Back to Everything Claude Code

ECC v2.0.0-rc.1 Publication Evidence - 2026-05-18

docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md

2.0.018.9 KB
Original Source

ECC v2.0.0-rc.1 Publication Evidence - 2026-05-18

This is release-readiness evidence only. It does not create a GitHub release, npm publication, plugin tag, marketplace submission, or announcement post.

Source Commit

FieldEvidence
Upstream main4470e2e6702f17099d6feb137ba03ff00582c202
Git remotehttps://github.com/affaan-m/everything-claude-code.git
Evidence scopeCurrent main after PR #1970 workflow-security validator bypass fixes, PR #1971 metrics bridge cost-reporting fixes, PR #1972 uncloud skill merge, PR #1973 stale script cleanup, issue #1974 cost-reporting verification/closure, PR #1976 OpenAI/AstraFlow provider response guards, PR #1978 review/closure, catalog/operator dashboard refresh, ECC-Tools Wrangler OAuth billing readback mirror, AgentShield 840952a fleet-ticket and Mini Shai-Hulud IOC evidence mirror, Mini Shai-Hulud/TanStack protection recheck, defensive-deny IOC scanner hardening, release name/plugin publication checklist, readiness/smoke gate enforcement for that checklist, release OIDC publishing-scope hardening, workflow line-ending normalization, current-head CI/security scan, work-items sync, Linear progress sync, the ITO-46 publication-path dry-run refresh, ITO-46 Linear closure, and the post-closure operator dashboard refresh
Local status caveatgit status --short --branch was clean at dashboard generation time; generated evidence files are committed after the source snapshot they describe

The actual release operator should repeat all publish-facing checks from the final release commit with a strictly clean checkout before publishing.

Queue And Discussion State

SurfaceCommandResult
Trunk PRsgh pr list --limit 100 --json number,title,state,author,updatedAt,url0 open PRs
Trunk issuesgh issue list --limit 100 --json number,title,state,updatedAt,url,labels0 open issues
Discussion auditnpm run discussion:audit -- --jsonReady; 58 sampled discussions in affaan-m/everything-claude-code, 0 needing maintainer touch, 0 answerable discussions missing accepted answer, and 0 fetch errors
Platform auditnode scripts/platform-audit.js --json --allow-untracked docs/drafts/Ready; tracked repos report 0 open PRs, 0 open issues, 0 discussion maintainer-touch gaps, 0 answerable Q&A missing accepted answers, and 0 blocking dirty files
Work-items syncnode scripts/work-items.js sync-github --repo <tracked-repo> for five tracked repos; node scripts/status.js --json; node scripts/work-items.js list --jsonAll five tracked repos synced with 0 open PRs/issues and no changed work items; local status reports 0 open, 0 blocked, and 0 closed work items
Operator dashboardnpm run operator:dashboard -- --markdown --write docs/releases/2.0.0-rc.1/operator-readiness-dashboard-2026-05-18.mdRegenerated at 4470e2e6702f17099d6feb137ba03ff00582c202; dashboard ready true, publication ready false because release, npm, plugin, billing, and announcement gates are approval-gated; 0 PRs, 0 issues, and 0 discussion gaps remain across tracked repos; AgentShield enterprise evidence includes 840952a; ECC Tools native-payments gate now names the narrowed ITO-61 blocker: create or verify Marketplace-managed Pro target billing-state with webhook provenance, configure the target account and INTERNAL_API_SECRET, then rerun target readback and the live announcement gate

Tracked repositories in the platform audit and work-items sync were:

  • affaan-m/everything-claude-code
  • affaan-m/agentshield
  • affaan-m/JARVIS
  • ECC-Tools/ECC-Tools
  • ECC-Tools/ECC-website

