cost review, hosted team backlog routing, hosted depth-plan check-run, PR-comment hosted job dispatch, hosted job result history/check-runs, hosted result status command, status-aware depth-plan recommendations, hosted promotion readiness, hosted promotion output scoring, hosted promotion retrieval planning, hosted promotion judge contract, gated hosted promotion judge execution, hosted promotion judge audit trace, payment-announcement readiness, billing announcement preflight, aggregate production billing KV readback, Marketplace webhook provenance, target-account billing readback, Marketplace-source provenance counts, AgentShield fleet-summary hosted routing, hosted finding evidence paths, harness-route policy linking, policy-promotion Action-output hosted telemetry, and operator-visible promotion output values | PRs #26-#43 plus #53-#78 landed with test evidence, including AgentShield evidence-pack gap routing, canonical bundle recognition, supply-chain signature gates, PR draft follow-up Linear tracking, evidence-backed/deep-ready repository classification, the `/api/analysis/depth-plan` hosted job plan, `/api/analysis/jobs/ci-diagnostics`, `/api/analysis/jobs/security-evidence-review`, `/api/analysis/jobs/harness-compatibility-audit`, `/api/analysis/jobs/reference-set-evaluation`, `/api/analysis/jobs/ai-routing-cost-review`, `/api/analysis/jobs/team-backlog-routing`, the `ECC Tools / Hosted Depth Plan` check-run, `/ecc-tools analyze --job ...` PR-comment dispatch, non-blocking per-hosted-job result check-runs backed by 30-day result cache records, `/ecc-tools analyze --job status` cache lookup, cache-aware next-job recommendations in the depth-plan check-run, the `ECC Tools / Hosted Promotion Readiness` corpus-backed PR check-run, deterministic hosted-output scoring against cached completed job artifacts/findings, ranked retrieval/model-prompt planning, the fail-closed `hosted-promotion-judge.v1` request contract, opt-in live model-judge execution behind hosted evidence, entitlement, budget, provider, executor, strict JSON, and citation gates, hosted promotion judge request fingerprints plus allowed-citation audit trails, a fail-closed `/api/billing/readiness` `announcementGate` for native GitHub payments claims, `npm run billing:announcement-gate` plus `--preflight` as the non-secret operator verifier, hosted security findings for AgentShield fleet summaries, an `Evidence` column in hosted finding comments/check-runs, hosted harness findings that route AgentShield fleet target paths to harness owners, ECC-Tools commit `8658951` routing AgentShield policy-promotion Action outputs into hosted security review and promotion-readiness scoring, ECC-Tools commit `16c537f` rendering policy-promotion status/pack/count/digest values directly in hosted security job comments/check-runs, ECC-Tools commit `05d4e82` rendering model-judge audit traces without exposing raw provider output, ECC-Tools commit `91a441b` adding the safe billing announcement preflight path, ECC-Tools commit `eb69412` recording the initial production readback state, ECC-Tools commit `95d0bec` adding `npm run billing:kv-readback` with 253 aggregate account-billing and billing-state records but 0 Marketplace Pro billing-state records, ECC-Tools commit `2859678` requiring webhook-derived Marketplace provenance before announcement readiness, ECC-Tools commit `42653f9` adding Wrangler OAuth readback with live aggregate evidence of 253 account-billing records, 253 billing-state records, and 0 ready-like Marketplace Pro states, ECC-Tools commit `632e059` adding sanitized target-account readback that requires both target key families before `--require-ready` can pass, and ECC-Tools commit `d5f60db` adding sanitized Marketplace plan/action provenance counts; the 2026-05-18 live Wrangler OAuth recheck found 254 account-billing records, 254 billing-state records, 195 Marketplace-source records, 2 Marketplace webhook-provenance records, both `Open Source`, and 0 Marketplace Pro records, then updated Linear ITO-61 with the data/provisioning blocker | Next work is create or verify Marketplace-managed Pro target billing-state with webhook provenance, then run `billing:kv-readback -- --wrangler --wrangler-bin ./node_modules/.bin/wrangler --account <github-login> --require-ready`, followed by the live announcement gate |
 | GitGuardian/Dependabot/CodeRabbit-style checks | Non-blocking taxonomy, deterministic follow-up checks, and local supply-chain gates | ECC-Tools risk taxonomy check plus follow-up signals landed, including Skill Quality, Deep Analyzer Evidence, Analyzer Corpus Evidence, RAG/Evaluator Evidence, PR Review/Salvage Evidence, and AgentShield evidence-pack evidence; #1846 added npm registry signature gates; #1848 added the supply-chain incident-response playbook and `pull_request_target` cache-poisoning validator guard; #1851 added the privileged checkout credential-persistence guard; AgentShield #78, JARVIS #13, and ECC-Tools #53 applied the same hardening outside trunk | Current supply-chain gate complete; deeper hosted review features remain future |
 | Harness-agnostic learning system | Audit, adapter matrix, observability, traces, promotion loop | Audit/adapters/observability gates plus `docs/architecture/evaluator-rag-prototype.md`, `examples/evaluator-rag-prototype/`, and ECC-Tools PR #40 define read-only stale-salvage, billing-readiness, CI-failure-diagnosis, harness-config-quality, AgentShield policy-exception, skill-quality evidence, deep-analyzer evidence, and RAG/evaluator comparison scenarios with trace, report, playbook, verifier, and predictive-check artifacts; ECC-Tools PRs #68-#72 now turn that corpus into a deterministic PR check-run gate with cached hosted-output scoring, ranked retrieval candidates, a model prompt seed, a fail-closed hosted model-judge request contract, and opt-in live model execution behind strict hosted-evidence gates | Deterministic hosted PR check, cached output scoring, retrieval planning, judge contract, and gated model execution integrated |
-| Linear roadmap is detailed | Linear project status plus repo mirror | Repo mirror exists; issue creation was retried on 2026-05-12 and remains blocked by the workspace free issue limit; the May 18 sync adds queue-zero/work-items state, #1970/#1971/#1972 merge evidence, ITO-57 current-head supply-chain refresh comment `0b9931b9-1556-4ebc-a70c-f3635557625d`, ECC platform progress comment `e32e5b7a-287b-4bf4-9ed7-314389a157e1`, and generated `operator:dashboard` prompt-to-artifact audit for recurring status updates | Needs recurring status updates after each significant merge batch |
+| Linear roadmap is detailed | Linear project status plus repo mirror | Repo mirror exists; issue creation was retried on 2026-05-12 and remains blocked by the workspace free issue limit; the May 18 sync adds queue-zero/work-items state, #1970/#1971/#1972/#1976 merge evidence, ITO-57 current-head supply-chain refresh comment `0b9931b9-1556-4ebc-a70c-f3635557625d`, ITO-57 defensive-deny scanner recheck reply `6fa15367-d994-4e53-ade3-9462477e1100`, ECC platform progress comment `e32e5b7a-287b-4bf4-9ed7-314389a157e1`, and generated `operator:dashboard` prompt-to-artifact audit for recurring status updates | Needs recurring status updates after each significant merge batch |
 | Flow separation and progress tracking | Flow lanes with owner artifacts and update cadence | This roadmap defines lanes below and `docs/architecture/progress-sync-contract.md` makes GitHub/Linear/handoff/roadmap sync part of the readiness gate | Active |
 | Realtime Linear sync | Project comments while issue/status capacity is blocked; issues later | ECC-Tools #39 implements opt-in Linear API sync for deferred follow-up backlog items, and ECC-Tools #54 adds copy-ready PR drafts to that backlog when draft PR shells are not opened; `docs/architecture/progress-sync-contract.md` defines the local file-backed realtime boundary while issue capacity is blocked; May 18 live connector comments were posted to ITO-57 and the ECC platform project after project status updates returned disabled | Needs workspace capacity/config rollout for productized issue sync |
 | Observability for self-use | Local readiness gate, traces, status snapshots, HUD/status contract, risk ledger, progress-sync contract | `npm run observability:ready` reports 21/21 | Complete for local gate |
@@ -684,8 +726,8 @@ repo evidence and merge commits.
 | Release and publication | rc.1 release docs, publication readiness doc | Naming matrix and plugin submission/contact checklist | Before any tag |
 | Harness OS core | Audit, adapter matrix, observability docs, `ecc2/` | HUD/session-control acceptance spec | Weekly until GA |
 | Evaluation and RAG | Reference-set validation, harness audit, traces, ECC-Tools corpus | Read-only evaluator/RAG prototype plus stale-salvage, billing-readiness, CI-failure-diagnosis, harness-config-quality, AgentShield policy-exception, skill-quality evidence, deep-analyzer evidence, and RAG/evaluator comparison fixtures; ECC-Tools #68 publishes the corpus as a hosted promotion readiness check-run, #69 scores cached hosted job outputs against the same corpus, #70 emits ranked retrieval candidates plus a model prompt seed, #71 adds a fail-closed hosted model-judge request contract, and #72 executes that judge only when explicitly enabled and backed by hosted retrieval citations; ECC-Tools `16c537f` surfaces policy-promotion Action output values in hosted security comments/checks; ECC-Tools `05d4e82` adds hosted model-judge audit traces with request fingerprints and allowed-citation counts | Marketplace Pro billing-state verification with webhook provenance |
-| AgentShield enterprise | AgentShield PR evidence and roadmap notes | Fleet routing landed in #89 after evidence-pack inspect/readback shipped in #88; #90 emits fleet `reviewItems`; #91 exports checksum-backed policy bundles; #92 promotes checksum-verified policies from those bundles into active policy files; AgentShield `87aec47` adds policy promotion `reviewItems`; `28d08c7` adds package-manager hardening drift detection; `659f569` refreshes workflow action runtime pins; `ee585cd` corrects unsupported npm release-age guidance and keeps enforceable cooldown findings on pnpm/Yarn; `1124535` exposes package-manager hardening Action outputs for CI/hosted routing; `1593925` exposes policy-promotion Action outputs and runtime-smoke job-summary evidence; ECC-Tools #76 consumes fleet summaries, #77 surfaces source evidence paths in hosted findings, #78 links fleet routes to harness owners, ECC-Tools `8658951` consumes policy-promotion Action outputs, and ECC-Tools `16c537f` renders operator-visible output values | Deepen live operator approval/readback after Marketplace/payment gates |
+| AgentShield enterprise | AgentShield PR evidence and roadmap notes | Fleet routing landed in #89 after evidence-pack inspect/readback shipped in #88; #90 emits fleet `reviewItems`; #91 exports checksum-backed policy bundles; #92 promotes checksum-verified policies from those bundles into active policy files; AgentShield `87aec47` adds policy promotion `reviewItems`; `28d08c7` adds package-manager hardening drift detection; `659f569` refreshes workflow action runtime pins; `ee585cd` corrects unsupported npm release-age guidance and keeps enforceable cooldown findings on pnpm/Yarn; `1124535` exposes package-manager hardening Action outputs for CI/hosted routing; `1593925` exposes policy-promotion Action outputs and runtime-smoke job-summary evidence; `840952a` adds fleet review ticket payloads and current Mini Shai-Hulud IOC breadcrumbs; ECC-Tools #76 consumes fleet summaries, #77 surfaces source evidence paths in hosted findings, #78 links fleet routes to harness owners, ECC-Tools `8658951` consumes policy-promotion Action outputs, and ECC-Tools `16c537f` renders operator-visible output values | Deepen live operator approval/readback after Marketplace/payment gates |
-| ECC Tools app | ECC-Tools PR evidence, billing audit, risk taxonomy, evaluator/RAG corpus | ECC-Tools #53 published the supply-chain workflow hardening branch, #54 tracks copy-ready PR drafts in the Linear/project backlog, #55 classifies analysis-depth readiness, #56 exposes the hosted execution plan, #57 executes the first hosted CI diagnostics job, #58 executes the hosted security evidence review job, #59 executes the hosted harness compatibility audit, #60 executes the hosted reference-set evaluation, #61 executes the hosted AI routing/cost review, #62 executes hosted team backlog routing, #63 publishes the hosted depth-plan check-run, #64 dispatches hosted jobs from PR comments, #65 persists hosted result history/check-runs, #66 exposes hosted job status from PR comments, #67 makes depth-plan recommendations cache-aware, #68 publishes hosted promotion readiness from the evaluator/RAG corpus, #69 scores cached hosted job outputs against that corpus, #70 emits ranked retrieval candidates plus a model prompt seed, #71 emits the gated `hosted-promotion-judge.v1` contract without live model calls, #72 adds opt-in live model-judge execution behind hosted-evidence and strict JSON/citation gates, #73 adds a fail-closed native-payments `announcementGate` to billing readiness, #74 adds `npm run billing:announcement-gate` for operator verification, #75 tightens the billing announcement gate for live Marketplace readback, #76 routes AgentShield fleet-summary evidence into hosted security findings, #77 adds source evidence paths to hosted finding output, #78 links AgentShield fleet target paths to hosted harness owner findings, `8658951` routes AgentShield policy-promotion Action outputs into hosted security review and promotion readiness, `16c537f` renders policy-promotion status/pack/count/digest values in hosted security comments/checks, `05d4e82` renders hosted promotion judge request fingerprints plus allowed-citation audit traces, `91a441b` adds billing announcement preflight output for required readback inputs, `eb69412` records the initial production readback state, `95d0bec` adds aggregate `billing:kv-readback` evidence, and `2859678` requires Marketplace webhook provenance in billing readiness | Replace the invalid Cloudflare credential, create or verify Marketplace-managed Pro billing-state with webhook provenance, then live readback and announcement gate |
+| ECC Tools app | ECC-Tools PR evidence, billing audit, risk taxonomy, evaluator/RAG corpus | ECC-Tools #53 published the supply-chain workflow hardening branch, #54 tracks copy-ready PR drafts in the Linear/project backlog, #55 classifies analysis-depth readiness, #56 exposes the hosted execution plan, #57 executes the first hosted CI diagnostics job, #58 executes the hosted security evidence review job, #59 executes the hosted harness compatibility audit, #60 executes the hosted reference-set evaluation, #61 executes the hosted AI routing/cost review, #62 executes hosted team backlog routing, #63 publishes the hosted depth-plan check-run, #64 dispatches hosted jobs from PR comments, #65 persists hosted result history/check-runs, #66 exposes hosted job status from PR comments, #67 makes depth-plan recommendations cache-aware, #68 publishes hosted promotion readiness from the evaluator/RAG corpus, #69 scores cached hosted job outputs against that corpus, #70 emits ranked retrieval candidates plus a model prompt seed, #71 emits the gated `hosted-promotion-judge.v1` contract without live model calls, #72 adds opt-in live model-judge execution behind hosted-evidence and strict JSON/citation gates, #73 adds a fail-closed native-payments `announcementGate` to billing readiness, #74 adds `npm run billing:announcement-gate` for operator verification, #75 tightens the billing announcement gate for live Marketplace readback, #76 routes AgentShield fleet-summary evidence into hosted security findings, #77 adds source evidence paths to hosted finding output, #78 links AgentShield fleet target paths to hosted harness owner findings, `8658951` routes AgentShield policy-promotion Action outputs into hosted security review and promotion readiness, `16c537f` renders policy-promotion status/pack/count/digest values in hosted security comments/checks, `05d4e82` renders hosted promotion judge request fingerprints plus allowed-citation audit traces, `91a441b` adds billing announcement preflight output for required readback inputs, `eb69412` records the initial production readback state, `95d0bec` adds aggregate `billing:kv-readback` evidence, `2859678` requires Marketplace webhook provenance in billing readiness, `42653f9` adds Wrangler OAuth readback with live aggregate production counts, and `632e059` adds sanitized target-account billing readback for the exact Marketplace test account | Create or verify Marketplace-managed Pro target billing-state with webhook provenance, then live target readback and announcement gate |
 | Linear progress | Linear project status updates, `docs/architecture/progress-sync-contract.md`, generated `operator:dashboard` output, and this mirror | Status update with queue/evidence/missing gates | Every significant merge batch |
 
