docs: final cleanup and accuracy pass before public push

- Fix const inference bug: wrap inferred contracts with status-code guards
- Add integration test for status-guarded contract inference
- Tighten and deduplicate docs across verify, qualify, getting-started, cli
- Fix broken cross-references and TypeScript→JavaScript conversions
- Fix factual errors: license, Date.now(), sampling defaults, cache env
- Add missing features: --workspace, --generation-profile, json-summary formats
- Move stale extension docs (AUTH-RATE-LIMIT-REVISED, HTTP-EXTENSIONS) to attic
- Update PLUGIN_CONTRACTS_SPEC status to Implemented
- Build: clean | Tests: 849 pass, 0 fail

docs/protocol-extensions-spec.md

@@ -1,6 +1,6 @@
 # APOPHIS Protocol Extensions Specification
 
-## Status: Active design; shipped baseline: v2.x; remaining targets listed per feature
+## Status: Active design; shipped baseline: v2.0.0; remaining targets listed per feature
 
 ## 1. Overview
 
@@ -10,7 +10,7 @@ Arbiter maintains 58 protocol conformance test files covering 138 behaviors acro
 
 ### 1.1 Current Shipped vs Not-Shipped Snapshot
 
-**Shipped in v2.x:**
+**Shipped in v2.0.0:**
 
 - `contract({ variants })` for multi-header/media negotiation execution.
 - `fastify.apophis.scenario(...)` for multi-step capture/rebind flows.
@@ -166,12 +166,15 @@ jwtExtension({
 The JWT extension maintains state across a test run:
 
 ```javascript
-interface JwtExtensionState {
-  /** Track seen JTIs for replay detection */
-  seenJtis: Set<string>
-  /** Cached decoded JWTs */
-  decodedCache: Map<string, DecodedJwt>
-}
+/**
+ * JWT extension state across a test run.
+ * @property {Set<string>} seenJtis - Track seen JTIs for replay detection
+ * @property {Map<string, DecodedJwt>} decodedCache - Cached decoded JWTs
+ */
+const jwtExtensionState = {
+  seenJtis: new Set(),
+  decodedCache: new Map()
+};
 ```
 
 ### 3.5 Example Contracts
@@ -234,16 +237,19 @@ await fastify.apophis.time.set('2026-04-25T12:00:00Z');
 ### 4.4 Implementation
 
 ```javascript
-interface TimeControl {
-  /** Advance simulated time by milliseconds */
-  advance(ms: number): void
-  /** Set simulated time to specific timestamp */
-  set(isoString: string): void
-  /** Get current simulated time */
-  now(): number
-  /** Reset to real time */
-  reset(): void
-}
+/**
+ * Time control for deterministic testing.
+ * @property {function(number): void} advance - Advance simulated time by milliseconds
+ * @property {function(string): void} set - Set simulated time to specific ISO timestamp
+ * @property {function(): number} now - Get current simulated time
+ * @property {function(): void} reset - Reset to real time
+ */
+const timeControl = {
+  advance(ms) { /* ... */ },
+  set(isoString) { /* ... */ },
+  now() { return Date.now(); },
+  reset() { /* ... */ }
+};
 ```
 
 The `now()` predicate returns simulated time when time mocking is enabled, or the host wall clock outside deterministic test mode. Deterministic runs must inject or freeze time.
@@ -288,11 +294,17 @@ previous(observer).jwt_claims(this).jti               # last observer's JWT ID
 Extension state tracks tokens across requests:
 
 ```javascript
-interface StatefulExtensionState {
-  seenTokens: Set<string>
-  consumedTokens: Set<string>
-  categoryHistory: Map<string, EvalContext>  // category -> last context
-}
+/**
+ * Stateful extension state tracking tokens across requests.
+ * @property {Set<string>} seenTokens - Tokens observed in previous requests
+ * @property {Set<string>} consumedTokens - Tokens that have been consumed
+ * @property {Map<string, EvalContext>} categoryHistory - category -> last context
+ */
+const statefulExtensionState = {
+  seenTokens: new Set(),
+  consumedTokens: new Set(),
+  categoryHistory: new Map()
+};
 ```
 
 ### 5.4 Example Contracts
@@ -522,14 +534,14 @@ We acknowledge these are too complex or inappropriate for Apophis:
 
 ## 14. Implementation Plan
 
-### Phase 1: JWT + Time Control (P0)
-**Target**: v1.3.0
+### Phase 1: JWT + Time Control (P0) — Shipped in v2.0.0
+**Status**: Complete
 **Files**:
 - `src/extensions/jwt.ts` — JWT extension implementation
 - `src/extensions/time.ts` — Time control extension
 - `src/extensions/stateful.ts` — Stateful predicates extension
-- `src/test/jwt-extension.test.ts` — JWT tests
-- `src/test/time-extension.test.ts` — Time control tests
+- `src/test/protocol-extensions.test.ts` — Protocol extension tests
+- `src/test/cli/protocol-conformance-p2.test.ts` — Protocol conformance tests
 
 **Tests**:
 - Decode Base64URL claims without verification
@@ -539,27 +551,25 @@ We acknowledge these are too complex or inappropriate for Apophis:
 - `now()` predicate with mocked time
 - `apophis.time.advance()` in stateful tests
 
-### Phase 2: X.509 + SPIFFE (P1)
-**Target**: v1.3.1
+### Phase 2: X.509 + SPIFFE (P1) — Shipped in v2.0.0
+**Status**: Complete
 **Files**:
 - `src/extensions/x509.ts` — X.509 extension
 - `src/extensions/spiffe.ts` — SPIFFE extension
-- `src/test/x509-extension.test.ts` — X.509 tests
-- `src/test/spiffe-extension.test.ts` — SPIFFE tests
+- `src/test/protocol-extensions.test.ts` — Protocol extension tests
 
-### Phase 3: Token Hash + HTTP Signature (P2)
-**Target**: v1.3.2
+### Phase 3: Token Hash + HTTP Signature (P2) — Shipped in v2.0.0
+**Status**: Complete
 **Files**:
 - `src/extensions/token-hash.ts` — Token hash extension
 - `src/extensions/http-signature.ts` — HTTP signature extension
-- `src/test/token-hash-extension.test.ts` — Token hash tests
-- `src/test/http-signature-extension.test.ts` — HTTP signature tests
+- `src/test/protocol-extensions.test.ts` — Protocol extension tests
 
-### Phase 4: Request Context (P2)
-**Target**: v1.3.3
+### Phase 4: Request Context (P2) — Shipped in v2.0.0
+**Status**: Complete
 **Files**:
 - `src/extensions/request-context.ts` — Request context predicates
-- `src/test/request-context-extension.test.ts` — Request context tests
+- `src/test/protocol-extensions.test.ts` — Protocol extension tests
 
 ---