Merge And Triage Batch

ItemResult
PR #1970Merged workflow-security validator fixes for quoted write-all and refs/pull/* checkout bypasses; main includes e06d0382 and 7bb31720 from that slice
PR #1971Merged metrics bridge cost-reporting fixes, full costs-file scan behavior, and persistent warning de-duplication across hook subprocesses; main includes commits through 9b1d8918
PR #1972Merged skills/uncloud/SKILL.md with activation structure and uncloud command references; main includes 8b6aed0, 2e5f30f, and caee7cf
PR #1973Merged stale skills/strategic-compact/suggest-compact.sh removal after confirming the active hook is scripts/hooks/suggest-compact.js; remote main includes 812d4d06
Issue #1974Closed after verifying current origin/main already reads the latest cumulative metrics bridge cost row and focused cost/metrics tests pass
Catalog/operator refreshPushed 81fca2ce to refresh generated catalog count, URL ledger, and operator dashboard state after #1973/#1974
PR #1976Merged provider response hardening for OpenAI-compatible and AstraFlow providers; main includes eb0d8939 follow-up guards for empty/filtered provider choices, missing OpenAI response.usage, shared filtered-response error text, and credential-less provider construction validation
Provider guard validationuv run --extra dev pytest -q tests/test_provider_tools.py tests/test_astraflow_provider.py, uv run --extra dev pytest -q, node tests/run-all.js, and git diff --check passed before merging #1976 follow-up into main: 11 provider-focused Python tests, 76 full Python tests, 2509 Node tests, and clean whitespace checks
Defensive-deny IOC scanner hardeningPushed 04d4d819 so explicit Claude permissions.deny IOC entries are treated as defensive controls while the same IOC still fails in hooks, tasks, scripts, locks, and payload files; local npm test passed 2511/2511 and current-head CI 26017368895 passed 37/37
Release name/plugin publication checklistPushed 6c0fbfb6 to add docs/releases/2.0.0-rc.1/release-name-plugin-publication-checklist-2026-05-18.md; the artifact freezes rc.1 as Everything Claude Code / ECC, keeps npm ecc-universal, keeps Claude/Codex plugin slug ecc, cites current Anthropic/OpenAI plugin publication paths, and blocks rename/npm publish/plugin tag/submission/billing/social actions until final release evidence exists; GitHub Actions CI 26034898420 passed
Dashboard and preview-pack checklist enforcementAdded 680aeff0 so scripts/operator-readiness-dashboard.js and scripts/preview-pack-smoke.js require the release-name/plugin publication checklist; local dashboard and smoke tests passed and preview-pack smoke now enforces 26 required artifacts
AgentShield enterprise evidence mirrorAdded 2ba0c62d and refreshed the dashboard generator/GA roadmap/AgentShield enterprise roadmap so the ECC release evidence names AgentShield 840952a fleet review ticket payloads and current Mini Shai-Hulud IOC breadcrumb coverage
PR #1978Closed broad/failing outside Excel harness PR after review; recorded a corrected split path for a future smaller Excel harness proposal, install-target/tooling PR, plugin-runtime PR, and translation-automation PR
Announcement draft trackingAdded docs/drafts/release-1.10.1-announcement.md so the stabilization announcement draft is tracked instead of remaining as release-blocking untracked local state
Clean-worktree preview-pack smokeDetached worktree at 680aeff0fb9a8598858e3105ba4742973ef386ab; node scripts/preview-pack-smoke.js --root <worktree> --format json passed 5/5 with digest 0ed831dbd0cf; 26 required artifacts, final verification commands, Hermes public sanitization boundary, and approval-gated publication blockers were all preserved
Public queuesRechecked after the merge and issue-closure batch; 0 PRs, 0 issues, and 0 discussion gaps remain across tracked repos
Release OIDC publishing scopePushed 7911af4a to keep the release workflow's trusted-publishing path scoped to release publication instead of broadening OIDC permissions across unrelated jobs; local workflow security validation passed
Release workflow normalizationPushed 97567a91 to normalize release workflow line endings after the OIDC hardening slice; current-head CI 26050727969 passed for 97567a91e79e1ee4c291eb78f5f9c30c2046ac94
Operator readiness evidence refreshPushed 0f1775e3, fe7b4f2b, and 67e63e63 to refresh blocker evidence, regenerate the operator dashboard, and align publication readiness to the latest CI/security evidence; pushed 4470e2e6 to close ITO-46 publication-path evidence, then regenerated the dashboard at 4470e2e6702f17099d6feb137ba03ff00582c202; current-head CI 26057806361 passed for 4470e2e6702f17099d6feb137ba03ff00582c202

