docs: fix stale repo URLs + refresh README for post-beta state

CHANGELOG.md

@@ -193,9 +193,9 @@ and this project adheres to [Semantic Versioning 2.0](https://semver.org/spec/v2
 ## [0.1.0-beta] — 2026-05-25
 
 First public beta. Docker image published at
-`ghcr.io/musiker15/mskanban:v0.1.0-beta`, signed via cosign keyless
+`ghcr.io/msk-scripts/mskanban:v0.1.0-beta`, signed via cosign keyless
 (GitHub OIDC), with CycloneDX + SPDX SBOMs attached to the
-[GitHub Release](https://github.com/musiker15/mskanban/releases/tag/v0.1.0-beta).
+[GitHub Release](https://github.com/MSK-Scripts/mskanban/releases/tag/v0.1.0-beta).
 All ten roadmap phases (0 – 10) complete; 56 routes; 94/94 tests
 green; `pnpm audit --prod` clean.
 
@@ -1351,6 +1351,6 @@ Verified locally
 
 - Project bootstrap. Repository initialised, documentation skeleton in place.
 
-[Unreleased]: https://github.com/musiker15/mskanban/compare/v0.1.0-beta...HEAD
-[0.1.0-beta]: https://github.com/musiker15/mskanban/compare/v0.0.0...v0.1.0-beta
-[0.0.0]: https://github.com/musiker15/mskanban/releases/tag/v0.0.0
+[Unreleased]: https://github.com/MSK-Scripts/mskanban/compare/v0.1.0-beta...HEAD
+[0.1.0-beta]: https://github.com/MSK-Scripts/mskanban/compare/v0.0.0...v0.1.0-beta
+[0.0.0]: https://github.com/MSK-Scripts/mskanban/releases/tag/v0.0.0