 The project status update should always include:
@@ -932,15 +974,22 @@ Acceptance:
    security review and Hosted Promotion Readiness scoring, and ECC-Tools
    commit `16c537f` renders promotion status, pack, review item count,
    remaining action count, and digest in hosted security comments/check-runs.
+   AgentShield commit `840952a` adds Linear/operator-ready fleet review ticket
+   payloads and expands current Mini Shai-Hulud IOC breadcrumbs, with green
+   local and remote CI.
    ECC-Tools commit `05d4e82` adds hosted promotion judge audit traces with
    deterministic request fingerprints and allowed-citation counts, without
    exposing raw provider output.
    ECC-Tools commit `91a441b` adds a billing announcement preflight command
    for checking Marketplace readback inputs before privileged API calls.
    ECC-Tools commit `2859678` requires Marketplace webhook provenance in
-   billing-state before native-payments announcement readiness can pass. The
+   billing-state before native-payments announcement readiness can pass.
-   next slice is live operator approval/readback after the Cloudflare
+   ECC-Tools commit `42653f9` adds Wrangler OAuth KV readback and confirms the
-   credential and Marketplace/payment gates are fixed.
+   current blocker is not Cloudflare read access; it is the absence of a
+   ready-like Marketplace Pro billing-state record with webhook provenance.
+   ECC-Tools commit `632e059` adds sanitized target-account readback, so the
+   final operator gate should verify the exact Marketplace test account without
+   printing its login or raw KV key names.
 2. Run `npm run billing:announcement-gate -- --preflight --account
    <github-login>`, then run the same command without `--preflight` against a
    Marketplace-managed test account and require `announcementGate.ready ===

docs/ECC-2.0-REFERENCE-ARCHITECTURE.md

@@ -229,7 +229,8 @@ Required safeguards:
 ## Near-Term Implementation Order
 
 1. Extend the harness adapter matrix and public scorecard onramp.
-2. Add the release/name/plugin publication checklist with evidence fields.
+2. Keep the release/name/plugin publication checklist current with fresh
+   final-commit evidence before rc.1 publication.
 3. Define the HUD/status JSON contract and fixture directory.
 4. Start AgentShield policy schema plus SARIF fixtures.
 5. Audit ECC Tools billing and check-run surfaces.

docs/architecture/agentshield-enterprise-research-roadmap.md

@@ -1,6 +1,7 @@
 # AgentShield Enterprise Research Roadmap
 
-Generated: 2026-05-12; refreshed with May 16 AgentShield PR #87, #88, and #89 evidence.
+Generated: 2026-05-12; refreshed with May 18 AgentShield fleet-ticket and
+Mini Shai-Hulud IOC evidence.
 
 This is a planning artifact for the next AgentShield enterprise iteration. It
 does not modify AgentShield code. The goal is to turn the current scanner,
@@ -116,14 +117,21 @@ AgentShield PR #89 merged as
 `agentshield evidence-pack fleet <dirs...> [--json]`, verifies each pack through
 the inspect path, aggregates finding, policy, baseline, supply-chain, and
 remediation totals, and assigns each pack to a deterministic fleet route.
+AgentShield commit `840952a7a07f820f24081c43df656d7f7295f23b` adds
+Linear/operator-ready fleet review ticket payloads with priority, labels,
+titles, and Markdown bodies. The same commit expands current Mini
+Shai-Hulud/TanStack IOC coverage for the in-cluster Vault endpoint and
+temporary lockfile breadcrumb, with local typecheck, lint, full tests,
+`git diff --check`, and GitHub CI/Self-Scan/Action-test evidence.
 
 The next iteration after fleet routing should not be "add more regex rules" by
 default. ECC-Tools follow-up routing now consumes fleet summaries and surfaces
 source evidence paths in hosted findings, and the first cross-harness policy
 slice now links AgentShield fleet route target paths to harness-owner review.
 AgentShield fleet output now also emits `reviewItems` with source evidence paths
-and owner-ready recommendations for routed packs. The higher leverage move is
+and owner-ready recommendations plus copy-ready ticket payloads for routed
-durable policy export and workflow automation for routed fleet findings.
+packs. The higher leverage move is durable operator approval/readback and
+workflow automation for routed fleet findings.
 
 ## Enterprise Gaps
 

docs/drafts/release-1.10.1-announcement.md

@@ -0,0 +1,63 @@
+# ECC 1.10.1 release announcement draft
+
+ECC 1.10.1 is the follow-up stabilization release to 1.10.0.
+
+This release is focused on install correctness, cross-surface naming clarity, Windows/PowerShell recovery, Cursor project install correctness, and Claude Code hook compatibility. It is not a feature-heavy release.
+
+## What landed in the stabilization pass
+- npm/package/release surfaces are aligned and `ecc-universal@1.10.0` is live on npm
+- Windows locale/path and PowerShell install-path regressions fixed
+- Bash hook process-storm regression fixed
+- Claude Code 2.1.x hook schema compatibility fixed
+- Cursor native project install path repaired:
+  - `.cursor/hooks.json` now includes the required schema/version surface
+  - `.cursor/mcp.json` is written in the native Cursor project location
+- continuous-learning-v2 now accepts `claude-desktop` as a valid entrypoint
+- Windows observe path now skips `AppInstallerPythonRedirector.exe`
+- docs now distinguish plugin installs from full manual installs more clearly
+
+## What 1.10.1 is for
+- make the current install surfaces predictable
+- reduce stale naming/install guidance
+- close the follow-up regressions from 1.10.0
+- give users one stable update point instead of piecing together fixes across issues and discussions
+
+## Included release fixes
+- `#1543` Cursor native project hook + MCP install repair
+- `#1524` Claude Code v2.1.116 argv-dup mitigation in `settings.local.json`
+- `#1522` continuous-learning-v2 accepts `claude-desktop` as a valid entrypoint
+- `#1511` Windows observe path skips `AppInstallerPythonRedirector.exe`
+- `#1546` continuous-learning-v2 plugin quick start correction
+- `#1535` hero overflow follow-up
+
+## Important naming clarification
+- Claude marketplace/plugin identifier: `everything-claude-code@everything-claude-code`
+- npm package: `ecc-universal`
+- GitHub repo: `affaan-m/everything-claude-code`
+
+Those are intentionally different surfaces. The plugin identifier follows Anthropic marketplace rules; the npm package remains `ecc-universal`.
+
+## Still being monitored
+This should be announced as a stabilization release, not as “all edge cases are solved.”
+
+We are still watching for:
+- OS-specific edge cases across macOS, Windows, Linux
+- shell-specific behavior differences
+- Cursor vs Claude plugin install-path mismatches that only appear in older or mixed installs
+- third-party provider/tool-name compatibility reports that still need current-main repro
+
+Current watch-list examples:
+- `#1520` likely obsolete unless repro returns on the current installer
+- `#1516` not gating unless reproduced on current `main`
+- `#1484` remains a Windows umbrella/watch-list issue rather than an active release gate
+
+## Recommended update guidance
+If you hit 1.10.0 install/runtime problems:
+1. update to the latest package/plugin surface
+2. avoid mixing plugin install plus full manual repo copy unless the docs explicitly say to
+3. if problems persist, report:
+   - OS + shell
+   - Claude Code/Cursor version
+   - install method used
+   - exact stderr/output
+   - whether the issue is plugin install, npm install, repo sync, or Cursor project install

docs/releases/2.0.0-rc.1/launch-checklist.md

@@ -12,6 +12,8 @@
 - verify `preview-pack-manifest.md` lists the public release, Hermes, adapter,
   observability, publication, and announcement artifacts before running final
   publish checks
+- verify `release-name-plugin-publication-checklist-2026-05-18.md` still
+  matches current GitHub, npm, Claude, Codex, OpenCode, and billing surfaces
 - keep private tokens, personal docs, and raw workspace exports out of the repo
 
 ## Release Surface
@@ -19,6 +21,9 @@
 - verify package, plugin, marketplace, OpenCode, and agent metadata stays at `2.0.0-rc.1`
 - verify `ecc2/Cargo.toml` stays at `0.1.0` for rc.1; `ecc2/` remains an alpha control-plane scaffold
 - complete `publication-readiness.md` with fresh evidence before any GitHub release, npm publish, plugin submission, or announcement post
+- rerun the release name/plugin publication checklist before creating a
+  GitHub prerelease, publishing npm, pushing Claude plugin tags, recording the
+  Codex marketplace path, or posting public copy
 - include `publication-evidence-2026-05-17.md` and
   `operator-readiness-dashboard-2026-05-17.md` in the final evidence review,
   then rerun publish-facing checks from the exact release commit

docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md

@@ -2,8 +2,8 @@
 
 This dashboard is generated by `npm run operator:dashboard`. It is an operator snapshot, not release approval.
 
-Generated: 2026-05-18T04:36:06.644Z
+Generated: 2026-05-18T14:28:49.379Z
-Commit: c276639bc7571bb7624b5917dfdb8a7735531714
+Commit: 1571494573f8348d6520b7b58f00885ce9d75834
 Status: work remaining
 
 ## Current Status
@@ -13,7 +13,7 @@ Status: work remaining
 | PR queue | Current | 0 open PRs across tracked repos |
 | Issue queue | Current | 0 open issues across tracked repos |
 | Discussions | Current | 0 need maintainer touch; 0 missing accepted answer |
-| Local worktree | Current | 0 blocking dirty files; 1 ignored dirty entries |
+| Local worktree | Current | 0 blocking dirty files; 0 ignored dirty entries |
 | Dashboard generation | Current | platform audit ready: true; GitHub skipped: false |
 | Publication | Not complete | release, npm, plugin, billing, and announcement gates are tracked below |
 
@@ -21,16 +21,16 @@ Status: work remaining
 
 | Objective requirement | Artifact or gate | Status | Evidence | Gap |
 | --- | --- | --- | --- | --- |
-| Keep public PRs below 20 | scripts/platform-audit.js live GitHub sweep | current | 0 open PRs across 5 tracked repos | repeat before release |
+| Keep public PRs below 20 | scripts/platform-audit.js live GitHub sweep plus owner-wide queue cleanup ledger | current | 0 open PRs across 5 tracked repos; 0 owner-wide open PRs after cleanup | repeat platform:audit and owner-wide gh search before release |
-| Keep public issues below 20 | scripts/platform-audit.js live GitHub sweep | current | 0 open issues across 5 tracked repos | repeat before release |
+| Keep public issues below 20 | scripts/platform-audit.js live GitHub sweep plus owner-wide queue cleanup ledger | current | 0 open issues across 5 tracked repos; 0 owner-wide open issues after cleanup | repeat platform:audit and owner-wide gh search before release |
 | Respond and manage repository discussions | scripts/platform-audit.js discussion summary | current | 0 need maintainer touch; 0 answerable discussions missing accepted answer | repeat before release |
 | Build ITO-44 completion dashboard into a repeatable command | npm run operator:dashboard | complete | operator:dashboard package script exists | keep generated dashboard attached to publication evidence |
 | ECC 2.0 preview pack ready | docs/releases/2.0.0-rc.1/preview-pack-manifest.md | current | preview pack manifest and deterministic smoke gate are in-tree | repeat clean-checkout preview-pack smoke before publication |
 | Include Hermes specialized skills safely | docs/HERMES-SETUP.md and skills/hermes-imports/SKILL.md | current | Hermes setup/import artifacts are covered by preview-pack smoke | repeat preview-pack smoke before release review |
-| Prepare name-change, Claude plugin, and Codex plugin paths | naming-and-publication-matrix plus publication-readiness | in_progress | naming matrix and plugin readiness gates exist | real tag/push, marketplace submission, and final channel choice remain approval-gated |
+| Prepare name-change, Claude plugin, and Codex plugin paths | naming-and-publication-matrix plus release-name-plugin-publication checklist plus publication-readiness | in_progress | naming matrix, release publication checklist, and plugin readiness gates exist | real tag/push, marketplace submission, and final channel choice remain approval-gated |
 | Prepare release notes, articles, tweets, and push notifications | docs/releases/2.0.0-rc.1 social and release-copy files | in_progress | release notes, X thread, LinkedIn draft, and URL ledger are present | final live release/npm/plugin/billing URLs and publish approval still pending |
-| Advance AgentShield enterprise iteration | AgentShield PR evidence plus enterprise roadmap | in_progress | AgentShield policy promotion `reviewItems` landed in `87aec47`; package-manager hardening drift detection landed in `28d08c7`; workflow action runtime pins were refreshed in `659f569`; npm age-gate guidance was corrected in `ee585cd`; package-manager hardening Action outputs landed in `1124535`; policy-promotion Action outputs and runtime-smoke job-summary evidence landed in `1593925`; ECC-Tools consumes those outputs in `8658951`, surfaces operator-readable status/pack/count/digest telemetry in `16c537f`, and renders hosted promotion judge audit traces in `05d4e82`; all are mirrored in the GA roadmap | deepen live operator approval/readback after Marketplace/payment gates |
+| Advance AgentShield enterprise iteration | AgentShield PR evidence plus enterprise roadmap | in_progress | AgentShield policy promotion `reviewItems` landed in `87aec47`; package-manager hardening drift detection landed in `28d08c7`; workflow action runtime pins were refreshed in `659f569`; npm age-gate guidance was corrected in `ee585cd`; package-manager hardening Action outputs landed in `1124535`; policy-promotion Action outputs and runtime-smoke job-summary evidence landed in `1593925`; fleet review ticket payloads and current Mini Shai-Hulud IOC breadcrumbs landed in `840952a`; ECC-Tools consumes those outputs in `8658951`, surfaces operator-readable status/pack/count/digest telemetry in `16c537f`, and renders hosted promotion judge audit traces in `05d4e82`; all are mirrored in the GA roadmap | deepen live operator approval/readback after Marketplace/payment gates |
-| Advance ECC Tools native payments and AI-native harness-agnostic app | ECC Tools PR evidence, billing gate, hosted analysis lanes | in_progress | billing announcement gate, hosted analysis lanes, AgentShield fleet-summary consumption, hosted finding evidence paths, harness-route policy linking, policy-promotion Action-output telemetry, operator-visible promotion output details, hosted promotion judge audit traces, billing announcement preflight, aggregate production billing KV readback, and provenance-aware Marketplace billing-state gates are mirrored in the GA roadmap | replace the invalid Cloudflare credential, create or verify Marketplace-managed Pro billing-state with webhook provenance, then run `billing:kv-readback -- --require-ready` and the live announcement gate |
+| Advance ECC Tools native payments and AI-native harness-agnostic app | ECC Tools PR evidence, billing gate, hosted analysis lanes | in_progress | billing announcement gate, hosted analysis lanes, AgentShield fleet-summary consumption, hosted finding evidence paths, harness-route policy linking, policy-promotion Action-output telemetry, operator-visible promotion output details, hosted promotion judge audit traces, billing announcement preflight, aggregate production billing KV readback, Wrangler OAuth readback, target-account billing readback, provenance-aware Marketplace billing-state gates, and sanitized Marketplace plan/action provenance counts are mirrored in the GA roadmap | create or verify Marketplace-managed Pro target billing-state with webhook provenance, then run `billing:kv-readback -- --wrangler --wrangler-bin ./node_modules/.bin/wrangler --account <github-login> --require-ready`, followed by the live announcement gate |
 | Audit, prune, or attach legacy work | docs/stale-pr-salvage-ledger.md and legacy inventory | current | legacy salvage ledger and inventory are current; all localization tails are attached to Linear ITO-55 for manual language-owner review | repeat legacy scan before release |
 | Keep Linear roadmap detailed and progress tracking synchronized | Linear project mirror plus progress-sync contract | current | Linear live sync and project progress surface are current; progress-sync contract defines the file-backed work-items/status path | repeat Linear/project status update and local work-items sync after each significant merge batch |
 | Provide ECC 2.0 observability for self-use | observability readiness gate | complete | observability:ready command and readiness doc exist | runtime/dashboard implementation can continue after release gates |
@@ -41,11 +41,11 @@ Status: work remaining
 - `naming-and-plugin-publication`: real tag/push, marketplace submission, and final channel choice remain approval-gated
 - `release-notes-and-notifications`: final live release/npm/plugin/billing URLs and publish approval still pending
 - `agentshield-enterprise-iteration`: deepen live operator approval/readback after Marketplace/payment gates
-- `ecc-tools-next-level`: replace the invalid Cloudflare credential, create or verify Marketplace-managed Pro billing-state with webhook provenance, then run `billing:kv-readback -- --require-ready` and the live announcement gate
+- `ecc-tools-next-level`: create or verify Marketplace-managed Pro target billing-state with webhook provenance, then run `billing:kv-readback -- --wrangler --wrangler-bin ./node_modules/.bin/wrangler --account <github-login> --require-ready`, followed by the live announcement gate
 
