release: live-scoring v3 + anc 0.4.0 + post-#91 promotion

.dockerignore

@@ -8,6 +8,7 @@
 # Files COPYed by docker/score/Dockerfile (anything Dockerfile needs to see).
 !registry.yaml
 !docker/score/Dockerfile
-!docker/score/anc
+!docker/score/inject
+!docker/score/inject/anc
 !docker/score/install-tools.sh
 !docker/score/score-anc100.sh

.github/ISSUE_TEMPLATE/00-blank.yml

@@ -0,0 +1,35 @@
+name: "Blank issue"
+description: "Open an issue that doesn't fit any of the structured templates below."
+body:
+  - type: textarea
+    id: body
+    attributes:
+      label: Issue
+      description: "Describe what's going on. Include the affected URL (e.g., anc.dev/scorecards), what you observed vs expected, and any browser / device context where relevant."
+    validations:
+      required: true
+  - type: textarea
+    id: ai-disclosure
+    attributes:
+      label: AI disclosure
+      description: "One sentence: what part of this issue was AI-written, what was human-written?"
+      placeholder: "Entirely human-written."
+    validations:
+      required: true
+  - type: textarea
+    id: agent-instructions
+    attributes:
+      label: For agents
+      description: "Agents: expand this section before filing."
+      value: |
+        <details>
+        <summary>Agent filing instructions</summary>
+
+        1. **Pick a structured template first.** Site bugs have a dedicated form — use it when it fits.
+        2. **Search first.** Run `gh search issues --repo brettdavies/agentnative-site "<keywords>"` to check for duplicates.
+        3. **AI disclosure is required.** Fill the field above honestly.
+        4. **Wrong repo?** Spec questions, principle edits, and grading findings live on [brettdavies/agentnative](https://github.com/brettdavies/agentnative). `anc` checker bugs and tool-registry submissions live on [brettdavies/agentnative-cli](https://github.com/brettdavies/agentnative-cli). Skill bundle issues live on [brettdavies/agentnative-skill](https://github.com/brettdavies/agentnative-skill).
+        5. See [CONTRIBUTING.md](https://github.com/brettdavies/agentnative-site/blob/main/CONTRIBUTING.md) for full guidelines.
+        </details>
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -1,8 +1,11 @@
 blank_issues_enabled: false
 contact_links:
-  - name: "Spec questions, principle edits, or CLI grading"
+  - name: "Spec questions, principle edits, or grading findings"
     url: "https://github.com/brettdavies/agentnative/issues/new/choose"
-    about: "For anything about the standard itself — propose changes, grade a CLI, ask questions — file on the spec repo."
-  - name: "Checker bugs (false positives/negatives)"
+    about: "For anything about the standard itself — propose changes, submit a grading finding, ask questions — file on the spec repo."
+  - name: "Checker bugs, features, or tool-registry submissions"
     url: "https://github.com/brettdavies/agentnative-cli/issues/new/choose"
-    about: "For bugs in the `anc` checker itself, file on the tool repo."
+    about: "For bugs in the `anc` checker, feature requests, or proposing a tool for the leaderboard, file on the linter repo."
+  - name: "Skill bundle issues (bundle content, install paths, host runtimes)"
+    url: "https://github.com/brettdavies/agentnative-skill/issues/new/choose"
+    about: "For bugs or proposals about the agent-facing skill bundle, file on the skill repo."

.github/pull_request_template.md

@@ -6,7 +6,7 @@
 
 <!-- CRITICAL: This section is the source of truth for CHANGELOG.md.
      generate-changelog.sh extracts these categorized bullets verbatim
-     into the release changelog. Write carefully — this IS the changelog.
+     into the release changelog. Write carefully. This IS the changelog.
 
      AUDIENCE: Users and operators. Write from their perspective.
 
