CR-035: Align backlog and status after repository hygiene

README.md

@@ -33,7 +33,7 @@ TriageCore is an early research workbench for AI-assisted software work that kee
 - bounded Qwen Cloud escalation for external-safe packets only
 
 **Planned / future-facing**
-- public release polish such as release tagging and GitHub metadata
+- public release polish such as release metadata upkeep and GitHub metadata
 - deeper environmental-edge packaging around Clear Lake Watch style workflows
 
 **Research framing**
@@ -115,7 +115,7 @@ Current in-repo proof markers:
 
 Proof markers that still depend on GitHub/release state rather than repository files:
 
-- first release tag
+- release metadata upkeep
 - GitHub About description
 - GitHub topics
 

docs/change/change_log.md

@@ -5,6 +5,7 @@ This file provides a chronological, human-readable record of applied codebase an
 *Note: For operational task and run history, consult `.triagecore/ledger.jsonl`.*
 
 ## [Unreleased]
+- Implemented CR-035 (Backlog and Status Alignment Pass): Update current backlog and README status markers after CR-034, keeping runtime integrity enforcement and identity signing expansion out of scope.
 - Implemented CR-034 (Repository Consistency and Secrets Hygiene): Align Python metadata with supported syntax, consolidate package metadata in `pyproject.toml`, expand CI's Python matrix, require environment-only Qwen API keys, reject secret-bearing persistent keys, sanitize backend HTTP errors, and add `SECURITY.md`.
 - Implemented CR-033 (Model Manifest Check CLI): Add `tc model check --manifest <path>` to validate documented route-manifest fields without probing live backends or enforcing routing yet.
 - Implemented CR-032 (Model Route Manifest Schema): Define the canonical route-manifest artifact shape, required provenance fields, and example manifests before any runtime model-integrity enforcement work.

docs/change/requests/CR-035-backlog-status-alignment-pass.md

@@ -0,0 +1,46 @@
+# CR-035: Backlog and Status Alignment Pass
+
+## Status
+
+Implemented
+
+## Scope
+
+Update documentation so the public project status matches the merged state
+after CR-034.
+
+This change:
+
+- updates `docs/current_backlog.md` to reflect the post-CR-034 state
+- adds CR-034 to the completed safety spine
+- distinguishes active identity lifecycle work, model/runtime integrity work,
+  and completed repository hygiene work
+- checks README proof markers for stale release/status language
+- records the change in the changelog
+
+## Non-Scope
+
+- Do not implement runtime integrity enforcement.
+- Do not expand signing beyond `route_audit`.
+- Do not change packaging or security behavior.
+- Do not add new runtime code.
+
+## Acceptance Criteria
+
+- [x] `docs/current_backlog.md` reflects the post-CR-034 state.
+- [x] Completed safety spine includes CR-034.
+- [x] Current recommendation distinguishes three lanes:
+  - identity lifecycle work remains under Issue #4
+  - model/runtime integrity builds on CR-031 through CR-033
+  - repository hygiene baseline from CR-034 is complete
+- [x] README has no stale claim that the first release tag is still pending.
+- [x] No runtime code changes.
+- [x] Full test suite still passes.
+
+## Validation
+
+```powershell
+python -m pytest -q
+git diff --check
+git status --short
+```

docs/current_backlog.md

@@ -2,7 +2,7 @@
 
 ## Status
 
-This document summarizes the active TriageCore backlog after CR-021 through CR-024.
+This document summarizes the active TriageCore backlog after CR-034.
 
 ## Active GitHub Backlog
 
@@ -41,23 +41,22 @@ This document summarizes the active TriageCore backlog after CR-021 through CR-0
 - CR-031: Runtime Integrity and Model Provenance Policy
 - CR-032: Model Route Manifest Schema
 - CR-033: Model Manifest Check CLI
+- CR-034: Repository Consistency and Secrets Hygiene
 
 ## Current Recommendation
 
-Keep Issue #4 open and pause signing expansion beyond `route_audit`.
-Private-key permission and consistency checks plus metadata-only signed smoke
-evidence plus identity revocation are now implemented, and rotation/recovery
-policy is now documented. Runtime rotation behavior still needs a separate
-implementation slice before adding signed event types.
-
-Treat CR-031 as the policy baseline for any future `tc model check`, route
-manifest, or backend provenance work. Runtime integrity enforcement should stay
-separate from convenience-adapter support.
-
-Treat CR-032 as the artifact contract for future runtime validation. `CR-033`
-should validate manifests against this schema instead of inventing provenance
-rules ad hoc in code.
-
-Future runtime-integrity work should build on CR-033 by adding richer
-manifests, route discovery, or backend-aware checks without collapsing policy,
-artifact shape, and live enforcement into one step.
+Keep three work lanes distinct:
+
+- Identity lifecycle work remains under Issue #4. Pause signing expansion beyond
+  `route_audit`; runtime rotation behavior still needs a separate
+  implementation slice before adding signed event types.
+- Model and runtime integrity work should build on CR-031 through CR-033. Keep
+  policy baseline, route-manifest artifact shape, manifest validation, and live
+  enforcement as separate reviewable slices.
+- Repository consistency and secrets hygiene from CR-034 is complete. Future
+  hygiene work should be limited to stale documented claims or a separately
+  proposed repo-consistency checker.
+
+The next feature-sized slice can be a runtime model-manifest enforcement
+preview, but it should not collapse policy, artifact shape, manifest validation,
+and backend probing into one change.