[v1 readiness][maximus] Docs, SECURITY, and npm wrapper parity freeze

[JeremyDev87]

[v1 readiness][maximus] Docs, SECURITY, and npm wrapper parity freeze

Goal

Freeze public docs so README, CONTRIBUTING, SECURITY, runtime docs, and release docs describe the same v1 behavior and support boundaries.

Source of Truth

• Parent epic: [v1 readiness] Maximus release gate epic (no version bump) #114
• Repo: JeremyDev87/maximus
• Parent implementation plan artifact: /Users/pjw/.hermes/thread-workcells/discord/282499436049858561/1508085811139051580/TASKS/v1-ddplan-issues/IMPLEMENTATION_PLAN.md
• Version bump, tag, publish, CI dispatch, branch, commit, and PR creation are out of scope for this issue.

Wiki Context Manifest

• Queries attempted: frontend evidence gates release evidence contract, code is not cheap AI maintenance cost ratio, alex core invariants SSoT No Silent Fallback idempotency, 12-factor agents runtime contract event log release workflow, overeager coding agents task scope destructive action, prompt assets skill issue planning evidence
• Wiki sources read: [wiki: frontend/evidence-gates.md], [wiki: principles/code-is-not-cheap.md], [wiki: principles/alex-core-invariants.md], [wiki: harness-engineering/12-factor-agents-runtime-contract.md], [wiki: harness-engineering/overeager-coding-agents-scope-contract.md], [wiki: harness-engineering/prompt-assets.md], [wiki: raw/2026-05-24-ai-maintenance-cost-ratio-source-map.md]
• Relevant wiki facts: v1 readiness requires artifact/runtime/evidence bundles, not only test-green; release and wrapper flows must preserve SSoT, atomicity, idempotency, and No Silent Fallback; destructive or fix-like commands need task-scope/evidence gates; AI-generated velocity must lower future maintenance cost rather than add broad v1 scope.
• remember-wiki applicability / skip reason: skipped; target repos are JeremyDev87/* personal CLI repos, not Remember/dramancompany repos.
• Non-wiki inference: repo-specific split below is based on live local repo docs/config/workflows and npm registry checks performed before issue creation.

Quality Lens Router Output

• Applicable gate families:
  • evidence-contract: v1 readiness, package install, CLI output, release/publish, and fallback claims need concrete proof.
  • simplicity-deletability: v1 work must prefer contract/evidence gaps over broad new features or nonessential abstractions.
  • tdd-systematic-debugging: false-positive, fallback, exit-code, and packaging regressions should be fixture/test-backed.
• Skipped gates:
  • frontend-design: not-applicable; CLI/runtime/docs work only.
  • vercel-agent-skills: not-applicable; no React/Next/Vercel/mobile surface.
  • deploy-token-safety: limited; no token/deploy mutation in this issue, only release credential evidence requirements.

Evidence Contract

• Required evidence:
  • Candidate SHA/version alignment evidence when a candidate is selected.
  • Repo test evidence plus source CLI smoke.
  • npm pack / packed-install evidence for the user-consumed artifact.
  • Release workflow/check/dist-tag/GitHub Release evidence where release automation is touched.
  • Explicit fallback/unsupported-platform evidence where wrapper/native-runtime selection is touched.
• Evidence not applicable:
  • Browser screenshot/DOM: not-applicable, CLI repos.
  • Production URL: not-applicable, npm/GitHub release surface only.
• Blocking evidence gaps:
  • Final v1 version bump/tag is intentionally out of scope for this issue set.

Owned files / likely touched areas

• README.md
• README.en.md
• CONTRIBUTING.md
• SECURITY.md
• docs/roadmap.md
• docs/runtime-transition.md
• docs/npm-wrapper-runtime.md
• docs/release-operator-runbook.md

Inspect-only files

• package.json
• bin/maximus.js
• .github/workflows/**
• crates/** command output

Must not touch

• change runtime behavior without corresponding code/test issue
• claim unsupported platforms as first-class v1 support

Implementation steps

1. Synchronize command examples and validation commands.
2. Document private vulnerability route and supported versions accurately.
3. Align docs with native package matrix and JS fallback boundary.
4. Ensure release docs distinguish prerelease/stable/latest/next/v1 moving tag policy.

Parallelization note

Docs-heavy; should sequence after code/workflow contracts settle.

Dependencies / blocked by

Best final docs pass after M1-M4.

Validation / evidence required

• git diff --check
• npm run release:docs:check
• npm test when docs checks are included

Completion criteria

• Required validation evidence is pasted into the PR body or final issue comment.
• No v1 version bump/tag/publish is performed.
• If any required evidence is unavailable, the issue remains open with the gap classified as Medium/High rather than being marked complete.