elias/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-05-21 06:59:09 +08:00
Code Issues Packages Projects Releases Wiki Activity
everything-claude-code/docs/releases/2.0.0-rc.1/publication-evidence-2026-05-15.md

136 lines
7.5 KiB
Markdown
Raw Blame History

# ECC v2.0.0-rc.1 Publication Evidence - 2026-05-15
This is release-readiness evidence only. It does not create a GitHub release,
npm publication, plugin tag, marketplace submission, or announcement post.
## Source Commit
| Field | Evidence |
| --- | --- |
| Upstream main base | `acbc152375c215b4fe2a20abb29dfb733727c4cb` |
| Evidence branch | `docs/ecc2-rc1-preview-pack-refresh` |
| Evidence scope | Current `main` after PR #1921, #1924, #1925, #1926, AgentShield #83/#84 follow-ups, and ECC-Tools #74 billing verifier follow-up |
| Git remote | `https://github.com/affaan-m/everything-claude-code.git` |
| Local status caveat | Working tree had the unrelated untracked `docs/drafts/` directory before this docs refresh |
The actual release operator should repeat all publish-facing checks from the
final release commit with a clean checkout before publishing.
## Queue And Discussion State
| Surface | Command | Result |
| --- | --- | --- |
| Trunk PRs/issues | `gh pr list` and `gh issue list` for `affaan-m/everything-claude-code` | 0 open PRs, 0 open issues |
| AgentShield PRs/issues | `gh pr list` and `gh issue list` for `affaan-m/agentshield` | 0 open PRs, 0 open issues |
| JARVIS PRs/issues | `gh pr list` and `gh issue list` for `affaan-m/JARVIS` | 0 open PRs, 0 open issues |
| ECC Tools PRs/issues | `env -u GITHUB_TOKEN gh pr list` and `env -u GITHUB_TOKEN gh issue list` for `ECC-Tools/ECC-Tools` | 0 open PRs, 0 open issues |
| ECC website PRs/issues | `env -u GITHUB_TOKEN gh pr list` and `env -u GITHUB_TOKEN gh issue list` for `ECC-Tools/ECC-website` | 0 open PRs, 0 open issues |
| Trunk discussions | GraphQL discussion count and maintainer-touch sweep | 58 total discussions; 0 without maintainer touch after May 15 maintainer comments |
| Other repo discussions | GraphQL discussion count for AgentShield, JARVIS, ECC Tools, and ECC website | Discussions disabled or 0 total |
The ECC Tools organization is reachable with the configured GitHub host
credential. In this shell, the exported `GITHUB_TOKEN` overrides that credential
and causes false 404/403 failures for `ECC-Tools/*`. Use `env -u GITHUB_TOKEN`
for ECC Tools verification commands until that environment override is cleaned
up.
## Linear Roadmap State
The detailed execution roadmap now lives in Linear project:
<https://linear.app/itomarkets/project/ecc-platform-roadmap-52b328ee03e1>
The project contains 16 issue-level lanes and 5 milestones:
| Milestone | Issues |
| --- | --- |
| Security and Access Baseline | `ITO-44`, `ITO-57`, `ITO-58` |
| ECC 2.0 Preview and Publication | `ITO-45`, `ITO-46`, `ITO-47`, `ITO-56` |
| AgentShield Enterprise Iteration | `ITO-48`, `ITO-49` |
| ECC Tools Next-Level Platform | `ITO-50`, `ITO-51`, `ITO-52`, `ITO-53`, `ITO-54`, `ITO-59` |
| Legacy Audit and Salvage | `ITO-55` |
Project documents added in Linear:
- Roadmap Index and Current Execution Baseline
- Status Update 2026-05-15
- GitHub Queue Snapshot 2026-05-15
- Completion Audit Snapshot 2026-05-15
- Discussion Queue Evidence 2026-05-15
- ECC-Tools Access Evidence 2026-05-15
## Supply-Chain Evidence
| Surface | Evidence |
| --- | --- |
| PR #1921 | Merged supply-chain IOC expansion for Mini Shai-Hulud/TanStack follow-up |
| Node IPC follow-up / PR #1924 | Added May 14 `node-ipc` malicious-version, hash, DNS, and runtime IOC coverage |
| PR #1926 | Added `platform:audit` and `security-ioc-scan` command surfaces plus release workflow IOC gates |
| AgentShield PR #83 | Merged Mini Shai-Hulud IOC coverage for TanStack, Mistral, OpenSearch, Guardrails, UiPath, Squawk, Claude Code / VS Code persistence, and dead-man switch artifacts |