@@ -20,7 +20,7 @@
 
      RULES:
 - 1-5 bullets per PR. Fewer is better. One-line fixes get one bullet.
-- Delete empty ### sections entirely — don't leave blank categories.
+- Delete empty ### sections entirely; don't leave blank categories.
 - Each bullet starts with a verb: Add, Fix, Change, Remove, Deprecate.
 - Don't duplicate the PR title — expand on it or provide context.
 - If the PR has NO user-facing changes (pure refactor, test-only, CI), leave this section empty or omit it. The PR still

.github/workflows/deep-check.yml

@@ -34,8 +34,17 @@
 # Not a PR gate — PR merge is governed by ci.yml. Failures here show up
 # in the Actions tab and (for dispatch-with-ref runs) as a commit status.
 #
-# Secrets: none required. The LHCI step uses the default GITHUB_TOKEN so
-# it can post a commit status (requires statuses:write, granted below).
+# Secrets:
+#   CLOUDFLARE_API_TOKEN / CLOUDFLARE_ACCOUNT_ID — passed to `wrangler dev`
+#     (used by both Playwright's webServer and lighthouse-ci). wrangler 4.x
+#     authenticates to the Cloudflare managed registry to read the
+#     container image manifest even under `--local`, so without these the
+#     dev server fails with "Not logged in". The same secrets that
+#     `deploy.yml` already passes — no new provisioning. Introduced after
+#     the container image moved off Docker Hub to the CF managed
+#     registry in PR #84 (U3-followup); the LHCI step uses the default
+#     GITHUB_TOKEN to post a commit status (requires statuses:write,
+#     granted below).
 
 name: deep-check
 
@@ -171,6 +180,14 @@ jobs:
         run: bun run build
 
       - name: End-to-end tests (all projects)
+        # CLOUDFLARE_API_TOKEN + CLOUDFLARE_ACCOUNT_ID let `wrangler dev`
+        # (spun up by playwright.config.ts's webServer) read the
+        # container image manifest from the CF managed registry. Without
+        # them, wrangler 4.x errors with "Not logged in" before Playwright
+        # can connect.
+        env:
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}
         run: bun run test:e2e
 
       - name: Upload Playwright artifacts on failure
@@ -218,3 +235,8 @@ jobs:
         env:
           LHCI_GITHUB_APP_TOKEN: ${{ secrets.LHCI_GITHUB_APP_TOKEN }}
           LHCI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # `wrangler dev` (started by lighthouserc as the local server)
+          # needs CF auth to read the container image manifest from the
+          # CF managed registry, same as the e2e job above.
+          CLOUDFLARE_API_TOKEN: ${{ secrets.CF_API_TOKEN }}
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CF_ACCOUNT_ID }}

.github/workflows/deploy.yml

@@ -98,6 +98,12 @@ jobs:
           accountId: ${{ secrets.CF_ACCOUNT_ID }}
           command: deploy --env staging
 
+      - name: Smoke /api/score (registry-fast-path)
+        env:
+          CF_ACCESS_CLIENT_ID: ${{ secrets.ANC_STAGING_ACCESS_CLIENT_ID }}
+          CF_ACCESS_CLIENT_SECRET: ${{ secrets.ANC_STAGING_ACCESS_CLIENT_SECRET }}
+        run: scripts/smoke-api-score.sh https://agentnative-site-staging.brettdavies.workers.dev
+
   production:
     name: build + deploy production
     if: >-

.gitignore

@@ -1,6 +1,12 @@
 .DS_Store
 node_modules/
 .env
+# wrangler's local-secrets file (per-env variants also covered). Holds
+# secrets like TURNSTILE_SECRET for `wrangler dev --local`. Never commit
+# even when the value is a public Cloudflare test secret — keeping the
+# habit tight beats explaining the exception.
+.dev.vars
+.dev.vars.*
 .context/
 # docs/solutions/ is a symlink to ~/dev/solutions-docs (see AGENT.md).
 # Ignore that specific subpath; docs/design/ and any other future docs/
@@ -23,9 +29,8 @@ playwright-report/
 .gstack/
 .aider*
 
-# Docker batch-scorer staging area — the anc binary is built per-run from
-# the local CLI checkout (not committed); per-run logs land in out/.
-/docker/score/anc
+# Docker batch-scorer staging area — per-run logs land in out/. The
+# inject binary (docker/score/inject/anc) is gitignored separately above.
 /docker/score/out/
 
