docs: record final public readiness pass

Author: Shaelz

CHANGELOG.md

@@ -18,6 +18,9 @@
   clone acquisition, Codex/Claude install paths, existing-target refusal,
   force reinstall, installed-package invocation, rerun behavior, small and
   medium map interpretation, deterministic checks, and remaining manual gates.
+- Record the final pre-public GitHub/API readiness pass and exact human action
+  checklist for visibility, public-only security features, rulesets, tag,
+  release, and post-public validation.
 - Align the README with the sister `codebase-orient` style, including a
   user-first quickstart, delegated install prompt, first-use separation,
   authority-boundary table, validation guidance, and release-status navigation.

docs/V1_RELEASE_PLAN.md

@@ -28,7 +28,8 @@ final validation record is frozen.
 The latest validated candidate content is deterministic-check ready for final
 publication preparation. An agent-mediated cold-user rehearsal now proves the
 README/SKILL acquisition, install, invocation, interpretation, and rerun path
-from a clean private GitHub clone. It is not public-release complete until
+from a clean private GitHub clone, and a final pre-public API/readiness pass
+found no new hosted-surface blocker. It is not public-release complete until
 external human validation or explicit maintainer acceptance, manual GitHub
 UI-only checks, public-only security/ruleset setup, and the final
 tag/release/publication decision finish. If maintainers choose a later content
@@ -724,14 +725,15 @@ and copyable agent briefing support.
 The next milestone is **M6: exact release candidate and v1 publication**. It
 must complete final manual GitHub UI checks, final public-only GitHub
 security/ruleset setup, and the publication decision before visibility changes.
-The agent-mediated cold-user rehearsal is complete; the maintainer can either
-accept it as sufficient for v1 or perform an additional external
-human-through-agent validation pass.
+The agent-mediated cold-user rehearsal and final pre-public API/readiness pass
+are complete; the maintainer can either accept the rehearsal as sufficient for
+v1 or perform an additional external human-through-agent validation pass.
 
 The initial GitHub exposure inventory, controlled rewrite plan, rewrite dry
 run, real private-history rewrite, private-safe GitHub settings pass, and
 validated-candidate deterministic release-candidate evidence are complete. The
-agent-mediated pre-public rehearsal is also complete. The next M6 execution
-slice is final manual/public-only release preparation; visibility remains
-private throughout. If maintainers choose a later content commit for tagging,
-exact-candidate validation must be refreshed again.
+agent-mediated pre-public rehearsal and final API/readiness pass are also
+complete. The next M6 execution slice is final manual/public-only release
+preparation; visibility remains private throughout. If maintainers choose a
+later content commit for tagging, exact-candidate validation must be refreshed
+again.

docs/ai/OPEN_QUESTIONS.md

@@ -16,7 +16,8 @@ Last refreshed: 2026-06-06
   applied, and the latest validated candidate content has deterministic
   release-candidate evidence from both the working tree and a fresh private
   clone. An agent-mediated cold-user rehearsal from a disposable GitHub clone is
-  recorded in `docs/releases/M6_PRE_PUBLIC_REHEARSAL.md`. Remaining gates are
+  recorded in `docs/releases/M6_PRE_PUBLIC_REHEARSAL.md`. A final pre-public
+  API/readiness pass found no new hosted-surface blocker. Remaining gates are
   final manual GitHub UI-only checks, public-only security/ruleset setup, and
   the final tag/release/publication decision. The maintainer may still choose
   to perform an additional external human-through-agent validation pass before

docs/releases/M6_GITHUB_EXPOSURE_AUDIT.md

@@ -5,6 +5,8 @@ settings pending
 
 Date: 2026-06-06
 
+Final pre-public API pass: 2026-06-06
+
 Repository: `Shaelz/codebase-visualize-skill`
 