CLAUDE.md

@@ -966,7 +966,7 @@ volumes:
 
 ```bash
 # Einmalig:
-git clone https://github.com/musiker15/mskanban.git
+git clone https://github.com/MSK-Scripts/mskanban.git
 cd mskanban
 cp .env.development.example .env.local      # Werte sind passend zur Dev-Compose-Datei
 pnpm install

CODE_OF_CONDUCT.md

@@ -16,9 +16,9 @@ This Code of Conduct applies within all community spaces of the MSKanban project
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the project maintainers responsible for enforcement at:
 
-**conduct@musiker15.de**
+**conduct@msk-scripts.de**
 
-This inbox is separate from `security@musiker15.de` and is monitored only by the maintainers. All complaints will be reviewed and investigated promptly and fairly. All community leaders are obligated to respect the privacy and security of the reporter of any incident.
+This inbox is separate from `security@msk-scripts.de` and is monitored only by the maintainers. All complaints will be reviewed and investigated promptly and fairly. All community leaders are obligated to respect the privacy and security of the reporter of any incident.
 
 ## Enforcement Guidelines
 

CONTRIBUTING.md

@@ -15,13 +15,13 @@ reset…) deliberately don't exist.
 ## 🧭 Where to start
 
 - **First contribution?** Look for issues tagged
-  [`good first issue`](https://github.com/musiker15/mskanban/issues?q=label%3A%22good+first+issue%22).
-- **Bug?** Open a [bug report](https://github.com/musiker15/mskanban/issues/new?template=bug.yml).
+  [`good first issue`](https://github.com/MSK-Scripts/mskanban/issues?q=label%3A%22good+first+issue%22).
+- **Bug?** Open a [bug report](https://github.com/MSK-Scripts/mskanban/issues/new?template=bug.yml).
   Include reproduction steps, expected vs. actual, version (image tag
   or git SHA), and whether you can reproduce against
   `docker/docker-compose.dev.yml`.
 - **Feature idea?** Open a
-  [feature request](https://github.com/musiker15/mskanban/issues/new?template=feature.yml)
+  [feature request](https://github.com/MSK-Scripts/mskanban/issues/new?template=feature.yml)
   and tag it `discussion` if you want feedback before writing code.
 - **Security issue?** **Do not open a public issue.** See
   [`SECURITY.md`](SECURITY.md) for private reporting.
@@ -36,7 +36,7 @@ reset…) deliberately don't exist.
 #   - pnpm 9       (corepack enable && corepack prepare pnpm@latest --activate)
 #   - Docker + Compose v2
 
-git clone https://github.com/musiker15/mskanban.git
+git clone https://github.com/MSK-Scripts/mskanban.git
 cd mskanban
 pnpm install
 
@@ -178,7 +178,7 @@ private branch and disclose coordinated. Details in
 UI strings live in `src/messages/<locale>.json`. The two seed locales
 are `en` and `de`; adding a new locale is welcome.
 
-Open a [translation issue](https://github.com/musiker15/mskanban/issues/new?template=translation.yml)
+Open a [translation issue](https://github.com/MSK-Scripts/mskanban/issues/new?template=translation.yml)
 first so we can coordinate. Or just submit a PR with the new
 `src/messages/<locale>.json` and we'll merge it.
 

README.md

@@ -4,10 +4,10 @@
 
 **Zero-knowledge, self-hostable, real-time Kanban — open source under AGPL-3.0.**
 
-[![CI](https://github.com/musiker15/mskanban/actions/workflows/ci.yml/badge.svg)](https://github.com/musiker15/mskanban/actions/workflows/ci.yml)
-[![CodeQL](https://github.com/musiker15/mskanban/actions/workflows/codeql.yml/badge.svg)](https://github.com/musiker15/mskanban/actions/workflows/codeql.yml)
+[![CI](https://github.com/MSK-Scripts/mskanban/actions/workflows/ci.yml/badge.svg)](https://github.com/MSK-Scripts/mskanban/actions/workflows/ci.yml)
+[![CodeQL](https://github.com/MSK-Scripts/mskanban/actions/workflows/codeql.yml/badge.svg)](https://github.com/MSK-Scripts/mskanban/actions/workflows/codeql.yml)
 [![License: AGPL-3.0-or-later](https://img.shields.io/badge/License-AGPL%203.0-blue.svg)](LICENSE)
-[![Container](https://img.shields.io/badge/container-ghcr.io%2Fmusiker15%2Fmskanban-blue)](https://github.com/musiker15/mskanban/pkgs/container/mskanban)
+[![Container](https://img.shields.io/badge/container-ghcr.io%2Fmsk--scripts%2Fmskanban-blue)](https://github.com/MSK-Scripts/mskanban/pkgs/container/mskanban)
 
 </div>
 
@@ -41,8 +41,13 @@ opaque ciphertext and the metadata it strictly needs to route requests
 
 The differentiator is **zero-knowledge**: a Trello-style UX with the
 "server can't read your data" guarantee of Bitwarden / Standard Notes.
-Read the [crypto whitepaper](docs/crypto/) and the
-[threat model](docs/threat-model.md) for the details.
+Read the [zero-knowledge ADR](docs/architecture/0003-zero-knowledge-e2ee.md)
+and the [threat model](docs/threat-model.md) for the details.
+
+**Full user-facing documentation** lives at
+[**docu.msk-scripts.de/ecosystem/mskanban**](https://docu.msk-scripts.de/ecosystem/mskanban)
+— overview, installation, feature tour, REST API reference, privacy
+deep-dive, FAQ.
 
 ---
 
@@ -71,7 +76,7 @@ docker run -d --name mskanban \
   -e WEBAUTHN_RP_ID='kanban.example.com' \
   -e WEBAUTHN_RP_NAME='MSKanban' \
   -e WEBAUTHN_RP_ORIGIN='https://kanban.example.com' \
-  ghcr.io/musiker15/mskanban:latest
+  ghcr.io/msk-scripts/mskanban:latest
 ```
 