 ## Next Work Order
 
 1. Regenerate this dashboard from the final release commit before publication evidence is recorded.
 2. Repeat ITO-57 Linear/project status sync after the next significant merge batch or advisory-source refresh.
-3. Replace the invalid Cloudflare credential, create or verify Marketplace-managed Pro billing-state with webhook provenance, then run `billing:kv-readback -- --require-ready` and the live announcement gate before publishing native-payments copy.
+3. Create or verify Marketplace-managed Pro target billing-state with webhook provenance, then run `billing:kv-readback -- --wrangler --wrangler-bin ./node_modules/.bin/wrangler --account <github-login> --require-ready`, followed by the live announcement gate before publishing native-payments copy.
 4. Resume ITO-45, ITO-46, and ITO-56 only after the generated dashboard and final release gates are refreshed.

docs/releases/2.0.0-rc.1/owner-queue-cleanup-2026-05-18.md

@@ -0,0 +1,65 @@
+# Owner-Wide Queue Cleanup - 2026-05-18
+
+This note records the live GitHub queue cleanup outside the five ECC release
+repos tracked by `scripts/platform-audit.js`.
+
+## Commands
+
+```bash
+gh search prs --owner affaan-m --state open --json repository,number,title,url,author,updatedAt --limit 100
+gh search issues --owner affaan-m --state open --json repository,number,title,url,updatedAt --limit 100
+```
+
+## Result
+
+- Owner-wide open PRs after cleanup: 0.
+- Owner-wide open issues after cleanup: 0.
+- Stale dependency-bot PRs closed: 24.
+- Stale legacy payments/0EM roadmap issues closed: 72.
+- Final stale/generated/manual-review PRs closed: 9.
+- Final legacy/outreach/placeholder issues closed: 5.
+- Archived repos temporarily unarchived for stale dependency PR closure and
+  restored to archived state:
+  `affaan-m/stoictradingAI`, `affaan-m/dprc-autotrader-v2`,
+  `affaan-m/polycule-secure`, and `affaan-m/pragmAItism_defAInce`.
+- The final archived-repo sweep temporarily unarchived and restored
+  `affaan-m/dprc-autotrader-v2` and `affaan-m/stoictradingAI`.
+
+## Final PR Disposition
+
+- `affaan-m/dprc-autotrader-v2#5`: closed stale generated ECC bundle with
+  failing checks and dependency-update base.
+- `affaan-m/x-algorithm-score#2`: closed stale/conflicting external feature
+  PR with accidental local AI-tool directories noted in the PR body.
+- `affaan-m/dexploy#28`: closed stale generated ECC skill PR with requested
+  changes.
+- `affaan-m/zenith#5`: closed stale generated ECC skill PR.
+- `affaan-m/zenith#4`: closed test/noise PR whose diff only added a
+  non-actionable script comment.
+- `affaan-m/affaan-m#1`: closed stale/conflicting third-party README-card PR.
+- `affaan-m/affaanmustafa.com#1`: closed stale Cloudflare Worker-name PR with
+  requested changes.
+- `affaan-m/0em-payments-dashboard#11`: closed stale/conflicting Cloudflare
+  Worker-name PR.
+- `affaan-m/0em-payments-dashboard#3`: closed stale/conflicting Cloudflare
+  Worker-name PR.
+
+## Final Issue Disposition
+
+- `affaan-m/dprc-autotrader-v2#3`: closed public integration pitch as not
+  planned for the archived repo.
+- `affaan-m/stoictradingAI#20`: closed public outreach question as not planned
+  for the archived repo.
+- `affaan-m/dexploy#27`: closed stale internal skill-creator test issue.
+- `affaan-m/dexploy#25`: preserved useful deployment/localStorage and
+  Cloudflare findings in Linear `ITO-62`, then closed the stale GitHub issue.
+- `affaan-m/telegram-mcp-ts#1`: closed stale empty placeholder issue.
+
+## Disposition
+
+The closed dependency PRs were stale generated version bumps and should be
+regenerated from current bases if still needed. The closed generated ECC bundle
+PRs should be regenerated from the current ECC Tools flow if those repositories
+become active again. The closed legacy payments/0EM issues were old planning
+items superseded by the ECC Tools native-payments, hosted analysis,
+billing-readback, and Linear/project roadmap lanes.