 This record inventories surfaces that would become public with the repository.
@@ -64,7 +66,7 @@ remote was then rewritten and a fresh GitHub clone passed
 | Pages | not configured | retain disabled |
 | Wiki and discussions | disabled | retain disabled |
 | Projects | disabled | retain disabled |
-| Packages | no package publication is intended; `package.json` remains private; enumeration was unavailable to the current token | retain no-publication policy and verify manually |
+| Packages | no package publication is intended; `package.json` remains private; package views remain a manual UI check | retain no-publication policy and verify manually |
 | Hooks and deploy keys | none | retain empty |
 | Collaborators | owner only | retain |
 | Actions secrets and variables | none | retain empty |
@@ -88,6 +90,27 @@ The fallback security contact in `SECURITY.md` is an intentional published
 maintainer contact and is retained. Commit metadata still uses only the noreply
 identity after the planned rewrite.
 
+The final pre-public API pass also confirmed:
+
+- `main` is the only branch and is not yet protected while private;
+- no tags or releases exist;
+- no Issues or pull requests exist;
+- no Actions runs, artifacts, caches, environments, deployments, hooks, deploy
+  keys, Actions secrets, or Actions variables exist;
+- Pages returns no configured site;
+- rulesets are blocked until public or an upgraded plan;
+- vulnerability alerts are disabled/unavailable while private; and
+- the sibling public repository has active `Protect main history` and
+  `Protect version tags` rulesets, secret scanning, push protection, and
+  private vulnerability reporting enabled.
+
+Sibling ruleset details to recreate after publication:
+
+- `Protect main history`: target branch, include `refs/heads/main`,
+  enforcement active, block deletion and non-fast-forward updates.
+- `Protect version tags`: target tag, include `refs/tags/v*`, enforcement
+  active, block update, deletion, and non-fast-forward updates.
+
 ## Required Cleanup Before Visibility Changes
 
 1. Create a recoverable backup of all refs outside the working repository.
@@ -115,8 +138,9 @@ remain deferred until visibility and release timing make them safe.
 
 ## Decision
 
-The current tree, rewritten Git history, private-safe GitHub settings, and
-exact private release candidate are public-ready according to the maintained
-gates. The repository is not ready to become public until final cold-user
-validation, manual UI-only checks, public-only security/ruleset setup, and the
-final publication decision are complete.
+The current tree, rewritten Git history, private-safe GitHub settings, exact
+private release candidate, agent-mediated pre-public rehearsal, and final API
+readiness pass are public-ready according to the maintained gates. The
+repository is not ready to become public until manual UI-only checks,
+public-only security/ruleset setup, and the final publication decision are
+complete.

docs/releases/M6_RELEASE_CANDIDATE_VALIDATION.md

@@ -91,6 +91,16 @@ Linux-native Node:
 The Windows fresh GitHub clone remains the authoritative clean-clone evidence
 for this refreshed record.
 
+Later release-tracking docs record additional pre-public readiness evidence
+after this exact candidate content:
+
+- `M6_PRE_PUBLIC_REHEARSAL.md`
+- `PUBLIC_RELEASE_CHECKLIST.md`
+- `M6_GITHUB_EXPOSURE_AUDIT.md`
+
+If maintainers choose one of those later documentation commits as the final tag
+target, refresh exact-candidate validation for that later content.
+
 ## Live-Fire And Visual Evidence
 
 M5 live-fire and visual evidence still applies to this candidate. Additional

docs/releases/PUBLIC_RELEASE_CHECKLIST.md

@@ -39,6 +39,8 @@ requires otherwise:
 
 Audited: 2026-06-06
 
+Final pre-public API pass: 2026-06-06
+
 | Setting | Current visualize repo | Sibling-grade v1 target |
 | --- | --- | --- |
 | Visibility | private | public only after all gates pass |
@@ -80,6 +82,21 @@ history rewrite and tag recreation is complete.
 Keep `"private": true` in `package.json`. It prevents accidental publication to
 the npm registry and is independent of GitHub repository visibility.
 
