docs: refresh release blockers evidence

docs/ECC-2.0-GA-ROADMAP.md

@@ -340,6 +340,24 @@ As of 2026-05-18:
   real Marketplace-managed Pro webhook creates target account provenance and
   `billing:kv-readback -- --wrangler --wrangler-bin ./node_modules/.bin/wrangler --account <github-login> --require-ready`
   plus the official internal announcement gate pass.
+- ECC-Tools commit `13cd3fc` normalizes billing-state key casing so
+  Marketplace webhook writes and announcement readbacks agree on GitHub login
+  case; current-head CI `26037611421` passed. The code-side readback hardening
+  remains green, but it does not create live Marketplace Pro state.
+- ECC-Tools commit `69ca535` surfaces hosted team-learning feedback controls:
+  harness compatibility and team-backlog routing now show retention days,
+  deletion route/SLA, and opt-out route before adaptive recommendations are
+  routed into team-owned queues. Linear ITO-52 is Done with CI `26054455434`.
+- ECC-Tools commit `e56fc1a` updates the lockfile for
+  `brace-expansion@5.0.6` and fixed Dependabot alert 44 for CVE-2026-45149;
+  GitHub API reported `state: fixed` at `2026-05-18T19:10:15Z` and current-head
+  CI `26054671308` passed.
+- The latest ITO-61 readback retry remains operationally blocked: Wrangler
+  Cloudflare API auth returned `Authentication error [code: 10000]`,
+  1Password CLI authorization timed out, `billing:announcement-gate -- --preflight`
+  is missing the target Marketplace account plus `INTERNAL_API_SECRET`, and
+  native-payments copy remains blocked until the target readback and live
+  announcement gate pass.
 - Handoff `ecc-supply-chain-audit-20260513-0645.md` under
   `~/.cluster-swarm/handoffs/`
   records the May 13 supply-chain sweep: no active lockfile/manifest hit for

docs/releases/2.0.0-rc.1/publication-evidence-2026-05-18.md

@@ -79,8 +79,10 @@ Tracked repositories in the platform audit and work-items sync were:
 
 | Surface | Evidence |
 | --- | --- |
-| ITO-57 issue comments | `0b9931b9-1556-4ebc-a70c-f3635557625d` records May 18 queue counts, #1970/#1971/#1972/#1976 merge evidence, supply-chain verification, current-head CI URL, deferred gates, and next slices; reply `6fa15367-d994-4e53-ade3-9462477e1100` records the expanded TanStack/Mini Shai-Hulud recheck, defensive-deny scanner fix, current-head CI `26017368895`, and post-push platform audit; comment `3fe5b2b7-c4fe-401c-a317-b40d72119cb3` records the final emergency refresh against `97567a91`, AgentShield `4e36aab`, clean ECC/Ito/Documents workspace IOC scans, absent dead-man/persistence artifacts, and package-manager/Claude deny-wall posture |
-| ECC platform project comment | `e32e5b7a-287b-4bf4-9ed7-314389a157e1` records the same current public queue, security, #1976, and remaining-gate state at the project level |
+| ITO-57 issue comments | `0b9931b9-1556-4ebc-a70c-f3635557625d` records May 18 queue counts, #1970/#1971/#1972/#1976 merge evidence, supply-chain verification, current-head CI URL, deferred gates, and next slices; reply `6fa15367-d994-4e53-ade3-9462477e1100` records the expanded TanStack/Mini Shai-Hulud recheck, defensive-deny scanner fix, current-head CI `26017368895`, and post-push platform audit; comment `3fe5b2b7-c4fe-401c-a317-b40d72119cb3` records the final emergency refresh against `97567a91`, AgentShield `4e36aab`, clean ECC/Ito/Documents workspace IOC scans, absent dead-man/persistence artifacts, and package-manager/Claude deny-wall posture; comment `43837404-c01c-4aaa-b5e2-1e784c136d69` records ECC-Tools `brace-expansion` alert 44 fixed in `e56fc1a` with CI `26054671308` and Dependabot API `state: fixed` |
+| ITO-52 issue status | `f2e5a208-de91-4a3a-960b-5362d12aa5a4` records ECC-Tools `69ca535` team-learning feedback controls, local verification, and CI `26054455434`; Linear ITO-52 is Done |
+| ITO-61 issue status | `8c366592-1c9a-48ad-b9a9-2908a0463fa5` records the latest native-payments readback blocker: Wrangler Cloudflare auth `10000`, 1Password CLI authorization timeout, missing Marketplace target account, and missing `INTERNAL_API_SECRET` |
+| ECC platform project comment | `e32e5b7a-287b-4bf4-9ed7-314389a157e1` records the earlier current public queue, security, #1976, and remaining-gate state at the project level; follow-up ITO-44 comments `a01eeef3-c69b-48c0-8804-a4682acfc1ef` and `6b0885cc-c4e9-40db-899b-f7b88b4aa046` record ITO-52 completion and the fixed ECC-Tools Dependabot alert |
 | Project status update caveat | Linear returned "Project status updates are not enabled for this workspace"; project comment was used as the supported status surface |
 
 ## Current Publication Blockers
@@ -105,8 +107,12 @@ Tracked repositories in the platform audit and work-items sync were:
   currently fails with Cloudflare authentication error `10000`. ECC-Tools
   commit `632e059` adds the follow-up target-account readback mode, redacts
   the account login and raw KV key names, and requires both target key families
-  before `--require-ready` can pass. Linear ITO-61 now tracks the exact
-  target-account acceptance criteria.
+  before `--require-ready` can pass. ECC-Tools commit `13cd3fc` normalizes
+  billing-state key casing. The latest ITO-61 retry still fails before readback
+  because Wrangler Cloudflare auth returns `10000`, 1Password CLI authorization
+  timed out, and the announcement preflight is missing the target account and
+  `INTERNAL_API_SECRET`; Linear ITO-61 tracks the exact target-account
+  acceptance criteria.
 - Release notes, X, LinkedIn, GitHub release, and longform copy still need final
   live URLs after release/package/plugin URLs exist.
 - The local checkout is clean after the dashboard/evidence refresh, but a