 # Vale baseline packs — downloaded by `vale sync` from the URLs in .vale.ini's
@@ -34,3 +39,7 @@ playwright-report/
 /styles/proselint/
 /styles/write-good/
 /styles/.vale-config/
+
+# Injected anc binary (docker/score/build.sh --from-source). Populated at
+# build time, never committed.
+docker/score/inject/anc

BRAND.md

@@ -16,7 +16,7 @@ and artifacts in its own `PRODUCT.md`.
   here is the failure mode if you don't, here is the canonical fix." The point of view is what makes the standard worth
   citing.
 - **Precise.** RFC 2119 language. Anchors stable and citable. Numbers measured, not asserted. Where a contract has a
-  canonical realization (a flag spelling, an exit code, a path), it is named explicitly.
+  canonical realization (a flag spelling, an exit code, a path), the standard names it explicitly.
 - **Inviting.** The reader (or agent handler) keeps reading by design. That comes from details: typography that rewards
   a slow read, prose that rewards a fast scan, code blocks that read like reference material a reader can trust.
   Inviting is not "friendly" and it is not "marketing." It rewards engagement.

CONTRIBUTING.md

@@ -0,0 +1,121 @@
+# Contributing to `agentnative-site`
+
+This is the source for [anc.dev](https://anc.dev): the rendered spec, the live leaderboard, the live-scoring loop, the
+per-tool scorecard pages, the badge surface, and the skill-distribution endpoint. Principle-level discussion belongs in
+the [spec repo](https://github.com/brettdavies/agentnative); scoring-engine work belongs in the
+[CLI repo](https://github.com/brettdavies/agentnative-cli). For visitor-facing cross-repo navigation, see
+[`anc.dev/contribute`](https://anc.dev/contribute).
+
+## Contribution tiers
+
+The site accepts three shapes of contribution. All three are welcome; none required. Site work skews toward Tier 3
+because the site is the public surface. Most improvements are concrete code or copy changes.
+
+| Tier            | Shape                                                                                                                                             | Intake                                                                                         | Effort   |
+| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | -------- |
+| **1. Signal**   | Site bug, rendering issue, broken link, copy critique, mobile-layout regression, performance regression                                           | [`site-bug`](https://github.com/brettdavies/agentnative-site/issues/new?template=site-bug.yml) | ~5 min   |
+| **2. Proposal** | A new page or section, a scorecard renderer rework, a Worker route addition, a build-pipeline change, a live-scoring surface change               | Issue with the design before opening a PR                                                      | ~1-2 hrs |
+| **3. Code**     | Site copy or design polish, scorecard renderer improvements, Worker route or header work, build-pipeline work, accessibility fixes, OG image work | PR against `dev`; `release/<YYYY-MM-DD>-<slug>` cut from `main` for deploys                    | Variable |
+
+**Scorecard submissions** (adding a tool to the leaderboard at [`/scorecards`](https://anc.dev/scorecards)) go through
+the cli repo's
+[`add-tool-to-registry`](https://github.com/brettdavies/agentnative-cli/issues/new?template=add-tool-to-registry.yml)
+template, not a PR here. The site renders what the registry contains; the registry lives in the cli repo. The spec
+repo's `grading-finding` template is a separate path for spec-feedback derived from scoring, not for registry
+submissions.
+
+**Response expectations:** Tier 1 and Tier 2 are welcome and get a substantive reply when time allows. Tier 3 PRs are
+reviewed when scope and time permit. A solo maintainer cannot promise merge windows; real PRs land.
+
+## Branch model
+
+```text
+feat/* → PR to dev (squash merge)
+       → cherry-pick to release/<YYYY-MM-DD>-<slug>
+       → PR release/* to main (squash merge)
+       → deploy.yml fires on push-to-main → Cloudflare Workers production