+Current inspectable GitHub status:
+
+- `main` is the only branch.
+- No tags or releases exist.
+- No issues or pull requests exist.
+- No Actions runs, artifacts, caches, environments, deployments, hooks, deploy
+  keys, Actions secrets, or Actions variables exist.
+- Pages is not configured.
+- Rulesets are unavailable while the repository remains private on the current
+  plan.
+- Vulnerability alerts/private vulnerability reporting and security-analysis
+  features are unavailable or disabled while private.
+- The sibling public repo has private vulnerability reporting enabled, secret
+  scanning enabled, push protection enabled, and the two active rulesets above.
+
 ## Publication Order
 
 1. Sanitize the tracked current tree.
@@ -94,6 +111,64 @@ the npm registry and is independent of GitHub repository visibility.
    releases, and the sibling-grade rulesets.
 10. Publish the final immutable `v1.0.0` release.
 
+## Final Human Action Checklist
+
+### Before changing visibility
+
+- Confirm the repository is still private.
+- Confirm default branch is `main`.
+- Confirm only `main` exists as a branch.
+- Confirm no tags or releases exist unless intentionally created for the final
+  release flow.
+- Confirm no issues, pull requests, Actions runs/artifacts/caches, deployments,
+  environments, Pages site, wiki, discussions, projects, hooks, deploy keys,
+  Actions secrets, or Actions variables have appeared since this record.
+- Manually glance at GitHub UI-only surfaces not fully represented by the API:
+  social preview, package views, repository header/about panel, and Security
+  tab availability.
+- Decide whether the agent-mediated cold-user rehearsal is sufficient for v1 or
+  whether to run an additional external human-through-agent validation pass.
+- If the final tag target includes commits after the latest exact-candidate
+  validation record, refresh exact-candidate validation for that target before
+  tagging.
+
+### Immediately after changing visibility to public
+
+- Re-check repository header/about metadata and topics.
+- Enable supported security features:
+  - secret scanning;
+  - push protection;
+  - private vulnerability reporting;
+  - Dependabot/security alerts if available and desired.
+- Create ruleset `Protect main history`:
+  - target: branch;
+  - include: `refs/heads/main`;
+  - enforcement: active;
+  - rules: block deletion and non-fast-forward updates.
+- Create ruleset `Protect version tags`:
+  - target: tag;
+  - include: `refs/tags/v*`;
+  - enforcement: active;
+  - rules: block update, deletion, and non-fast-forward updates.
+
+### Before or while creating `v1.0.0`
+
+- Confirm `package.json` intentionally remains `"private": true`.
+- Confirm the release tag target is the exact validated candidate.
+- Create `v1.0.0` only after the final exact-candidate decision.
+- Publish release notes from `CHANGELOG.md` and the frozen validation evidence.
+- Do not upload release assets unless there is an intentional, documented asset.
+
+### After release publication
+
+- Confirm the public repo page renders README, license, security policy, and
+  code of conduct correctly.
+- Confirm rulesets are active and protect `main` and `v*` tags.
+- Confirm public clone/install instructions work from the release tag or
+  release archive.
+- Freeze the final v1 validation record and only then run the post-v1
+  documentation compaction pass.
+
 ## M6 GitHub Exposure Audit
 
 Before changing visibility, inspect everything that may become visible or
@@ -139,6 +214,8 @@ Current deterministic candidate status:
 - Latest validated candidate content has fresh working-tree and clean-clone
   deterministic validation evidence.
 - Agent-mediated cold-user and pre-public rehearsal evidence is recorded.
+- Final pre-public API/readiness pass was performed while private; no new
+  hosted-surface blocker was found.
 - Final manual GitHub UI-only checks, public-only security/ruleset setup, and
   final tag/release/publication decisions remain. Maintainers may still choose
   to perform an additional external human-through-agent validation pass.