Supply-Chain And Security Evidence

GateCommandResult
Repo IOC scannpm run security:ioc-scanPassed; 198 files inspected
Home persistence IOC scannode scripts/ci/scan-supply-chain-iocs.js --home --jsonPassed; 200 files inspected; findings: []
ECC workspace IOC rechecknode scripts/ci/scan-supply-chain-iocs.js --root <local ECC root> --home --jsonPassed; 1212 files inspected; findings: []; exact local path is kept out of public release evidence
Narrow active persistence sweepTargeted search over user-level Claude, VS Code, LaunchAgent/systemd, local-bin, /tmp, and /private/tmp campaign pathsExisting active targets: 2; no campaign marker hits
Scanner fixture testsnode tests/ci/scan-supply-chain-iocs.test.js20 passed, 0 failed, including defensive Claude deny-wall pass and hook-with-same-IOC fail-closed coverage
Advisory source refreshnode scripts/ci/supply-chain-advisory-sources.js --refresh --jsonReady with 9 sources; live refresh produced 1 OpenAI URL warning from Node fetch while primary TanStack, GitHub advisory, StepSecurity, Wiz, Socket, npm, and CISA sources returned OK
No-lifecycle installnpm ci --ignore-scriptsCompleted cleanly; 213 packages installed, 0 vulnerabilities
npm auditnpm audit --audit-level=high0 vulnerabilities
npm signaturesnpm audit signatures213 verified registry signatures; 17 verified attestations
Workflow securitynode scripts/ci/validate-workflow-security.jsValidated 8 workflow files after the release OIDC publishing-scope hardening
AgentShield project scannpx --no-install ecc-agentshield scan --format jsonGrade A / 99; 0 critical, 0 high, 0 medium; 6 low docs-example skill telemetry/governance findings
Current-head CI security scangh run view 26057806361 --repo affaan-m/everything-claude-code --json status,conclusion,headSha,jobs,urlCompleted successfully for 4470e2e6702f17099d6feb137ba03ff00582c202; 37/37 CI jobs passed, including lint, workflow/component validation, coverage, cross-platform package-manager tests, npm audit, and supply-chain IOC scan
Latest Supply-Chain Watchgh run view 26010432490 --repo affaan-m/everything-claude-code --json status,conclusion,headSha,urlCompleted successfully for 25ac57ac40e9fc5a0606e76e6339e72c79748c99; rerun from the final release commit before publication

ITO-46 Publication Path Refresh

GateCommandResult
Clean publication-path baselinegit status --short --branch; git rev-parse HEAD; git remote get-url originClean main at 67e63e63f9bfd074bd6a21bf6bac71f3dfefa58b; remote https://github.com/affaan-m/everything-claude-code.git
Package/plugin identity readbacknode -p "JSON.stringify({pkg, claude, codex, opencode}, null, 2)"[email protected]; Claude plugin [email protected]; Codex plugin [email protected]; OpenCode package [email protected]
Name availabilitynpm view ecc name version description repository.url --json; npm view @affaan-m/ecc name version --json; npm view ecc-universal name version dist-tags --jsonecc is occupied by unrelated [email protected]; @affaan-m/ecc returns 404; ecc-universal registry latest remains 1.10.0 with no next dist-tag
Plugin manifest testsnode tests/plugin-manifest.test.js54 passed, 0 failed
Release surface testsnode tests/docs/ecc2-release-surface.test.js21 passed, 0 failed
Claude plugin validationclaude plugin validate .claude-plugin/plugin.json; claude plugin validate .; claude plugin tag .claude-plugin --dry-runClaude Code 2.1.143; manifest validation passed; full plugin validation passed with one expected root CLAUDE.md context warning; tag dry run would create ecc--v2.0.0-rc.1
Claude marketplace source helpclaude plugin marketplace add --help; claude plugin marketplace update --helpMarketplace add supports URL, local path, GitHub repo, --scope, and --sparse; update supports targeted or all-marketplace refresh
Codex marketplace helpcodex plugin marketplace add --helpCodex CLI 0.131.0; marketplace add supports local paths, owner/repo[@ref], HTTPS Git URL, SSH Git URL, --ref, and --sparse
Codex local marketplace smokeHOME="$(mktemp -d)" codex plugin marketplace add ./Added marketplace ecc from the local checkout without touching the real Codex config
Codex GitHub-ref marketplace smokeHOME="$(mktemp -d)" codex plugin marketplace add affaan-m/everything-claude-code --ref "$(git rev-parse HEAD)"Added marketplace ecc from the public GitHub repo pinned to 67e63e63f9bfd074bd6a21bf6bac71f3dfefa58b without touching the real Codex config
npm package dry-runNPM_CONFIG_USERCONFIG=/dev/null npm pack --dry-run --json; NPM_CONFIG_USERCONFIG=/dev/null npm publish --tag next --dry-runPack produced ecc-universal-2.0.0-rc.1.tgz, 2228 files, 4,348,504 bytes packed, 13,024,929 bytes unpacked, shasum 29d6a17029d80f5cb1df068880ba86c55a5d60f1; publish dry-run would publish [email protected] with tag next
OpenCode package buildnpm run build:opencodePassed
Preview pack smokenpm run preview-pack:smokeReady yes; digest 0ed831dbd0cf; 5 passed, 0 failed
Official docs checkAnthropic https://code.claude.com/docs/en/plugins and https://code.claude.com/docs/en/plugin-marketplaces; OpenAI https://developers.openai.com/codex/plugins/buildAnthropic documents self-hosted marketplace sources; OpenAI documents repo/personal marketplaces and the official Plugin Directory. ECC has not created a real release tag, official listing, or npm publication in this pass
ITO-46 closureLinear ITO-46 comment 9ef92056-ab23-4eed-bfdb-932dddc2b056; Linear issue status Done; GitHub Actions 26057806361Publication-path docs now record every channel, name conflicts, package/plugin dry-run commands, and blocker register; Codex repo-marketplace distribution is verified but official Plugin Directory listing is not claimed before OpenAI submission/listing evidence