docs/releases/2.0.0-rc.1/preview-pack-manifest.md

@@ -15,7 +15,7 @@ surfaces, or posting announcements.
 | `docs/architecture/cross-harness.md` | Shared substrate model for Claude Code, Codex, OpenCode, Cursor, Gemini, Hermes, and terminal-only use | Names portability boundaries and does not claim unsupported native parity |
 | `docs/architecture/harness-adapter-compliance.md` | Adapter matrix and scorecard | Verified by `npm run harness:adapters -- --check` |
 | `docs/architecture/observability-readiness.md` | Local operator-readiness gate | Verified by `npm run observability:ready` |
-| `docs/architecture/progress-sync-contract.md` | GitHub, Linear, handoff, roadmap, and work-item sync boundary | Checked by `node scripts/platform-audit.js --format json --allow-untracked docs/drafts/` |
+| `docs/architecture/progress-sync-contract.md` | GitHub, Linear, handoff, roadmap, and work-item sync boundary | Checked by `node scripts/platform-audit.js --json` |
 | `scripts/preview-pack-smoke.js` | Deterministic preview-pack smoke gate | Verified by `npm run preview-pack:smoke` |
 | `docs/releases/2.0.0-rc.1/release-notes.md` | GitHub release copy source | Must be refreshed with final live release/package/plugin URLs before publication |
 | `docs/releases/2.0.0-rc.1/quickstart.md` | Clone-to-first-workflow path | Covers clone, install, verify, first skill, and harness switch |
@@ -24,11 +24,12 @@ surfaces, or posting announcements.
 | `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-15.md` | Current May 15 queue, roadmap, security, supply-chain watch, no-lifecycle CI install hardening, AgentShield #86 evidence-pack provenance, ECC Tools billing-gate, Actions cache purge, and `ecc2` test evidence through PR #1941 | Must be superseded by a final clean-checkout evidence file before real publication |
 | `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-16.md` | Current May 16/17 queue cleanup, recsys skill merge, GateGuard triage, PR #1947 supply-chain protection, AgentShield #87 plugin-cache confidence evidence, AgentShield #88 evidence-pack inspect/readback, AgentShield #89 evidence-pack fleet routing, AgentShield #90 fleet review items, AgentShield #91 policy export, AgentShield #92 policy promotion, ECC-Tools #76 fleet-summary consumption, ECC-Tools #77 hosted finding evidence paths, ECC-Tools #78 harness policy-route linking, dashboard refresh, and combined Node/Rust/release-surface gate evidence through the May 16 mirror | Must still be repeated from a strict clean checkout before real publication |
 | `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-17.md` | May 17 queue-zero state, Japanese localization merge, Dependabot TypeScript and Node type merges, post-merge ja-JP lint repair, Mini Shai-Hulud/TanStack protection recheck, npm audit/signature checks, legacy and Linear progress routing, deterministic preview-pack smoke, operator dashboard refresh, Linear sync, and GitHub CI evidence for `27dc2918` | Superseded by the May 18 evidence snapshot; repeat from a strict clean checkout before real publication |
-| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md` | Current May 18 queue-zero state, #1970/#1971/#1972 merge batch, current-head Mini Shai-Hulud/TanStack protection recheck, no-lifecycle install, npm audit/signature checks, AgentShield project `.claude` scan, work-items sync, Linear sync, operator dashboard refresh, and Supply-Chain Watch success for `3b7e0ba3` | Current strongest readiness snapshot; must still be repeated from a strict clean checkout before real publication |
+| `docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md` | Current May 18 queue-zero state, #1970/#1971/#1972 merge batch, #1978 review/closure, current-head Mini Shai-Hulud/TanStack protection recheck, no-lifecycle install, npm audit/signature checks, AgentShield `840952a` enterprise/IOC evidence mirror, work-items sync, Linear sync, operator dashboard refresh, and current-head CI/security scan success for `99e01ded` | Current strongest readiness snapshot; must still be repeated from a strict clean checkout before real publication |
 | `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-17.md` | Previous prompt-to-artifact operator dashboard | Superseded by the May 18 generated dashboard |
 | `docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` | Current prompt-to-artifact operator dashboard | Shows PR/issue/discussion/platform/supply-chain gates current and publication, plugin, billing, AgentShield, ECC Tools, legacy, and Linear productization gaps still open |
 | `docs/releases/2.0.0-rc.1/release-url-ledger-2026-05-18.md` | Live URL and approval-gated URL ledger for release copy | Must be regenerated from the final release commit before public announcements |
 | `docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md` | Naming, slug, and publication-path decision record | Keeps `Everything Claude Code / ECC`, npm `ecc-universal`, and plugin slug `ecc` for rc.1 |
+| `docs/releases/2.0.0-rc.1/release-name-plugin-publication-checklist-2026-05-18.md` | Release name, package, Claude plugin, Codex plugin, and publication-order checklist | Freezes rc.1 identity and requires final commit evidence before release, npm, plugin, billing, or announcement actions |
 | `docs/releases/2.0.0-rc.1/x-thread.md` | X launch draft | Must replace placeholders with live URLs after release/package/plugin publication |
 | `docs/releases/2.0.0-rc.1/linkedin-post.md` | LinkedIn launch draft | Must replace placeholders with live URLs after release/package/plugin publication |
 | `docs/releases/2.0.0-rc.1/article-outline.md` | Longform launch outline | Must stay release-candidate framed until GA evidence exists |
@@ -72,7 +73,7 @@ Run these from the exact release commit before publication:
 
 ```bash
 git status --short --branch
-node scripts/platform-audit.js --format json --allow-untracked docs/drafts/
+node scripts/platform-audit.js --json
 npm run preview-pack:smoke
 npm run harness:adapters -- --check
 npm run harness:audit -- --format json
@@ -91,6 +92,8 @@ The preview pack is assembled, but publication is still blocked until these live
 surfaces exist and are recorded in a final evidence file:
 
 - final release URL ledger regenerated from the intended release commit;
+- final release name/plugin publication checklist rerun from the intended
+  release commit;
 - GitHub prerelease `v2.0.0-rc.1`;
 - npm `ecc-universal@2.0.0-rc.1` on the `next` dist-tag;
 - Claude plugin tag / marketplace propagation for `ecc@ecc`;

docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md

@@ -7,10 +7,10 @@ npm publication, plugin tag, marketplace submission, or announcement post.
 
 | Field | Evidence |
 | --- | --- |
-| Upstream main | `81fca2cea6f1399c52c8faa70f9a17e42f0bd447` |
+| Upstream main | `1571494573f8348d6520b7b58f00885ce9d75834` |
 | Git remote | `https://github.com/affaan-m/everything-claude-code.git` |
-| Evidence scope | Current `main` after PR #1970 workflow-security validator bypass fixes, PR #1971 metrics bridge cost-reporting fixes, PR #1972 `uncloud` skill merge, PR #1973 stale script cleanup, issue #1974 cost-reporting verification/closure, catalog/operator dashboard refresh, Mini Shai-Hulud/TanStack protection recheck, current-head CI/security scan, work-items sync, and Linear progress sync |
+| Evidence scope | Current `main` after PR #1970 workflow-security validator bypass fixes, PR #1971 metrics bridge cost-reporting fixes, PR #1972 `uncloud` skill merge, PR #1973 stale script cleanup, issue #1974 cost-reporting verification/closure, PR #1976 OpenAI/AstraFlow provider response guards, PR #1978 review/closure, catalog/operator dashboard refresh, ECC-Tools Wrangler OAuth billing readback mirror, AgentShield `840952a` fleet-ticket and Mini Shai-Hulud IOC evidence mirror, Mini Shai-Hulud/TanStack protection recheck, defensive-deny IOC scanner hardening, release name/plugin publication checklist, readiness/smoke gate enforcement for that checklist, current-head CI/security scan, work-items sync, and Linear progress sync |
-| Local status caveat | `git status --short --branch` showed `## main...origin/main` plus unrelated untracked `docs/drafts/`; generated evidence files are committed after the source snapshot they describe |
+| Local status caveat | `git status --short --branch` was clean at dashboard generation time; generated evidence files are committed after the source snapshot they describe |
 
 The actual release operator should repeat all publish-facing checks from the
 final release commit with a strictly clean checkout before publishing.
@@ -24,7 +24,7 @@ final release commit with a strictly clean checkout before publishing.
 | Discussion audit | `npm run discussion:audit -- --json` | Ready; 58 sampled discussions in `affaan-m/everything-claude-code`, 0 needing maintainer touch, 0 answerable discussions missing accepted answer, and 0 fetch errors |
 | Platform audit | `node scripts/platform-audit.js --json --allow-untracked docs/drafts/` | Ready; tracked repos report 0 open PRs, 0 open issues, 0 discussion maintainer-touch gaps, 0 answerable Q&A missing accepted answers, and 0 blocking dirty files |
 | Work-items sync | `node scripts/work-items.js sync-github --repo <tracked-repo>` for five tracked repos; `node scripts/status.js --json`; `node scripts/work-items.js list --json` | All five tracked repos synced with 0 open PRs/issues and no changed work items; local status reports 0 open, 0 blocked, and 0 closed work items |
-| Operator dashboard | `node scripts/operator-readiness-dashboard.js --markdown --allow-untracked docs/drafts/ --write docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` | Generated current dashboard for `81fca2cea6f1399c52c8faa70f9a17e42f0bd447`; dashboard ready true, publication ready false because release, npm, plugin, billing, and announcement gates are approval-gated |
+| Operator dashboard | `npm run operator:dashboard -- --markdown --write docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.md` | Generated current dashboard for `1571494573f8348d6520b7b58f00885ce9d75834`; dashboard ready true, publication ready false because release, npm, plugin, billing, and announcement gates are approval-gated; AgentShield enterprise evidence now includes `840952a`; ECC Tools target-account billing readback remains the documented native-payments gate; the naming/plugin row still requires the release-name/plugin publication checklist |
 
 Tracked repositories in the platform audit and work-items sync were:
 
@@ -44,6 +44,15 @@ Tracked repositories in the platform audit and work-items sync were:
 | PR #1973 | Merged stale `skills/strategic-compact/suggest-compact.sh` removal after confirming the active hook is `scripts/hooks/suggest-compact.js`; remote main includes `812d4d06` |
 | Issue #1974 | Closed after verifying current `origin/main` already reads the latest cumulative metrics bridge cost row and focused cost/metrics tests pass |
 | Catalog/operator refresh | Pushed `81fca2ce` to refresh generated catalog count, URL ledger, and operator dashboard state after #1973/#1974 |
+| PR #1976 | Merged provider response hardening for OpenAI-compatible and AstraFlow providers; main includes `eb0d8939` follow-up guards for empty/filtered provider choices, missing OpenAI `response.usage`, shared filtered-response error text, and credential-less provider construction validation |
+| Provider guard validation | `uv run --extra dev pytest -q tests/test_provider_tools.py tests/test_astraflow_provider.py`, `uv run --extra dev pytest -q`, `node tests/run-all.js`, and `git diff --check` passed before merging #1976 follow-up into main: 11 provider-focused Python tests, 76 full Python tests, 2509 Node tests, and clean whitespace checks |
+| Defensive-deny IOC scanner hardening | Pushed `04d4d819` so explicit Claude `permissions.deny` IOC entries are treated as defensive controls while the same IOC still fails in hooks, tasks, scripts, locks, and payload files; local `npm test` passed 2511/2511 and current-head CI `26017368895` passed 37/37 |
+| Release name/plugin publication checklist | Pushed `6c0fbfb6` to add `docs/releases/2.0.0-rc.1/release-name-plugin-publication-checklist-2026-05-18.md`; the artifact freezes rc.1 as Everything Claude Code / ECC, keeps npm `ecc-universal`, keeps Claude/Codex plugin slug `ecc`, cites current Anthropic/OpenAI plugin publication paths, and blocks rename/npm publish/plugin tag/submission/billing/social actions until final release evidence exists; GitHub Actions CI `26034898420` passed |
+| Dashboard and preview-pack checklist enforcement | Added `680aeff0` so `scripts/operator-readiness-dashboard.js` and `scripts/preview-pack-smoke.js` require the release-name/plugin publication checklist; local dashboard and smoke tests passed and preview-pack smoke now enforces 26 required artifacts |
+| AgentShield enterprise evidence mirror | Added `2ba0c62d` and refreshed the dashboard generator/GA roadmap/AgentShield enterprise roadmap so the ECC release evidence names AgentShield `840952a` fleet review ticket payloads and current Mini Shai-Hulud IOC breadcrumb coverage |
+| PR #1978 | Closed broad/failing outside Excel harness PR after review; recorded a corrected split path for a future smaller Excel harness proposal, install-target/tooling PR, plugin-runtime PR, and translation-automation PR |
+| Announcement draft tracking | Added `docs/drafts/release-1.10.1-announcement.md` so the stabilization announcement draft is tracked instead of remaining as release-blocking untracked local state |