 You bring your own MariaDB (10.11+) and Redis (7+); the
@@ -81,9 +86,9 @@ together behind Apache.
 **Verify** the image before you run it (you should, every time):
 
 ```bash
-cosign verify ghcr.io/musiker15/mskanban:latest \
+cosign verify ghcr.io/msk-scripts/mskanban:latest \
   --certificate-identity-regexp \
-    'https://github.com/musiker15/mskanban/\.github/workflows/release\.yml@refs/tags/.*' \
+    'https://github.com/MSK-Scripts/mskanban/\.github/workflows/release\.yml@refs/tags/.*' \
   --certificate-oidc-issuer https://token.actions.githubusercontent.com
 ```
 
@@ -142,21 +147,30 @@ ADRs 0003, 0004, 0007, 0009) and [`docs/threat-model.md`](docs/threat-model.md).
 ## 🧰 Feature highlights
 
 - **Boards, columns, cards** with drag-and-drop (keyboard-equivalent
-  per WCAG 2.1.1), labels, assignees, checklists, custom fields,
-  card templates.
-- **Four views per board**: Kanban / Calendar / Table / Analytics
-  (cycle time, lead time, CFD, aging WIP, throughput) — all computed
-  client-side on decrypted data.
+  per WCAG 2.1.1), labels, assignees, **start + due dates**, checklists,
+  custom fields, card templates.
+- **Milestones** group cards into deliverables with an optional date
+  window — drives the burn-down chart and timeline grouping.
+- **Five views per board**: Kanban / Calendar / **Timeline (Gantt)** /
+  Table / Analytics. Analytics ships cycle time, lead time, CFD, aging
+  WIP, throughput, **burn-down per milestone** — all computed client-
+  side on decrypted data.
 - **Real-time collaboration** via Yjs CRDTs. Card descriptions sync
-  between users; the relay server only sees ciphertext bytes.
+  between users; **board-level presence** (Yjs awareness) shows who else
+  is online with an avatar stack + per-card "is viewing" dots. The
+  relay server only sees ciphertext bytes — even presence payloads.
+- **Automation engine** ([ADR 0010](docs/architecture/0010-automation-engine.md))
+  — declarative `{when, do}` rules per board, fully E2EE. Server sees
+  only the plaintext trigger envelope (`trigger_type` + `trigger_meta`)
+  whitelisted on every write; rule bodies live in `enc_rule`.
 - **Offline-first PWA** with IndexedDB snapshot cache and a live
   online/offline indicator.
 - **Activity feed + notifications** (server-visible metadata only).
 - **Webhooks** with HMAC-SHA256 signing, SSRF guard, persistent
   delivery queue with exponential backoff + DLQ surfaced in the UI.
 - **Import** from MSKanban JSON, Trello JSON, generic CSV. **Export**
   to JSON and Markdown.
-- **2FA**: TOTP today, WebAuthn / Passkeys planned.
+- **2FA**: TOTP **and** WebAuthn / Passkeys (both shipped).
 - **GDPR**: account-level export + crypto-shred deletion baked in.
 
 ---
@@ -187,6 +201,11 @@ ADR 0006 for the reasoning.
 
 ## 📍 Status
 
+`v0.1.0-beta` — released 2026-05-24, signed via cosign keyless OIDC.
+All ten original roadmap phases shipped; post-beta features (milestones,
+timeline, presence, automation) ship under `[Unreleased]` in
+[`CHANGELOG.md`](CHANGELOG.md) and become `v0.2.0` when batched.
+
 | Phase | What | Status |
 |---|---|---|
 | 0–3 | Setup + foundation + auth + core Kanban (plaintext MVP) | ✅ |
@@ -196,7 +215,8 @@ ADR 0006 for the reasoning.
 | 7 | Analytics | ✅ |
 | 8 | Integrations & I/O (export, import, webhooks) | ✅ |
 | 9 | Hardening (CSP nonces, webhook DLQ, SBOM, Cosign) | ✅ |
-| **10** | **Public Beta** (this release) | 🟡 |
+| 10 | Public Beta (`v0.1.0-beta`) | ✅ |
+| **post-beta** | Milestones, Burn-Down, Timeline, Presence, Automation v1 | ✅ shipped, not yet tagged |
 