+```
+
+`dev` is the integration branch. `main` is what `anc.dev` serves. There are no tags or semver versions; the site deploys
+continuously via Cloudflare's `deploy.yml` on push-to-main. Engineering docs (`docs/plans/`, `docs/solutions/`,
+`docs/brainstorms/`, `docs/reviews/`) live on `dev` only and are blocked from `main` by `guard-main-docs.yml`.
+
+## Dev setup
+
+```bash
+git clone https://github.com/brettdavies/agentnative-site && cd agentnative-site
+bun install
+bun run build              # produces dist/
+bun run dev                # local dev server with hot reload
+bun x playwright test      # end-to-end suite
+```
+
+Worker dev against the staging bindings:
+
+```bash
+wrangler dev --env staging
+```
+
+The site uses Cloudflare Workers, Durable Objects (Sandbox for live scoring), R2 (score cache), and KV (kill switch +
+rate limits). The full binding inventory is in [`wrangler.jsonc`](./wrangler.jsonc).
+
+## Pre-push hook
+
+The repo ships a pre-push hook that mirrors CI plus the prose-check stages CI doesn't run. Activate once after clone:
+
+```bash
+git config core.hooksPath scripts/hooks
+```
+
+Seven stages:
+
+1. **lint** (`biome check` + `markdownlint-cli2`)
+2. **build** (`bun src/build/build.mjs`)
+3. **tests** (`bun test`, unit + regression)
+4. **wrangler dry-run** (`wrangler deploy --dry-run`, config + bundle validation)
+5. **pack-README drift** (`bun scripts/generate-pack-readme.mjs site --check`)
+6. **banned-fonts** (`bash scripts/check-banned-fonts.sh`, deployment-layer scan against `styles/site/BannedFonts.yml`)
+7. **prose-check** (`bash scripts/prose-check.sh`, Vale plus LanguageTool when reachable; skips cleanly otherwise)
+
+PRs that pass the hook locally also pass CI for stages 1-4; stages 5-7 are pre-push-only. Fix locally before pushing.
+
+## Pull requests
+
+- **Title format:** [Conventional Commits](https://www.conventionalcommits.org/) (`type(scope): description`). The PR
+  title becomes the squash-merge commit subject.
+- **Body:** follow [`.github/pull_request_template.md`](.github/pull_request_template.md). The `## Changelog` section
+  captures user-visible changes for the eventual release-PR `CHANGELOG.md` entry.
+- **Tests:** new pages ship a regression test that asserts the rendered HTML contains expected anchors and the markdown
+  twin renders. Worker routes ship unit tests under `tests/`; e2e tests live under `tests/e2e/`.
+- **Voice:** site copy passes the prose-check stack: Vale custom rule packs (brand + spec channel) plus the `/unslop`
+  floor. Run `scripts/prose-check.sh --changed-only` during authoring.
+
+## Releases
+
+Cuts are CalVer date-prefixed, slugged per change: `release/2026-05-21-show-hn-cut`, `release/2026-04-30-routing-fix`,
+etc. Cherry-pick from `dev` to the release branch, open the PR against `main`, merge via squash. `deploy.yml` fires on
+push-to-main and reaches `anc.dev` within ~2 minutes. The full procedure lives in [`RELEASES.md`](./RELEASES.md).
+
+## AI disclosure
+
+Inherits from the spec's AI disclosure policy. See
+[agentnative/CONTRIBUTING.md § AI disclosure policy](https://github.com/brettdavies/agentnative/blob/main/CONTRIBUTING.md#ai-disclosure-policy).
+
+## Security
+
+Do not file security issues in the public tracker. Use the
+[GitHub private security advisories channel](https://github.com/brettdavies/agentnative-site/security/advisories/new).
+The Sandbox container, the Worker, and the R2 cache are the primary surfaces of concern.
+
+## License
+
+See [`LICENSE`](./LICENSE).
+
+## Cross-repo navigation
+
+The full visitor-facing menu lives at [`anc.dev/contribute`](https://anc.dev/contribute). Per-repo intakes:
+
+- [Spec](https://github.com/brettdavies/agentnative): principle text, pressure-tests, versioning policy
+- [Linter](https://github.com/brettdavies/agentnative-cli): `anc`, the scoring engine, the registry
+- This repo: the site, the leaderboard renderer, the live-scoring loop
+- [Skill bundle](https://github.com/brettdavies/agentnative-skill): agent-facing bundle, install paths