+| Clean-worktree preview-pack smoke | Detached worktree at `680aeff0fb9a8598858e3105ba4742973ef386ab`; `node scripts/preview-pack-smoke.js --root <worktree> --format json` passed 5/5 with digest `0ed831dbd0cf`; 26 required artifacts, final verification commands, Hermes public sanitization boundary, and approval-gated publication blockers were all preserved |
 | Public queues | Rechecked after the merge and issue-closure batch; 0 PRs, 0 issues, and 0 discussion gaps remain across tracked repos |
 
 ## Supply-Chain And Security Evidence
@@ -53,22 +62,22 @@ Tracked repositories in the platform audit and work-items sync were:
 | Repo IOC scan | `npm run security:ioc-scan` | Passed; 198 files inspected |
 | Home persistence IOC scan | `node scripts/ci/scan-supply-chain-iocs.js --home --json` | Passed; 200 files inspected; `findings: []` |
 | Narrow active persistence sweep | Targeted search over user-level Claude, VS Code, LaunchAgent/systemd, local-bin, `/tmp`, and `/private/tmp` campaign paths | Existing active targets: 2; no campaign marker hits |
-| Scanner fixture tests | `node tests/ci/scan-supply-chain-iocs.test.js` | 18 passed, 0 failed |
+| Scanner fixture tests | `node tests/ci/scan-supply-chain-iocs.test.js` | 20 passed, 0 failed, including defensive Claude deny-wall pass and hook-with-same-IOC fail-closed coverage |
 | Advisory source refresh | `node scripts/ci/supply-chain-advisory-sources.js --refresh --json` | Ready with 9 sources; live refresh produced 1 OpenAI URL warning from Node fetch while primary TanStack, GitHub advisory, StepSecurity, Wiz, Socket, npm, and CISA sources returned OK |
 | No-lifecycle install | `npm ci --ignore-scripts` | Completed cleanly; 213 packages installed, 0 vulnerabilities |
 | npm audit | `npm audit --audit-level=high` | 0 vulnerabilities |
 | npm signatures | `npm audit signatures` | 213 verified registry signatures; 17 verified attestations |
 | Workflow security | `node scripts/ci/validate-workflow-security.js` | Validated 8 workflow files |
 | AgentShield project scan | `npx --no-install ecc-agentshield scan --format json` | Grade A / 99; 0 critical, 0 high, 0 medium; 6 low docs-example skill telemetry/governance findings |
-| Current-head CI security scan | `gh run view 26011460500 --repo affaan-m/everything-claude-code --json status,conclusion,jobs,url` | Completed successfully for `81fca2cea6f1399c52c8faa70f9a17e42f0bd447`; 37/37 CI jobs passed, including lint, workflow/component validation, coverage, cross-platform package-manager tests, npm audit, and supply-chain IOC scan |
+| Current-head CI security scan | `gh run view 26017368895 --repo affaan-m/everything-claude-code --json status,conclusion,jobs,url` | Completed successfully for `04d4d81938b20ac2bac1f0025145ab77d6a59f5f`; 37/37 CI jobs passed, including lint, workflow/component validation, coverage, cross-platform package-manager tests, npm audit, and supply-chain IOC scan |
 | Latest Supply-Chain Watch | `gh run view 26010432490 --repo affaan-m/everything-claude-code --json status,conclusion,headSha,url` | Completed successfully for `25ac57ac40e9fc5a0606e76e6339e72c79748c99`; rerun from the final release commit before publication |
 
 ## Linear Progress Sync
 
 | Surface | Evidence |
 | --- | --- |
-| ITO-57 issue comment | `0b9931b9-1556-4ebc-a70c-f3635557625d` records May 18 queue counts, #1970/#1971/#1972 merge evidence, supply-chain verification, current-head watch URL, deferred gates, and next slices |
+| ITO-57 issue comments | `0b9931b9-1556-4ebc-a70c-f3635557625d` records May 18 queue counts, #1970/#1971/#1972/#1976 merge evidence, supply-chain verification, current-head CI URL, deferred gates, and next slices; reply `6fa15367-d994-4e53-ade3-9462477e1100` records the expanded TanStack/Mini Shai-Hulud recheck, defensive-deny scanner fix, current-head CI `26017368895`, and post-push platform audit |
-| ECC platform project comment | `e32e5b7a-287b-4bf4-9ed7-314389a157e1` records the same current public queue, security, and remaining-gate state at the project level |
+| ECC platform project comment | `e32e5b7a-287b-4bf4-9ed7-314389a157e1` records the same current public queue, security, #1976, and remaining-gate state at the project level |
 | Project status update caveat | Linear returned "Project status updates are not enabled for this workspace"; project comment was used as the supported status surface |
 
 ## Current Publication Blockers
@@ -81,18 +90,32 @@ Tracked repositories in the platform audit and work-items sync were:
   Plugin Directory publishing remains blocked on OpenAI's self-serve publishing
   surface.
 - ECC Tools billing/native-payments copy remains blocked until a Marketplace
-  purchase/webhook path writes production `account-billing:*` and
+  Pro purchase/webhook path writes ready production `billing-state:*`
-  `billing-state:*` records, then `npm run billing:announcement-gate --
+  provenance for the target Marketplace test account, then
-  --account <github-login>` returns an announcement-ready gate.
+  `npm run billing:kv-readback -- --account <github-login> --require-ready`
+  with working Cloudflare API auth or repaired Wrangler OAuth, followed by
+  `npm run billing:announcement-gate -- --account <github-login>`, return
+  announcement-ready gates. The latest API-authenticated aggregate readback
+  from the ECC vault Cloudflare credential found 253 `account-billing:*`
+  records, 253 `billing-state:*` records, 0 Marketplace Pro states, 0
+  ready-like Marketplace Pro states, and 0 parse failures; local Wrangler OAuth
+  currently fails with Cloudflare authentication error `10000`. ECC-Tools
+  commit `632e059` adds the follow-up target-account readback mode, redacts
+  the account login and raw KV key names, and requires both target key families
+  before `--require-ready` can pass. Linear ITO-61 now tracks the exact
+  target-account acceptance criteria.
 - Release notes, X, LinkedIn, GitHub release, and longform copy still need final
   live URLs after release/package/plugin URLs exist.
-- The local checkout still has unrelated untracked `docs/drafts/`, so a strict
+- The local checkout is clean after the dashboard/evidence refresh, but a
-  clean-checkout release pass remains required before real publication.
+  strict clean-checkout release pass remains required before real publication.
 
 ## Result
 
 The tracked public PR queue, issue queue, discussion queue, local work-items
-bridge, and Mini Shai-Hulud/TanStack protection loop are current on
+bridge, release-name/plugin publication gate, and Mini Shai-Hulud/TanStack
-May 18, 2026 for `81fca2ce`. This improves publication readiness but does not
+protection loop are current on May 18, 2026 for current `main` through
-replace the approval-gated release, package, plugin, billing, and announcement
+`15714945`, with follow-up ECC Tools billing-gate hardening in `632e059`
-steps in `publication-readiness.md`.
+and AgentShield enterprise hardening in `840952a`.
+This improves publication readiness but does not replace the approval-gated
+release, package, plugin, billing, and announcement steps in
+`publication-readiness.md`.

docs/releases/2.0.0-rc.1/publication-readiness.md

@@ -6,6 +6,9 @@ URLs from the exact commit being released.
 
 For the current rc.1 naming decision and package/plugin publication path, see
 [`naming-and-publication-matrix.md`](naming-and-publication-matrix.md).
+For the May 18 release name, package, Claude plugin, Codex plugin, and
+publication-order gate, see
+[`release-name-plugin-publication-checklist-2026-05-18.md`](release-name-plugin-publication-checklist-2026-05-18.md).
 For the assembled rc.1 preview pack boundary, see
 [`preview-pack-manifest.md`](preview-pack-manifest.md).
 For the May 12 dry-run evidence pass, see
@@ -36,10 +39,11 @@ routing, deterministic preview-pack smoke gate, and current operator dashboard
 refresh, see
 [`publication-evidence-2026-05-17.md`](publication-evidence-2026-05-17.md).
 For the May 18 current-head queue, workflow-security/metrics/uncloud merge
-batch, Mini Shai-Hulud/TanStack local and home protection recheck, npm
+batch, PR #1978 review/closure, Mini Shai-Hulud/TanStack local and home
-no-lifecycle install/audit/signature gates, AgentShield project scan,
+protection recheck, npm no-lifecycle install/audit/signature gates,
+AgentShield project scan, AgentShield `840952a` enterprise/IOC evidence mirror,
 work-items sync, Linear progress comments, operator dashboard refresh, and
-current-head Supply-Chain Watch, see
+current-head CI/security scan success for `99e01ded`, see
 [`publication-evidence-2026-05-18.md`](publication-evidence-2026-05-18.md).
 For the operator-facing prompt-to-artifact readiness dashboard from the same
 May 16 pass, see
@@ -88,23 +92,24 @@ Record the exact commit SHA and command output before any publication action:
 
 | Evidence | Command | Required result | Recorded output |
 | --- | --- | --- | --- |
-| Clean release branch | `git status --short --branch` | On intended release commit; no unrelated files | Pending final strict clean-checkout release pass; `publication-evidence-2026-05-17.md` records current `main` with unrelated untracked `docs/drafts/` |
+| Clean release branch | `git status --short --branch` | On intended release commit; no unrelated files | `99e01ded`: `## main...origin/main`; repeat from the exact final publication commit before release |
-| Preview-pack smoke | `npm run preview-pack:smoke` | Preview pack artifacts, Hermes boundary, final verification command list, and publication blockers pass | `publication-evidence-2026-05-17.md`: ready yes, digest `dfb1ed014607`, 5 passed, 0 failed; repeat in a final strict clean-checkout release pass |
+| Preview-pack smoke | `npm run preview-pack:smoke` | Preview pack artifacts, Hermes boundary, final verification command list, and publication blockers pass | `publication-evidence-2026-05-18.md`: ready yes, digest `0ed831dbd0cf`, 5 passed, 0 failed; repeat in the final strict clean-checkout release pass |
-| Harness audit | `npm run harness:audit -- --format json` | 70/70 passing | `publication-evidence-2026-05-17.md`: 70/70 |
+| Harness audit | `npm run harness:audit -- --format json` | 70/70 passing | `99e01ded`: 70/70, 0 top actions |
-| Adapter scorecard | `npm run harness:adapters -- --check` | PASS | `publication-evidence-2026-05-16.md`: PASS, 11 adapters |
+| Adapter scorecard | `npm run harness:adapters -- --check` | PASS | `99e01ded`: PASS, 11 adapters |
-| Observability readiness | `npm run observability:ready` | 21/21 passing | `publication-evidence-2026-05-17.md`: 21/21, ready yes |
+| Observability readiness | `npm run observability:ready` | 21/21 passing | `publication-evidence-2026-05-18.md`: 21/21, ready yes |
-| Release safety gate | `npm run observability:ready -- --format json` | Release Safety category passing with publication readiness, supply-chain, workflow security, package surface, and release-surface evidence | `publication-evidence-2026-05-13-post-hardening.md`: Release Safety 3/3 |
+| Release safety gate | `npm run observability:ready -- --format json` | Release Safety category passing with publication readiness, supply-chain, workflow security, package surface, and release-surface evidence | May 18 evidence keeps release safety passing; repeat the JSON gate from the exact final release commit |
-| Supply-chain verification | `npm audit --json`; `npm audit signatures`; `cd ecc2 && cargo audit -q`; Dependabot alerts; GitGuardian Security Checks | 0 vulnerabilities/alerts, registry signatures verified, GitGuardian clean | `publication-evidence-2026-05-18.md`: npm registry signatures and attestations verified, 0 high-or-higher npm vulnerabilities, repo/home IOC scans clean, current-head Supply-Chain Watch passed |
+| Supply-chain verification | `npm audit --json`; `npm audit signatures`; `cd ecc2 && cargo audit -q`; Dependabot alerts; GitGuardian Security Checks | 0 vulnerabilities/alerts, registry signatures verified, GitGuardian clean | `publication-evidence-2026-05-18.md` plus CI `26040120071`: npm registry signatures and attestations verified, 0 high-or-higher npm vulnerabilities, repo/home IOC scans clean, supply-chain IOC scan passed |
-| Root suite | `node tests/run-all.js` | 0 failures | `publication-evidence-2026-05-17.md`: `npm test` passed 2487/2487, 0 failed |
+| Root suite | `node tests/run-all.js` | 0 failures | `99e01ded`: local `node tests/run-all.js` passed 2512/2512; CI `26040120071` passed the full OS/runtime/package-manager matrix |
-| Markdown lint | `npx markdownlint-cli '**/*.md' --ignore node_modules` | 0 failures | `publication-evidence-2026-05-17.md`: passed after ja-JP autonomous-loop anchor repair |
+| Markdown lint | `npx markdownlint-cli '**/*.md' --ignore node_modules` | 0 failures | CI `26040120071`: markdownlint passed on current head; rerun after any release-copy edits |
 | Package surface | `node tests/scripts/npm-publish-surface.test.js` | 0 failures; no Python bytecode in npm tarball | `2/2` passed in May 12 evidence pass |
-| Release surface | `node tests/docs/ecc2-release-surface.test.js` | 0 failures | `publication-evidence-2026-05-16.md`: 20/20 passed |
+| Release surface | `node tests/docs/ecc2-release-surface.test.js` | 0 failures | `99e01ded`: 21/21 passed |
 | Optional Rust surface | `cd ecc2 && cargo test` | 0 failures or explicit deferral | `publication-evidence-2026-05-16.md`: 462/462 passed, existing warnings only |