| AgentShield PR #84 | Merged the broader Mini Shai-Hulud full-campaign affected-package table, including additional `@cap-js`, `@draftlab`, `@tallyui`, `intercom-client`, `lightning`, and related package/version IOCs |
| Trunk merge commits | `f04702bdac132662c8496e817bcd850c86e2b854`, `ee85e1482e3d6322ddb2706392ea0fc97469bd26`, `13585f1092c92fa3f20ffe0d756e40c5720b0de5` |
| AgentShield merge commits | `f899b27ba3fa60ec7e0dca41cc2dadcb1a1fb75d`, `d1aa5313afd915d0b7296e57aabaeb979b1ea93b` |
| Local IOC tests | `node tests/ci/scan-supply-chain-iocs.test.js` passed 12/12 |
| Unicode safety | `node scripts/ci/check-unicode-safety.js` passed |
| IOC scan | `npm run security:ioc-scan` passed |
| Root suite | `npm test` passed 2427/2427, 0 failed |
| Repo sweeps | `node scripts/ci/scan-supply-chain-iocs.js --root <ECC-workspace> --home` passed with 1238 files inspected; targeted persistence path checks found no active `gh-token-monitor`, `pgsql-monitor`, `transformers.pyz`, or `pgmonitor.py` artifacts |
The May 15 IOC expansion added coverage for OpenSearch/Mistral/Guardrails/
UiPath/Squawk-style campaign variants, `opensearch_init.js`, `vite_setup.mjs`,
dead-drop/session protocol strings, and AI-tooling persistence surfaces without
committing full high-entropy indicators that trip secret scanners.
The May 15 node-ipc follow-up blocks `node-ipc@9.1.6`, `9.2.3`, `10.1.1`,
`10.1.2`, `11.0.0`, `11.1.0`, and `12.0.1`, plus the `node-ipc.cjs` payload
hash, malicious tarball hashes, DNS exfil domains, and runtime markers reported
by Socket.
AgentShield PR #83 adds the matching scanner-side enterprise coverage:
version-pinned package detections, `.claude` / `.vscode` automation-surface
discovery, `gh-token-monitor` LaunchAgent/systemd/local-bin artifact detection,
network/payload IOCs, built action/CLI bundles, 1758/1758 local tests, and
green GitHub Actions verification before merge.
AgentShield PR #84 closes the later full-campaign package-table gap by adding
the extra affected npm package scopes and unscoped packages reported in the
current Wiz table, rebuilding `dist/action.js` and `dist/index.js`, and passing
1758/1758 local tests plus the full AgentShield GitHub Actions matrix before
merge.
## Preview Pack State
`preview-pack-manifest.md` now assembles the rc.1 preview-pack boundary:
- release notes, quickstart, launch checklist, publication readiness, naming
matrix, and May 15 evidence;
- `docs/HERMES-SETUP.md` and `skills/hermes-imports/SKILL.md` as the public
Hermes-specialized surface;
- cross-harness, harness-adapter, observability, and progress-sync docs;
- X, LinkedIn, article, Telegram, and demo collateral that must receive final
live URLs after release/package/plugin publication;
- explicit blockers for GitHub release, npm `next` publish, Claude plugin,
Codex plugin, ECC Tools billing/product-readiness, and announcements.
The preview pack is assembled for final clean-checkout gating, but it is still
not a publication action.
## Current Publication Blockers
- GitHub prerelease `v2.0.0-rc.1` is still not created in this pass.
- npm `ecc-universal@2.0.0-rc.1` is still not published to the `next` dist-tag.
- Claude plugin tag and marketplace propagation remain approval-gated.
- Codex plugin public marketplace/manual submission path still needs final
owner verification.
- ECC Tools PR #73 added a fail-closed `/api/billing/readiness`
`announcementGate` for native GitHub payments claims, and ECC Tools PR #74
added `npm run billing:announcement-gate` as the operator verifier, but the
live Marketplace-managed test-account readback still must return
`announcementGate.ready === true` before any public payment announcement.
- Release notes, X, LinkedIn, and longform copy still need final live URLs after
release/package/plugin URLs exist.
## Result
The queue, discussion, Linear roadmap, and supply-chain evidence are fresher
than the May 13 publication evidence. They improve readiness, but they do not
replace the final clean-checkout publish pass required by
`publication-readiness.md`.
Reference in New Issue View Git Blame Copy Permalink