 Tracker, roadmap and the running design log live in
 [`CLAUDE.md`](CLAUDE.md) (German — the rest of the docs and code are

SECURITY.md

@@ -12,7 +12,7 @@ Please **do not** open a public GitHub issue for security problems.
 Report privately, in this order of preference:
 
 1. **GitHub Private Vulnerability Reporting** —
-   [github.com/musiker15/mskanban → Security → Report a vulnerability](https://github.com/musiker15/mskanban/security/advisories/new).
+   [github.com/MSK-Scripts/mskanban → Security → Report a vulnerability](https://github.com/MSK-Scripts/mskanban/security/advisories/new).
 2. **E-mail** — `security@msk-scripts.de`.
    Please encrypt sensitive details with our PGP key (fingerprint in
    `.well-known/security.txt`; the same key is published at
@@ -70,9 +70,9 @@ We sign every pushed image with `cosign sign --yes` under GitHub's OIDC
 issuer — there is no long-lived signing key to compromise. To verify:
 
 ```bash
-cosign verify ghcr.io/musiker15/mskanban:<tag> \
+cosign verify ghcr.io/msk-scripts/mskanban:<tag> \
   --certificate-identity-regexp \
-    'https://github.com/musiker15/mskanban/\.github/workflows/release\.yml@refs/tags/.*' \
+    'https://github.com/MSK-Scripts/mskanban/\.github/workflows/release\.yml@refs/tags/.*' \
   --certificate-oidc-issuer https://token.actions.githubusercontent.com
 ```
 
@@ -85,8 +85,8 @@ Generated automatically via `actions/attest-build-provenance`. View on
 the release page's Sigstore tab, or:
 
 ```bash
-gh attestation verify oci://ghcr.io/musiker15/mskanban:<tag> \
-  --owner musiker15
+gh attestation verify oci://ghcr.io/msk-scripts/mskanban:<tag> \
+  --owner MSK-Scripts
 ```
 
 ### 3. Software Bill of Materials (CycloneDX + SPDX)
@@ -131,7 +131,7 @@ two maintainers look at it.
 ## 📜 Past Advisories
 
 See the
-[Security tab](https://github.com/musiker15/mskanban/security/advisories)
+[Security tab](https://github.com/MSK-Scripts/mskanban/security/advisories)
 for the chronological list of patched issues.
 
 — Maintainer: Moritz Kohm (`@musiker15`).

docs/deployment/mskanban.service

@@ -14,15 +14,15 @@
 
 [Unit]
 Description=MSKanban (Next.js production server)
-Documentation=https://github.com/musiker15/mskanban
+Documentation=https://github.com/msk-scripts/mskanban
 After=network-online.target mariadb.service redis-server.service
 Wants=network-online.target
 Requires=mariadb.service
 
 [Service]
 Type=simple
-User=musiker15
-Group=musiker15
+User=mskanban
+Group=mskanban
 WorkingDirectory=/opt/mskanban
 
 # `next start` (not standalone) – matches msk-shop convention

docs/public-launch.md

@@ -21,12 +21,12 @@ announcement. Anything unchecked is a release blocker.
 ## 📦 Release pipeline
 
 - [ ] Tagging `vX.Y.Z` triggers the `release.yml` workflow
-- [ ] Container pushed to `ghcr.io/musiker15/mskanban` with semver +
+- [ ] Container pushed to `ghcr.io/msk-scripts/mskanban` with semver +
       `latest` tags
-- [ ] `cosign verify ghcr.io/musiker15/mskanban:vX.Y.Z` passes
+- [ ] `cosign verify ghcr.io/msk-scripts/mskanban:vX.Y.Z` passes
       (keyless OIDC, this repo's release.yml as the trusted identity)
 - [ ] SLSA build-provenance attestation attached
-      (`gh attestation verify oci://… --owner musiker15`)
+      (`gh attestation verify oci://… --owner MSK-Scripts`)
 - [ ] `sbom.cdx.json` + `sbom.spdx.json` uploaded as release assets
 - [ ] `grype sbom:./sbom.cdx.json` shows no high/critical CVE