-| Queue baseline | `gh pr list` / `gh issue list` across trunk, AgentShield, JARVIS, ECC Tools, and ECC website | Under 20 open PRs and under 20 open issues | `publication-evidence-2026-05-17.md`: platform audit ready, 0 open PRs and 0 open issues across checked repos |
+| Queue baseline | `node scripts/platform-audit.js --json` across trunk, AgentShield, JARVIS, ECC Tools, and ECC website | Under 20 open PRs and under 20 open issues | `99e01ded`: platform audit ready, 0 open PRs, 0 open issues, 0 conflicting PRs, and 0 blocking dirty files |
-| Discussion baseline | `node scripts/discussion-audit.js --json` | No unmanaged active discussion queue and no answerable Q&A missing an accepted answer | `publication-evidence-2026-05-15.md`: 58 trunk discussions, 0 without maintainer touch; other tracked repos disabled or 0 |
+| Discussion baseline | `node scripts/platform-audit.js --json` and `node scripts/discussion-audit.js --json` | No unmanaged active discussion queue and no answerable Q&A missing an accepted answer | `99e01ded`: platform audit sampled 58 trunk discussions, 0 needing maintainer touch, 0 answerable discussions missing accepted answer |
-| Linear roadmap | Linear project and issue readback | Detailed roadmap exists with release, security, AgentShield, ECC Tools, legacy, and observability lanes | `publication-evidence-2026-05-15.md`: project and 16 issue lanes recorded |
+| Linear roadmap | Linear project and issue readback | Detailed roadmap exists with release, security, AgentShield, ECC Tools, legacy, and observability lanes | May 18 Linear comments include ITO-57 `f1c896d9-dd27-4ba2-b5a8-60afe5125c22`; earlier evidence records the project and 16 issue lanes |
-| Operator readiness dashboard | `npm run operator:dashboard -- --json --allow-untracked docs/drafts/` | Current queue state mapped to macro-goal deliverables and incomplete gaps | `publication-evidence-2026-05-18.md`: generated from `3b7e0ba3`, platform ready true, dashboard ready true, 0 open PRs, 0 open issues, 0 discussion gaps; regenerated May 18 dashboard now also tracks the URL ledger |
+| Operator readiness dashboard | `npm run operator:dashboard -- --json` | Current queue state mapped to macro-goal deliverables and incomplete gaps | `99e01ded`: generated May 18 dashboard is committed, platform audit ready true, 0 open PRs, 0 open issues, 0 discussion gaps, and publication gates still approval-gated |
 | Release URL ledger | `docs/releases/2.0.0-rc.1/release-url-ledger-2026-05-18.md` plus placeholder-marker scan | Live links and approval-gated links are separated before announcement copy is posted | Ledger records public repo/docs/CI/supply-chain/npm/OpenAI Codex documentation URLs and blocks GitHub release/npm/plugin/billing/social URLs until approval-gated checks pass |
+| Release name and plugin publication checklist | `docs/releases/2.0.0-rc.1/release-name-plugin-publication-checklist-2026-05-18.md` | Name/package/plugin values are frozen, final-release commands are listed, and Claude/Codex publication paths cite current official docs | Checklist keeps `Everything Claude Code / ECC`, `ecc-universal`, and plugin slug `ecc` for rc.1; no rename, npm publish, plugin tag, official listing, billing claim, or announcement before final evidence |
 
 ## Do Not Publish If
 

docs/releases/2.0.0-rc.1/release-name-plugin-publication-checklist-2026-05-18.md

@@ -0,0 +1,115 @@
+# ECC v2.0.0-rc.1 Release Name And Plugin Publication Checklist
+
+Snapshot date: 2026-05-18.
+
+This checklist is the operator gate for release naming, package publication,
+and Claude/Codex plugin distribution. It is not a publication action by itself.
+Run it from the exact release commit before creating tags, publishing npm,
+submitting marketplace forms, or posting announcements.
+
+## Fixed rc.1 Decision
+
+Ship `v2.0.0-rc.1` as **Everything Claude Code (ECC)**.
+
+- Keep the GitHub repo at `affaan-m/everything-claude-code`.
+- Keep the npm package as `ecc-universal`.
+- Keep Claude and Codex plugin slugs as `ecc`.
+- Publish the npm prerelease on the `next` dist-tag, not `latest`.
+- Do not rename to `affaan-m/ecc`, `ecc`, or `@affaan-m/ecc` before rc.1.
+
+Reasons:
+
+- `ecc-universal` is the current working install and package surface.
+- `ecc` on npm is occupied by an unrelated elliptic-curve package.
+- `@affaan-m/ecc` is unclaimed on npm, but would require a migration plan.
+- `affaan-m/ecc` is not available to the current GitHub auth context.
+- Claude and Codex already expose the desired short namespace as `ecc`.
+
+## Current Surface Evidence
+
+| Surface | Current value | Evidence command | 2026-05-18 result | Release action |
+| --- | --- | --- | --- | --- |
+| Git commit | `0e88e6a4ddf9968e55faa07f3ad8a03d3943b58c` | `git rev-parse HEAD` | Recorded from `main` | Re-run from final release commit |
+| GitHub repo | `affaan-m/everything-claude-code` | `git remote get-url origin` | `https://github.com/affaan-m/everything-claude-code.git` | Keep for rc.1 |
+| Possible short repo | `affaan-m/ecc` | `gh repo view affaan-m/ecc --json nameWithOwner,url,isPrivate` | GraphQL could not resolve repository | Do not depend on it for rc.1 |
+| npm package | `ecc-universal@2.0.0-rc.1` local, `1.10.0` registry latest | `node -p "require('./package.json').name + '@' + require('./package.json').version"` and `npm view ecc-universal name version dist-tags --json` | Local rc.1 ready; registry still latest `1.10.0` | Publish rc.1 with `--tag next` after approval |
+| Exact npm short name | `ecc` | `npm view ecc name version description repository.url --json` | Occupied by unrelated `ecc@0.0.2` | Do not use |
+| Scoped npm short name | `@affaan-m/ecc` | `npm view @affaan-m/ecc name version --json` | 404 | Candidate only after migration plan |
+| Claude plugin | `ecc@2.0.0-rc.1` | `claude plugin validate .claude-plugin/plugin.json` | Validation passed | Run dry-run tag, then tag/push only after approval |
+| Claude marketplace | `.claude-plugin/marketplace.json` | `claude plugin marketplace --help`; Anthropic plugin marketplace docs | GitHub, git URL, remote marketplace JSON, and local path marketplace sources are supported | Submit official listing through the current Anthropic forms only after final evidence |
+| Codex plugin | `ecc@2.0.0-rc.1` | `node tests/plugin-manifest.test.js`; `codex plugin marketplace add --help`; OpenAI Codex plugin docs | Repo marketplace and local marketplace roots are supported | Use repo marketplace for rc.1; official Plugin Directory is still pending |
+| OpenCode package | `ecc-universal@2.0.0-rc.1` | `node -p "require('./.opencode/package.json').name + '@' + require('./.opencode/package.json').version"` | Matches rc.1 package identity | Follow npm package publication |
+| Billing claim | Pending ECC Tools readiness | ECC Tools billing gate and Marketplace account readback | Code-side gate exists; live Marketplace account readback still pending | Do not announce native payments |
+
+## Required Gate
+
+Run these checks from the final release commit and paste the exact output into
+a fresh `publication-evidence-YYYY-MM-DD.md` file before release actions:
+
+```bash
+git status --short --branch
+git rev-parse HEAD
+git remote get-url origin
+npm view ecc name version description repository.url --json
+npm view @affaan-m/ecc name version --json
+npm view ecc-universal name version dist-tags --json
+node tests/plugin-manifest.test.js
+node tests/docs/ecc2-release-surface.test.js
+claude plugin validate .claude-plugin/plugin.json
+claude plugin tag .claude-plugin --dry-run
+codex plugin marketplace add --help
+HOME="$(mktemp -d)" codex plugin marketplace add ./
+HOME="$(mktemp -d)" codex plugin marketplace add affaan-m/everything-claude-code --ref "$(git rev-parse HEAD)"
+npm pack --dry-run --json
+npm publish --tag next --dry-run
+npm run build:opencode
+npm run preview-pack:smoke
+```
+
+If a command is unavailable on the release machine, record the exact error and
+keep the related publication action blocked.
+
+## Publication Order
+
+| Step | Action | Required evidence | Stop condition |
+| --- | --- | --- | --- |
+| 1 | Freeze name and version | Package, Claude plugin, Codex plugin, OpenCode package, `VERSION`, and release docs all say `2.0.0-rc.1` | Any `preview`/`rc.1` mismatch |
+| 2 | Verify clean release branch | `git status --short --branch` shows only the intended release commit and no unrelated drift | Any unexplained dirty file |
+| 3 | Verify package and plugin manifests | `node tests/plugin-manifest.test.js` and `node tests/docs/ecc2-release-surface.test.js` pass | Manifest or release-surface failure |
+| 4 | Dry-run package surface | `npm pack --dry-run --json`; `npm publish --tag next --dry-run` | Missing files, wrong dist-tag, or publish dry-run failure |
+| 5 | Dry-run Claude distribution | `claude plugin validate`; `claude plugin tag .claude-plugin --dry-run`; temp install smoke | Validation, tag, or install-smoke failure |
+| 6 | Verify Codex repo marketplace | `codex plugin marketplace add --help`; temp-home repo marketplace add smoke; OpenAI official directory status recorded | Missing repo marketplace or unverified official-directory status |
+| 7 | Verify OpenCode package | `npm run build:opencode` | Build failure |
+| 8 | Regenerate release URL ledger | Live and approval-gated URLs separated in `release-url-ledger-YYYY-MM-DD.md` | Placeholder, private URL, or announcement URL drift |
+| 9 | Create GitHub prerelease | `gh release view v2.0.0-rc.1 --json tagName,url,isPrerelease` | Missing URL or wrong prerelease flag |
+| 10 | Publish npm rc | `npm view ecc-universal version dist-tags --json` shows rc.1 on `next` | rc.1 lands on `latest` or registry output is unclear |
+| 11 | Publish/plugin-submit | Claude official submission and Codex repo marketplace evidence recorded | Form not submitted, listing not visible, or docs status changed |
+| 12 | Announce | X, LinkedIn, GitHub release, and longform copy use final live URLs | Any final URL is still pending |
+
+## Do Not Proceed
+
+- Do not publish npm before `npm pack --dry-run --json` is captured from the
+  final release commit.
+- Do not create or push Claude plugin tags before `claude plugin tag
+  .claude-plugin --dry-run` passes from the final release commit.
+- Do not claim Codex official Plugin Directory availability unless OpenAI docs
+  no longer say official public plugin publishing is pending.
+- Do not announce billing, Marketplace, or native payments until ECC Tools live
+  Marketplace account readback returns ready.
+- Do not rename the repo or package until rc.1 is published and a migration
+  guide maps old names to new names.
+- Do not post social copy while any release, npm, plugin, or billing URL is
+  still approval-gated.
+
+## External Distribution Sources
+
+- Anthropic Claude Code plugin docs: `https://code.claude.com/docs/en/plugins`
+- Anthropic Claude Code marketplace docs:
+  `https://code.claude.com/docs/en/plugin-marketplaces`
+- OpenAI Codex plugin docs:
+  `https://developers.openai.com/codex/plugins/build#add-a-marketplace-from-the-cli`
+
+As of this snapshot, Anthropic documents official marketplace submission through
+Claude.ai and Console forms. OpenAI documents repo/local marketplace
+distribution for Codex and says official public Plugin Directory publishing and
+self-serve plugin management are coming soon.

docs/stale-pr-salvage-ledger.md

@@ -108,6 +108,24 @@ porting.
 | #1682/#1701 | Strategic compact hook-path fixes were merged directly or superseded by current docs fixes. |
 | JARVIS #4/#5/#6 | Stale failing dependency-only PRs; future dependency state should be regenerated by Dependabot. |
 
+## 2026-05-18 Owner-Wide Queue Cleanup
+
+The ECC release repos were already clean, but an owner-wide `gh search` sweep
+found stale queues in older public/private projects. The cleanup closed 24
+stale dependency-bot PRs and 72 stale legacy payments/0EM roadmap issues,
+then closed the final 9 stale/generated/conflicting/test PRs and 5
+legacy/outreach/placeholder issues. The `affaan-m` owner namespace is now at 0
+open PRs and 0 open issues by live `gh search`. The detailed before/after
+evidence and final queue disposition are recorded in
+`docs/releases/2.0.0-rc.1/owner-queue-cleanup-2026-05-18.md`.
+
+| Scope | Disposition |
+| --- | --- |
+| Dependabot PRs in `stoictradingAI`, `Behavioral_RL`, `dprc-autotrader-v2`, `x-algorithm-score`, `polycule-secure`, and `pragmAItism_defAInce` | Skipped as stale generated dependency bumps; regenerate from current base if still needed. |
+| Legacy issues in `payments0-api`, `payments0-sdk`, `agent-payments-gateway`, `0EM_Frontend`, `0em-payments-dashboard`, and `yield-optimizer` | Superseded by ECC Tools native-payments, hosted analysis, billing-readback, and Linear/project roadmap lanes. |
+| Archived repos touched for PR closure | `stoictradingAI`, `dprc-autotrader-v2`, `polycule-secure`, and `pragmAItism_defAInce` were restored to archived state after stale PR closure. |
+| Final PR/issue sweep | Closed the remaining generated ECC bundles, stale Cloudflare rename PRs, stale README-card PR, test/noise PR, public outreach issues, and empty placeholder issue. Preserved `dexploy#25` findings in Linear `ITO-62` before closure. |
+
 ## Skipped
 
 | Source PR | Reason |

docs/zh-CN/AGENTS.md

@@ -1,6 +1,6 @@
 # Everything Claude Code (ECC) — 智能体指令
 
-这是一个**生产就绪的 AI 编码插件**，提供 60 个专业代理、231 项技能、75 条命令以及自动化钩子工作流，用于软件开发。
+这是一个**生产就绪的 AI 编码插件**，提供 60 个专业代理、232 项技能、75 条命令以及自动化钩子工作流，用于软件开发。
 
 **版本:** 2.0.0-rc.1
 
@@ -147,7 +147,7 @@
 