Linear Progress Sync

SurfaceEvidence
ITO-57 issue comments0b9931b9-1556-4ebc-a70c-f3635557625d records May 18 queue counts, #1970/#1971/#1972/#1976 merge evidence, supply-chain verification, current-head CI URL, deferred gates, and next slices; reply 6fa15367-d994-4e53-ade3-9462477e1100 records the expanded TanStack/Mini Shai-Hulud recheck, defensive-deny scanner fix, current-head CI 26017368895, and post-push platform audit; comment 3fe5b2b7-c4fe-401c-a317-b40d72119cb3 records the final emergency refresh against 97567a91, AgentShield 4e36aab, clean ECC/Ito/Documents workspace IOC scans, absent dead-man/persistence artifacts, and package-manager/Claude deny-wall posture; comment 43837404-c01c-4aaa-b5e2-1e784c136d69 records ECC-Tools brace-expansion alert 44 fixed in e56fc1a with CI 26054671308 and Dependabot API state: fixed
ITO-52 issue statusf2e5a208-de91-4a3a-960b-5362d12aa5a4 records ECC-Tools 69ca535 team-learning feedback controls, local verification, and CI 26054455434; Linear ITO-52 is Done
ITO-61 issue status6904e4fb-bec7-4787-90e2-759f077a628c records the narrowed native-payments readback blocker: Wrangler OAuth now works, aggregate readback is clean, but there is still no Marketplace-managed Pro target billing-state with webhook provenance and the local announcement preflight is missing the target account plus INTERNAL_API_SECRET
ECC platform project commente32e5b7a-287b-4bf4-9ed7-314389a157e1 records the earlier current public queue, security, #1976, and remaining-gate state at the project level; follow-up ITO-44 comments a01eeef3-c69b-48c0-8804-a4682acfc1ef and 6b0885cc-c4e9-40db-899b-f7b88b4aa046 record ITO-52 completion and the fixed ECC-Tools Dependabot alert
Project status update caveatLinear returned "Project status updates are not enabled for this workspace"; project comment was used as the supported status surface

Current Publication Blockers

  • GitHub prerelease v2.0.0-rc.1 is still not created in this pass.
  • npm [email protected] is still not published to the next dist-tag.
  • Claude plugin tag and marketplace propagation remain approval-gated.
  • Codex repo-marketplace distribution is verified for rc.1, but official Plugin Directory publishing remains blocked on OpenAI's self-serve publishing surface.
  • ECC Tools billing/native-payments copy remains blocked until a Marketplace Pro purchase/webhook path writes ready production billing-state:* provenance for the target Marketplace test account, then npm run billing:kv-readback -- --account <github-login> --require-ready with working Cloudflare API auth or repaired Wrangler OAuth, followed by npm run billing:announcement-gate -- --account <github-login>, return announcement-ready gates. The latest Wrangler OAuth aggregate readback found 256 account-billing:* records, 256 billing-state:* records, 197 Marketplace-source records, 59 Stripe-source records, 53 Pro records, 4 Marketplace webhook-provenance records, all Open Source, 0 Marketplace Pro states, 0 ready-like Marketplace Pro states, and 0 parse failures. ECC-Tools commit 632e059 adds the follow-up target-account readback mode, redacts the account login and raw KV key names, and requires both target key families before --require-ready can pass. ECC-Tools commit 13cd3fc normalizes billing-state key casing. The latest ITO-61 retry fails because no Marketplace-managed Pro state exists and the announcement preflight is missing the target account plus INTERNAL_API_SECRET; Linear ITO-61 tracks the exact target-account acceptance criteria.
  • Release notes, X, LinkedIn, GitHub release, and longform copy still need final live URLs after release/package/plugin URLs exist.
  • The local checkout is clean after the dashboard/evidence refresh, but a strict clean-checkout release pass remains required before real publication.

Result

The tracked public PR queue, issue queue, discussion queue, local work-items bridge, release-name/plugin publication gate, and Mini Shai-Hulud/TanStack protection loop are current on May 18, 2026 for current main through 97567a91, with follow-up ECC Tools billing-gate hardening in 632e059 and AgentShield enterprise/security hardening through 4e36aab. This improves publication readiness but does not replace the approval-gated release, package, plugin, billing, and announcement steps in publication-readiness.md.