 ```
 agents/          — 60 个专业子代理
-skills/          — 231 个工作流技能和领域知识
+skills/          — 232 个工作流技能和领域知识
 commands/        — 75 个斜杠命令
 hooks/           — 基于触发的自动化
 rules/           — 始终遵循的指导方针（通用 + 每种语言）

docs/zh-CN/README.md

@@ -224,7 +224,7 @@ Copy-Item -Recurse rules/typescript "$HOME/.claude/rules/"
 /plugin list ecc@ecc
 ```
 
-**搞定！** 你现在可以使用 60 个智能体、231 项技能和 75 个命令了。
+**搞定！** 你现在可以使用 60 个智能体、232 项技能和 75 个命令了。
 
 ***
 
@@ -1138,7 +1138,7 @@ opencode
 |---------|-------------|----------|--------|
 | 智能体 | PASS: 60 个 | PASS: 12 个 | **Claude Code 领先** |
 | 命令 | PASS: 75 个 | PASS: 35 个 | **Claude Code 领先** |
-| 技能 | PASS: 231 项 | PASS: 37 项 | **Claude Code 领先** |
+| 技能 | PASS: 232 项 | PASS: 37 项 | **Claude Code 领先** |
 | 钩子 | PASS: 8 种事件类型 | PASS: 11 种事件 | **OpenCode 更多！** |
 | 规则 | PASS: 29 条 | PASS: 13 条指令 | **Claude Code 领先** |
 | MCP 服务器 | PASS: 14 个 | PASS: 完整 | **完全对等** |
@@ -1246,7 +1246,7 @@ ECC 是**第一个最大化利用每个主要 AI 编码工具的插件**。以
 |---------|------------|------------|-----------|----------|
 | **智能体** | 60 | 共享 (AGENTS.md) | 共享 (AGENTS.md) | 12 |
 | **命令** | 75 | 共享 | 基于指令 | 35 |
-| **技能** | 231 | 共享 | 10 (原生格式) | 37 |
+| **技能** | 232 | 共享 | 10 (原生格式) | 37 |
 | **钩子事件** | 8 种类型 | 15 种类型 | 暂无 | 11 种类型 |
 | **钩子脚本** | 20+ 个脚本 | 16 个脚本 (DRY 适配器) | N/A | 插件钩子 |
 | **规则** | 34 (通用 + 语言) | 34 (YAML 前页) | 基于指令 | 13 条指令 |

eslint.config.js

@@ -3,7 +3,7 @@ const globals = require('globals');
 
 module.exports = [
     {
-        ignores: ['.opencode/dist/**', '.cursor/**', 'node_modules/**']
+        ignores: ['.opencode/dist/**', '.cursor/**', 'node_modules/**', '.venv/**', 'venv/**', 'coverage/**']
     },
     js.configs.recommended,
     {

manifests/install-modules.json

@@ -449,6 +449,7 @@
       "kind": "skills",
       "description": "Media generation, technical explainers, and AI-assisted editing skills.",
       "paths": [
+        "skills/blender-motion-state-inspection",
         "skills/fal-ai-media",
         "skills/manim-video",
         "skills/remotion-video-creation",

package.json

@@ -122,6 +122,7 @@
     "skills/automation-audit-ops/",
     "skills/autonomous-loops/",
     "skills/backend-patterns/",
+    "skills/blender-motion-state-inspection/",
     "skills/blueprint/",
     "skills/brand-voice/",
     "skills/carrier-relationship-management/",

scripts/ci/scan-supply-chain-iocs.js

@@ -580,12 +580,51 @@ function addFinding(findings, severity, filePath, line, indicator, message) {
   findings.push({ severity, filePath, line, indicator, message });
 }
 
+function isClaudeSettingsFile(filePath) {
+  const normalized = normalizedPath(filePath);
+  return /\/\.claude\/settings(?:\.local)?\.json$/.test(normalized);
+}
+
+function claudePermissionDenyRanges(filePath, text) {
+  if (!isClaudeSettingsFile(filePath)) return [];
+
+  let parsed;
+  try {
+    parsed = JSON.parse(text);
+  } catch {
+    return [];
+  }
+
+  const denyEntries = parsed?.permissions?.deny;
+  if (!Array.isArray(denyEntries)) return [];
+
+  const ranges = [];
+  for (const entry of denyEntries) {
+    if (typeof entry !== 'string' || entry.length === 0) continue;
+
+    for (const needle of [...new Set([JSON.stringify(entry), entry])]) {
+      let index = text.indexOf(needle);
+      while (index !== -1) {
+        ranges.push([index, index + needle.length]);
+        index = text.indexOf(needle, index + needle.length);
+      }
+    }
+  }
+
+  return ranges;
+}
+
+function indexInRanges(index, ranges) {
+  return ranges.some(([start, end]) => index >= start && index < end);
+}
+
 function scanFile(filePath, rootDir, findings) {
   const base = path.basename(filePath);
   const relativePath = path.relative(rootDir, filePath) || filePath;
   const text = readText(filePath);
   const lowerText = normalizeForMatch(text);
   const hashFinding = MALICIOUS_FILE_HASHES[sha256File(filePath)];
+  const defensiveClaudeDenyRanges = claudePermissionDenyRanges(filePath, text);
 
   if (hashFinding) {
     addFinding(
@@ -621,8 +660,10 @@ function scanFile(filePath, rootDir, findings) {
   }
 
   for (const indicator of CRITICAL_TEXT_INDICATORS) {
-    const index = lowerText.indexOf(normalizeForMatch(indicator));
+    const normalizedIndicator = normalizeForMatch(indicator);
-    if (index !== -1) {
+    let index = lowerText.indexOf(normalizedIndicator);
+    while (index !== -1) {
+      if (!indexInRanges(index, defensiveClaudeDenyRanges)) {
         addFinding(
           findings,
           'critical',
@@ -631,6 +672,10 @@ function scanFile(filePath, rootDir, findings) {
           indicator,
           'Known active supply-chain IOC is present',
         );
+        break;
+      }
+
+      index = lowerText.indexOf(normalizedIndicator, index + normalizedIndicator.length);
     }
   }
 

scripts/operator-readiness-dashboard.js

@@ -335,13 +335,28 @@ function agentShieldEnterpriseGap(roadmap) {
 function agentShieldEnterpriseEvidence(roadmap) {
   if (roadmap.includes('hosted promotion judge audit traces')
     || roadmap.includes('operator-visible promotion output values')) {
-    return 'AgentShield policy promotion `reviewItems` landed in `87aec47`; package-manager hardening drift detection landed in `28d08c7`; workflow action runtime pins were refreshed in `659f569`; npm age-gate guidance was corrected in `ee585cd`; package-manager hardening Action outputs landed in `1124535`; policy-promotion Action outputs and runtime-smoke job-summary evidence landed in `1593925`; ECC-Tools consumes those outputs in `8658951`, surfaces operator-readable status/pack/count/digest telemetry in `16c537f`, and renders hosted promotion judge audit traces in `05d4e82`; all are mirrored in the GA roadmap';
+    return 'AgentShield policy promotion `reviewItems` landed in `87aec47`; package-manager hardening drift detection landed in `28d08c7`; workflow action runtime pins were refreshed in `659f569`; npm age-gate guidance was corrected in `ee585cd`; package-manager hardening Action outputs landed in `1124535`; policy-promotion Action outputs and runtime-smoke job-summary evidence landed in `1593925`; fleet review ticket payloads and current Mini Shai-Hulud IOC breadcrumbs landed in `840952a`; ECC-Tools consumes those outputs in `8658951`, surfaces operator-readable status/pack/count/digest telemetry in `16c537f`, and renders hosted promotion judge audit traces in `05d4e82`; all are mirrored in the GA roadmap';
   }
 
   return 'AgentShield enterprise PR evidence is mirrored in the GA roadmap';
 }
 
 function eccToolsNextLevelEvidence(roadmap) {
+  if (roadmap.includes('d5f60db')
+    || roadmap.includes('Marketplace-source provenance counts')) {
+    return 'billing announcement gate, hosted analysis lanes, AgentShield fleet-summary consumption, hosted finding evidence paths, harness-route policy linking, policy-promotion Action-output telemetry, operator-visible promotion output details, hosted promotion judge audit traces, billing announcement preflight, aggregate production billing KV readback, Wrangler OAuth readback, target-account billing readback, provenance-aware Marketplace billing-state gates, and sanitized Marketplace plan/action provenance counts are mirrored in the GA roadmap';
+  }
+
+  if (roadmap.includes('target account billing readback')
+    || roadmap.includes('632e059')) {
+    return 'billing announcement gate, hosted analysis lanes, AgentShield fleet-summary consumption, hosted finding evidence paths, harness-route policy linking, policy-promotion Action-output telemetry, operator-visible promotion output details, hosted promotion judge audit traces, billing announcement preflight, aggregate production billing KV readback, Wrangler OAuth readback, target-account billing readback, and provenance-aware Marketplace billing-state gates are mirrored in the GA roadmap';
+  }
+
+  if (roadmap.includes('Wrangler OAuth readback')
+    || roadmap.includes('42653f9')) {
+    return 'billing announcement gate, hosted analysis lanes, AgentShield fleet-summary consumption, hosted finding evidence paths, harness-route policy linking, policy-promotion Action-output telemetry, operator-visible promotion output details, hosted promotion judge audit traces, billing announcement preflight, aggregate production billing KV readback, Wrangler OAuth readback, and provenance-aware Marketplace billing-state gates are mirrored in the GA roadmap';
+  }
+
   if (roadmap.includes('Marketplace webhook provenance')
     || roadmap.includes('2859678')) {
     return 'billing announcement gate, hosted analysis lanes, AgentShield fleet-summary consumption, hosted finding evidence paths, harness-route policy linking, policy-promotion Action-output telemetry, operator-visible promotion output details, hosted promotion judge audit traces, billing announcement preflight, aggregate production billing KV readback, and provenance-aware Marketplace billing-state gates are mirrored in the GA roadmap';
@@ -366,6 +381,21 @@ function eccToolsNextLevelEvidence(roadmap) {
 }
 
 function eccToolsNextLevelGap(roadmap) {
+  if (roadmap.includes('d5f60db')
+    || roadmap.includes('Marketplace-source provenance counts')) {
+    return 'create or verify Marketplace-managed Pro target billing-state with webhook provenance, then run `billing:kv-readback -- --wrangler --wrangler-bin ./node_modules/.bin/wrangler --account <github-login> --require-ready`, followed by the live announcement gate';
+  }
+
+  if (roadmap.includes('target account billing readback')
+    || roadmap.includes('632e059')) {
+    return 'create or verify Marketplace-managed Pro target billing-state with webhook provenance, then run `billing:kv-readback -- --account <github-login> --require-ready` with working Cloudflare API auth or repaired Wrangler OAuth, followed by the live announcement gate';
+  }
+
+  if (roadmap.includes('Wrangler OAuth readback')
+    || roadmap.includes('42653f9')) {
+    return 'create or verify Marketplace-managed Pro billing-state with webhook provenance, then run `billing:kv-readback -- --require-ready` with working Cloudflare API auth or repaired Wrangler OAuth, followed by the live announcement gate';
+  }
+
   if (roadmap.includes('Marketplace webhook provenance')
     || roadmap.includes('2859678')) {
     return 'replace the invalid Cloudflare credential, create or verify Marketplace-managed Pro billing-state with webhook provenance, then run `billing:kv-readback -- --require-ready` and the live announcement gate';
@@ -482,6 +512,17 @@ function buildRequirement(id, requirement, artifact, status, evidence, gap) {
   return { id, requirement, artifact, status, evidence, gap };
 }
 
+function extractLabeledCount(text, label) {
+  const pattern = new RegExp(`${label.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')}:\\s*(\\d+)`, 'i');
+  const match = text.match(pattern);
+  if (!match) {
+    return null;
+  }
+
+  const parsed = Number.parseInt(match[1], 10);
+  return Number.isFinite(parsed) ? parsed : null;
+}
+
 function isCurrentOrComplete(status) {
   return status === 'current' || status === 'complete';
 }
@@ -490,7 +531,9 @@ function buildRequirements(rootDir, platformReport) {
   const roadmap = readText(rootDir, 'docs/ECC-2.0-GA-ROADMAP.md');
   const publicationReadiness = readText(rootDir, 'docs/releases/2.0.0-rc.1/publication-readiness.md');
   const namingMatrix = readText(rootDir, 'docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md');
+  const releasePublicationChecklist = readText(rootDir, 'docs/releases/2.0.0-rc.1/release-name-plugin-publication-checklist-2026-05-18.md');
   const releaseUrlLedger = readText(rootDir, 'docs/releases/2.0.0-rc.1/release-url-ledger-2026-05-18.md');
+  const ownerQueueCleanup = readText(rootDir, 'docs/releases/2.0.0-rc.1/owner-queue-cleanup-2026-05-18.md');
   const previewManifest = readText(rootDir, 'docs/releases/2.0.0-rc.1/preview-pack-manifest.md');
   const previewPackSmoke = readText(rootDir, 'scripts/preview-pack-smoke.js');
   const progressSync = readText(rootDir, 'docs/architecture/progress-sync-contract.md');
@@ -520,9 +563,22 @@ function buildRequirements(rootDir, platformReport) {
     && fileExists(rootDir, 'skills/hermes-imports/SKILL.md');
 
   const githubLive = !platformReport.github.skipped && platformReport.github.totals.errors === 0;
-  const queuesCurrent = githubLive
+  const ownerWideOpenPrs = extractLabeledCount(ownerQueueCleanup, 'Owner-wide open PRs after cleanup');
-    && platformReport.github.totals.openPrs <= platformReport.thresholds.maxOpenPrs
+  const ownerWideOpenIssues = extractLabeledCount(ownerQueueCleanup, 'Owner-wide open issues after cleanup');
+  const trackedPrQueueCurrent = githubLive
+    && platformReport.github.totals.openPrs <= platformReport.thresholds.maxOpenPrs;
+  const trackedIssueQueueCurrent = githubLive
     && platformReport.github.totals.openIssues <= platformReport.thresholds.maxOpenIssues;
+  const ownerPrQueueCurrent = ownerWideOpenPrs === null
+    || ownerWideOpenPrs <= platformReport.thresholds.maxOpenPrs;
+  const ownerIssueQueueCurrent = ownerWideOpenIssues === null
+    || ownerWideOpenIssues <= platformReport.thresholds.maxOpenIssues;
+  const ownerPrEvidence = ownerWideOpenPrs === null
+    ? ''
+    : `; ${ownerWideOpenPrs} owner-wide open PRs after cleanup`;
+  const ownerIssueEvidence = ownerWideOpenIssues === null
+    ? ''
+    : `; ${ownerWideOpenIssues} owner-wide open issues after cleanup`;
   const discussionsCurrent = githubLive
     && platformReport.github.totals.discussionsNeedingMaintainerTouch === 0
     && platformReport.github.totals.discussionsMissingAcceptedAnswer === 0;
@@ -531,22 +587,30 @@ function buildRequirements(rootDir, platformReport) {
     buildRequirement(
       'public-pr-budget',
       'Keep public PRs below 20',
-      'scripts/platform-audit.js live GitHub sweep',
+      ownerWideOpenPrs === null
-      queuesCurrent ? 'current' : 'in_progress',
+        ? 'scripts/platform-audit.js live GitHub sweep'
+        : 'scripts/platform-audit.js live GitHub sweep plus owner-wide queue cleanup ledger',
+      trackedPrQueueCurrent && ownerPrQueueCurrent ? 'current' : 'in_progress',
       githubLive
-        ? `${platformReport.github.totals.openPrs} open PRs across ${platformReport.github.repos.length} tracked repos`
+        ? `${platformReport.github.totals.openPrs} open PRs across ${platformReport.github.repos.length} tracked repos${ownerPrEvidence}`
         : 'live GitHub queue readback was skipped or failed',
-      queuesCurrent ? 'repeat before release' : 'run live platform:audit and drain PR queue'
+      trackedPrQueueCurrent && ownerPrQueueCurrent
+        ? 'repeat platform:audit and owner-wide gh search before release'
+        : 'run live platform:audit and owner-wide gh search, then drain PR queue'
     ),
     buildRequirement(
       'public-issue-budget',
       'Keep public issues below 20',
-      'scripts/platform-audit.js live GitHub sweep',
+      ownerWideOpenIssues === null
-      queuesCurrent ? 'current' : 'in_progress',
+        ? 'scripts/platform-audit.js live GitHub sweep'
+        : 'scripts/platform-audit.js live GitHub sweep plus owner-wide queue cleanup ledger',
+      trackedIssueQueueCurrent && ownerIssueQueueCurrent ? 'current' : 'in_progress',
       githubLive
-        ? `${platformReport.github.totals.openIssues} open issues across ${platformReport.github.repos.length} tracked repos`
+        ? `${platformReport.github.totals.openIssues} open issues across ${platformReport.github.repos.length} tracked repos${ownerIssueEvidence}`
         : 'live GitHub queue readback was skipped or failed',
-      queuesCurrent ? 'repeat before release' : 'run live platform:audit and drain issue queue'
+      trackedIssueQueueCurrent && ownerIssueQueueCurrent
+        ? 'repeat platform:audit and owner-wide gh search before release'
+        : 'run live platform:audit and owner-wide gh search, then drain issue queue'
     ),
     buildRequirement(
       'repository-discussions',
@@ -602,12 +666,19 @@ function buildRequirements(rootDir, platformReport) {
     buildRequirement(
       'naming-and-plugin-publication',
       'Prepare name-change, Claude plugin, and Codex plugin paths',
-      'naming-and-publication-matrix plus publication-readiness',
+      'naming-and-publication-matrix plus release-name-plugin-publication checklist plus publication-readiness',
       includesAll(namingMatrix, ['Claude plugin', 'Codex plugin', 'npm package', 'Publication Paths'])
+        && includesAll(releasePublicationChecklist, [
+          'Everything Claude Code (ECC)',
+          'ecc-universal',
+          'claude plugin tag .claude-plugin --dry-run',
+          'codex plugin marketplace add',
+          'Do not rename the repo or package until rc.1 is published'
+        ])
         && includesAll(publicationReadiness, ['Claude plugin', 'Codex plugin'])
         ? 'in_progress'
         : 'not_complete',
-      'naming matrix and plugin readiness gates exist',
+      'naming matrix, release publication checklist, and plugin readiness gates exist',
       'real tag/push, marketplace submission, and final channel choice remain approval-gated'
     ),
     buildRequirement(
@@ -740,7 +811,7 @@ function buildReport(options) {
     next_work_order: [
       'Regenerate this dashboard from the final release commit before publication evidence is recorded.',
       'Repeat ITO-57 Linear/project status sync after the next significant merge batch or advisory-source refresh.',
-      'Replace the invalid Cloudflare credential, create or verify Marketplace-managed Pro billing-state with webhook provenance, then run `billing:kv-readback -- --require-ready` and the live announcement gate before publishing native-payments copy.',
+      'Create or verify Marketplace-managed Pro target billing-state with webhook provenance, then run `billing:kv-readback -- --wrangler --wrangler-bin ./node_modules/.bin/wrangler --account <github-login> --require-ready`, followed by the live announcement gate before publishing native-payments copy.',
       'Resume ITO-45, ITO-46, and ITO-56 only after the generated dashboard and final release gates are refreshed.',
     ],
   };

scripts/preview-pack-smoke.js

@@ -30,6 +30,7 @@ const REQUIRED_ARTIFACTS = [
   `${RELEASE_DIR}/operator-readiness-dashboard-2026-05-18.md`,
   `${RELEASE_DIR}/release-url-ledger-2026-05-18.md`,
   `${RELEASE_DIR}/naming-and-publication-matrix.md`,
+  `${RELEASE_DIR}/release-name-plugin-publication-checklist-2026-05-18.md`,
   `${RELEASE_DIR}/x-thread.md`,
   `${RELEASE_DIR}/linkedin-post.md`,
   `${RELEASE_DIR}/article-outline.md`,
@@ -39,7 +40,7 @@ const REQUIRED_ARTIFACTS = [
 
 const REQUIRED_VERIFICATION_COMMANDS = [
   'git status --short --branch',
-  'node scripts/platform-audit.js --format json --allow-untracked docs/drafts/',
+  'node scripts/platform-audit.js --json',
   'npm run preview-pack:smoke',
   'npm run harness:adapters -- --check',
   'npm run harness:audit -- --format json',

skills/blender-motion-state-inspection/SKILL.md

@@ -0,0 +1,164 @@
+---
+name: blender-motion-state-inspection
+description: Use this skill when inspecting Blender characters, rigs, poses, animation retargeting, ground contact, facing direction, or model-vs-motion alignment where screenshots alone are not enough.
+origin: ECC
+tools: Read, Write, Edit, Bash, Grep, Glob
+---
+
+# Blender Motion State Inspection
+
+## When to Use
+
+- A Blender character looks twisted, mirrored, flattened, offset, or foot-sliding in an animation.
+- A user asks whether an imported avatar, armature, or retargeted motion matches an expected pose.
+- You need to compare rendered evidence with structured facts such as bones, bounding boxes, contacts, and facing vectors.
+- A workflow depends on deciding whether a model is a character, prop, proxy mesh, control rig, or broken import.
+
+## Core Principle
+
+Do not judge animated 3D assets only from screenshots. Screenshots are review evidence, but they hide axis conventions, bone names, object scale, local transforms, parented meshes, material slots, and frame-by-frame contact state.
+
+First extract structured Blender state, then use viewport screenshots or renders to confirm what the facts imply.
+
+## How It Works
+
+1. Establish the clean scene and asset baseline before judging motion.
+2. Extract structured facts from Blender using an exporter or Blender Python run inside Blender's own interpreter.
+3. Sample the frames most likely to expose contact, orientation, scale, and retargeting errors.
+4. Compare the measured facts against the user's expected pose, direction, ground plane, and render goal.
+5. Return a concise report that separates confirmed facts, likely causes, and required fixes.
+
+## Inspection Workflow
+
+1. Inventory the scene.
+   - List meshes, armatures, empties, cameras, lights, modifiers, parent relationships, and hidden objects.
+   - Separate character meshes from helper/proxy geometry before judging the avatar.
+   - Record object-space and world-space bounding boxes.
+
+2. Identify the skeleton.
+   - Capture armature names, pose bones, bone heads/tails, roll, parent chains, constraints, and rest-pose axes.
+   - Map semantic bones such as hips, spine, neck, head, shoulders, elbows, hands, thighs, knees, ankles, and feet.
+   - Flag missing left/right pairs and unusual naming schemes.
+
+3. Determine forward, up, and side axes.
+   - Use the pelvis, spine, shoulders, hips, head, and feet together; do not rely on a single mesh normal.
+   - Compare local armature axes with world axes and imported file conventions such as glTF Y-up vs Blender Z-up.
+   - Mark likely mirrored or backwards imports when face/head/feet direction conflicts with root motion.
+
+4. Sample animation frames.
+   - Inspect first, middle, contact, airborne, and extreme frames.
+   - Record root location, root heading, pelvis height, torso lean, limb directions, foot clearance, and mesh bounds.
+   - For long or fast motion, sample more densely around flips, landings, turns, collisions, and floor contacts.
+
+5. Check model integrity before retargeting blame.
+   - Confirm the clean baseline shape before applying animation.
+   - Preserve original mesh, materials, armature, and skinning unless the user explicitly asks for repair.
+   - Treat unexplained sphere-like blobs, giant proxy meshes, or crushed bodies as import/selection issues until proven otherwise.
+
+6. Diagnose contact and motion issues.
+   - Ground penetration: compare lowest foot or shoe vertices with floor height per frame.
+   - Foot sliding: compare foot world positions across planted frames.
+   - Leg crossover: compare left/right thigh, knee, ankle, and foot side ordering.
+   - Twist damage: compare bone swing direction separately from roll/twist around the limb axis.
+   - Scale drift: compare animated mesh bounds against the clean baseline bounds.
+
+7. Report facts before opinions.
+   - Include frame numbers, object names, bone names, world coordinates, and thresholds.
+   - Separate confirmed failures from visual suspicions.
+   - Attach screenshots only after the structured state explains what to look for.
+
+## Recommended Report Shape
+
+```markdown
+## Blender Motion Inspection
+
+### Scene Inventory
+- Character candidates:
+- Armatures:
+- Helper/proxy objects:
+- Cameras/lights:
+
+### Orientation
+- World up:
+- Character forward:
+- Root heading:
+- Mirrored/backwards risk:
+
+### Baseline Integrity
+- Clean mesh bounds:
+- Animated mesh bounds:
+- Materials/skin preserved:
+- Suspicious non-character meshes:
+
+### Frame Findings
+| Frame | Finding | Evidence |
+| --- | --- | --- |
+| 1 | Clean baseline pose | hips/spine/feet aligned |
+| 96 | Foot penetrates floor | left_foot min_z = -0.04 |
+
+### Verdict
+- Pass/fail:
+- Required fix:
+- Render readiness:
+```
+
+## Examples
+
+### Walk Cycle With Foot Sliding
+
+Scenario: a retargeted character appears to skate during a walk cycle, but the front camera angle makes the foot contact hard to judge.
+
+Apply the workflow:
+- Inventory the scene: character mesh `HeroBody`, armature `HeroRig`, ground plane `Floor`, no hidden proxy meshes.
+- Identify the skeleton: semantic feet are `foot.L` and `foot.R`; hips are `pelvis`; root bone is `root`.
+- Sample animation frames: inspect frames 1, 18, 24, 30, 42, and 48 around planted-foot moments.
+- Diagnose contact and motion issues: compare world-space foot locations during planted frames.
+
+Extracted facts:
+
+| Frame | Fact | Evidence |
+| --- | --- | --- |
+| 18 | Left foot is planted | `foot.L min_z = 0.004`, toe and heel both near floor |
+| 24 | Left foot slides while planted | `foot.L x = 0.21 -> 0.28` over six frames |
+| 30 | Pelvis keeps moving forward | `pelvis y = 1.14 -> 1.31` |
+
+Verdict: fail for render readiness. The motion needs foot-lock cleanup or retargeting constraint review; the body mesh does not need proportion changes.
+
+### Backwards Imported Character
+
+Scenario: a character looks correct in a still frame, but the animation moves opposite the expected travel direction.
+
+Apply the workflow:
+- Determine forward, up, and side axes: compare head, chest, feet, and root motion.
+- Sample animation frames: inspect frame 1 and the midpoint of the travel path.
+- Report facts before opinions: include the root heading and model-facing direction separately.
+
+Extracted facts:
+
+| Frame | Fact | Evidence |
+| --- | --- | --- |
+| 1 | Character face points toward world `-Y` | head/chest vector from `neck` to `head` resolves to `-Y` |
+| 72 | Root motion travels toward world `+Y` | `root y = 0.0 -> 2.8` |
+| 72 | Feet remain visually forward-facing opposite travel | toe bones point `-Y` while displacement is `+Y` |
+
+Verdict: likely backwards import or retargeting forward-axis mismatch. Fix the import/retarget axis mapping before editing animation curves.
+
+## Practical Thresholds
+
+- Assume Blender's default meter-scale units unless the scene unit scale says otherwise.
+- Treat ground penetration above 1-2 cm as visible unless the floor is soft or intentionally stylized.
+- Treat a sudden scale change above 5% as a likely rig, constraint, or transform inheritance problem.
+- Treat left/right ankle side-order flips during airborne inverted motion as leg crossover risk even if it recovers later.
+- Treat root heading jumps above 30 degrees per frame as suspicious unless the source motion includes a snap turn.
+
+## Anti-Patterns
+
+- Do not modify body proportions to force pose matching unless the task is explicitly mesh repair.
+- Do not bake away the clean baseline before recording it.
+- Do not use one rendered camera angle as proof that a pose is correct.
+- Do not delete helper objects until you have recorded why they are not part of the character.
+- Do not assume an avatar faces +Y, -Y, +X, or -X without checking head, feet, torso, and root motion together.
+
+## Tooling Notes
+
+If a Blender state exporter is available, prefer JSON that includes meshes, armatures, pose bones, materials, contacts, bounding boxes, and sampled animation frames. If no exporter exists, run a small Blender Python script through Blender itself, for example `blender --background scene.blend --python collect_motion_state.py`, because `bpy` is not available in a normal system Python interpreter.

tests/ci/scan-supply-chain-iocs.test.js

@@ -251,6 +251,45 @@ function run() {
     });
   })) passed++; else failed++;
 
+  if (test('ignores explicit Claude Code deny-wall IOC entries', () => {
+    withFixture({
+      'home/.claude/settings.local.json': JSON.stringify({
+        permissions: {
+          deny: [
+            'Bash(*filev2.getsession.org*)',
+            'Bash(*router_runtime.js*)',
+            'Bash(*gh-token-monitor*)',
+          ],
+        },
+      }, null, 2),
+    }, rootDir => {
+      const homeDir = path.join(rootDir, 'home');
+      const result = scanSupplyChainIocs({ rootDir, home: true, homeDir });
+      assert.deepStrictEqual(result.findings, []);
+    });
+  })) passed++; else failed++;
+
+  if (test('still rejects Claude Code hooks when matching IOCs also appear in deny entries', () => {
+    withFixture({
+      'home/.claude/settings.local.json': JSON.stringify({
+        permissions: {
+          deny: [
+            'Bash(*router_runtime.js*)',
+          ],
+        },
+        hooks: {
+          PostToolUse: [{
+            hooks: [{ command: 'node ~/.claude/router_runtime.js' }],
+          }],
+        },
+      }, null, 2),
+    }, rootDir => {
+      const homeDir = path.join(rootDir, 'home');
+      const result = scanSupplyChainIocs({ rootDir, home: true, homeDir });
+      assert.ok(result.findings.some(finding => finding.indicator === 'router_runtime.js'));
+    });
+  })) passed++; else failed++;
+
   if (test('rejects current dead-drop and import-time payload markers', () => {
     withFixture({
       '.vscode/tasks.json': JSON.stringify({

tests/docs/ecc2-release-surface.test.js

@@ -52,6 +52,7 @@ const expectedReleaseFiles = [
   'quickstart.md',
   'preview-pack-manifest.md',
   'publication-readiness.md',
+  'release-name-plugin-publication-checklist-2026-05-18.md',
 ];
 
 test('release candidate directory includes the public launch pack', () => {
@@ -174,6 +175,7 @@ test('preview pack manifest assembles release, Hermes, and publication gates', (
     'scripts/preview-pack-smoke.js',
     'docs/releases/2.0.0-rc.1/publication-readiness.md',
     'docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md',
+    'docs/releases/2.0.0-rc.1/release-name-plugin-publication-checklist-2026-05-18.md',
   ]) {
     assert.ok(manifest.includes(artifact), `preview pack manifest missing ${artifact}`);
   }
@@ -288,13 +290,52 @@ test('publication readiness checklist gates public release actions on evidence',
   assert.ok(may15Evidence.includes('announcementGate.ready === true'));
   assert.ok(source.includes('ECC-Tools #73 added announcementGate'));
   assert.ok(source.includes('official Plugin Directory publishing and self-serve management are documented as coming soon'));
+  assert.ok(source.includes('release-name-plugin-publication-checklist-2026-05-18.md'));
+  assert.ok(source.includes('Release name and plugin publication checklist'));
   assert.ok(may15Evidence.includes('| Trunk discussions | GraphQL discussion count and maintainer-touch sweep | 58 total discussions;'));
-  assert.ok(source.includes('58 trunk discussions, 0 without maintainer touch'));
+  assert.ok(source.includes('platform audit sampled 58 trunk discussions'));
+  assert.ok(source.includes('0 needing maintainer touch'));
   assert.ok(may15Evidence.includes('env -u GITHUB_TOKEN'));
   assert.ok(may15Evidence.includes('ITO-44'));
   assert.ok(may15Evidence.includes('0 open PRs, 0 open issues'));
 });
 
+test('release name and plugin publication checklist freezes rc.1 surfaces', () => {
+  const checklist = read(
+    'docs/releases/2.0.0-rc.1/release-name-plugin-publication-checklist-2026-05-18.md'
+  );
+  const launchChecklist = read('docs/releases/2.0.0-rc.1/launch-checklist.md');
+  const referenceArchitecture = read('docs/ECC-2.0-REFERENCE-ARCHITECTURE.md');
+
+  for (const value of [
+    'Everything Claude Code (ECC)',
+    '`affaan-m/everything-claude-code`',
+    '`ecc-universal`',
+    '`ecc` on npm is occupied',
+    '`@affaan-m/ecc` is unclaimed on npm',
+    'Claude plugin',
+    'Codex plugin',
+    'self-serve plugin management are coming soon',
+    'Do not rename the repo or package until rc.1 is published',
+    'Do not announce billing, Marketplace, or native payments',
+  ]) {
+    assert.ok(checklist.includes(value), `release name/plugin checklist missing ${value}`);
+  }
+
+  for (const command of [
+    'claude plugin validate .claude-plugin/plugin.json',
+    'claude plugin tag .claude-plugin --dry-run',
+    'codex plugin marketplace add --help',
+    'npm publish --tag next --dry-run',
+    'npm run preview-pack:smoke',
+  ]) {
+    assert.ok(checklist.includes(command), `release name/plugin checklist missing command ${command}`);
+  }
+
+  assert.ok(launchChecklist.includes('release-name-plugin-publication-checklist-2026-05-18.md'));
+  assert.ok(referenceArchitecture.includes('Keep the release/name/plugin publication checklist current'));
+});
+
 test('release checklist and roadmap link to publication readiness evidence gate', () => {
   const launchChecklist = read('docs/releases/2.0.0-rc.1/launch-checklist.md');
   const roadmap = read('docs/ECC-2.0-GA-ROADMAP.md');

tests/hooks/insaits-security-monitor.test.js

@@ -75,7 +75,7 @@ function readAudit(root) {
 
 function runMonitor(options = {}) {
   if (!PYTHON) {
-    throw new Error('Python 3 is required for insaits-security-monitor.py tests');
+    throw new Error('Python 3 was expected to be available for this test run');
   }
 
   const tempDir = createTempDir();
@@ -119,6 +119,12 @@ function test(name, fn) {
 function runTests() {
   console.log('\n=== Testing insaits-security-monitor.py ===\n');
 
+  if (!PYTHON) {
+    console.log('  SKIP Python 3 not found; insaits-security-monitor.py subprocess tests require a Python runtime');
+    console.log('\nResults: Passed: 0, Failed: 0');
+    process.exit(0);
+  }
+
   let passed = 0;
   let failed = 0;
 

tests/scripts/operator-readiness-dashboard.test.js

@@ -66,15 +66,27 @@ function seedRepo(rootDir, overrides = {}) {
       'eb69412',
       'Marketplace webhook provenance',
       '2859678',
+      'Wrangler OAuth readback',
+      '42653f9',
+      'target account billing readback',
+      '632e059',
       'announcementGate',
       'ITO-55',
       'Linear live sync is current for the May 17 merge batch',
       'operator progress snapshot'
     ].join('\n'),
-    'docs/releases/2.0.0-rc.1/publication-readiness.md': 'Claude plugin Codex plugin',
+    'docs/releases/2.0.0-rc.1/publication-readiness.md': 'Claude plugin Codex plugin release-name-plugin-publication-checklist-2026-05-18.md',
     'docs/releases/2.0.0-rc.1/naming-and-publication-matrix.md': 'Claude plugin Codex plugin npm package Publication Paths',
+    'docs/releases/2.0.0-rc.1/release-name-plugin-publication-checklist-2026-05-18.md': [
+      'Everything Claude Code (ECC)',
+      'ecc-universal',
+      'claude plugin tag .claude-plugin --dry-run',
+      'codex plugin marketplace add',
+      'Do not rename the repo or package until rc.1 is published'
+    ].join('\n'),
     'docs/releases/2.0.0-rc.1/preview-pack-manifest.md': [
       'publication-readiness.md release-notes.md quickstart.md',
+      'release-name-plugin-publication-checklist-2026-05-18.md',
       '`scripts/preview-pack-smoke.js`',
       'npm run preview-pack:smoke'
     ].join('\n'),
@@ -91,6 +103,12 @@ function seedRepo(rootDir, overrides = {}) {
       'PR queue',
       'Not complete'
     ].join('\n'),
+    'docs/releases/2.0.0-rc.1/owner-queue-cleanup-2026-05-18.md': [
+      'Owner-wide open PRs after cleanup: 0.',
+      'Owner-wide open issues after cleanup: 0.',
+      'Stale dependency-bot PRs closed: 24.',
+      'Stale legacy payments/0EM roadmap issues closed: 72.'
+    ].join('\n'),
     'docs/HERMES-SETUP.md': 'Hermes setup Public Release Candidate Scope',
     'skills/hermes-imports/SKILL.md': 'Hermes imports Sanitization Checklist Do not ship raw workspace exports Output Contract',
     'docs/stale-pr-salvage-ledger.md': [
@@ -260,13 +278,21 @@ function runTests() {
       )));
       assert.ok(report.requirements.some(item => (
         item.id === 'ecc-tools-next-level'
-          && item.gap === 'replace the invalid Cloudflare credential, create or verify Marketplace-managed Pro billing-state with webhook provenance, then run `billing:kv-readback -- --require-ready` and the live announcement gate'
+          && item.gap === 'create or verify Marketplace-managed Pro target billing-state with webhook provenance, then run `billing:kv-readback -- --account <github-login> --require-ready` with working Cloudflare API auth or repaired Wrangler OAuth, followed by the live announcement gate'
           && item.evidence.includes('operator-visible promotion output details')
           && item.evidence.includes('hosted promotion judge audit traces')
           && item.evidence.includes('billing announcement preflight')
           && item.evidence.includes('aggregate production billing KV readback')
+          && item.evidence.includes('Wrangler OAuth readback')
+          && item.evidence.includes('target-account billing readback')
           && item.evidence.includes('provenance-aware Marketplace billing-state gates')
       )));
+      assert.ok(report.requirements.some(item => (
+        item.id === 'naming-and-plugin-publication'
+          && item.artifact.includes('release-name-plugin-publication checklist')
+          && item.evidence.includes('release publication checklist')
+          && item.gap === 'real tag/push, marketplace submission, and final channel choice remain approval-gated'
+      )));
       assert.ok(report.requirements.some(item => (
         item.id === 'supply-chain-local-protection'
           && item.artifact.includes('AgentShield package-manager hardening')

tests/scripts/repair.test.js

@@ -12,6 +12,7 @@ const INSTALL_SCRIPT = path.join(__dirname, '..', '..', 'scripts', 'install-appl
 const DOCTOR_SCRIPT = path.join(__dirname, '..', '..', 'scripts', 'doctor.js');
 const REPAIR_SCRIPT = path.join(__dirname, '..', '..', 'scripts', 'repair.js');
 const REPO_ROOT = path.join(__dirname, '..', '..');
+const CLI_TIMEOUT_MS = 30000;
 const CURRENT_PACKAGE_VERSION = JSON.parse(
   fs.readFileSync(path.join(REPO_ROOT, 'package.json'), 'utf8')
 ).version;
@@ -51,7 +52,7 @@ function runNode(scriptPath, args = [], options = {}) {
       env,
       encoding: 'utf8',
       stdio: ['pipe', 'pipe', 'pipe'],
-      timeout: 10000,
+      timeout: options.timeout || CLI_TIMEOUT_MS,
     });
 
     return { code: 0, stdout, stderr: '' };
@@ -59,7 +60,7 @@ function runNode(scriptPath, args = [], options = {}) {
     return {
       code: error.status || 1,
       stdout: error.stdout || '',
-      stderr: error.stderr || '',
+      stderr: error.stderr || error.message || '',
     };
   }
 }