From 5d021dbaea088112d87034f5a7c7143ae4be1ad3 Mon Sep 17 00:00:00 2001
From: Pulkit Pareek <pulkitpareek18@gmail.com>
Date: Fri, 15 May 2026 16:59:01 +0530
Subject: [PATCH] =?UTF-8?q?chore:=20rename=20pulkitpareek18/ZeroAuth=20?=
 =?UTF-8?q?=E2=86=92=20zeroauth-dev/ZeroAuth=20in=20docs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Repo transferred from personal GitHub account to the new
zeroauth-dev organization. This commit refreshes hard-coded
references in markdown, HTML, YAML, and config so links don't
rely on the GitHub auto-redirect indefinitely.

No code or behavior changes — only string replacements.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/ISSUE_TEMPLATE/bug_report.yml      |  2 +-
 .github/ISSUE_TEMPLATE/config.yml          |  4 +--
 .github/ISSUE_TEMPLATE/feature_request.yml |  2 +-
 CONTRIBUTING.md                            |  6 ++--
 README.md                                  |  8 ++---
 adr/0004-governance-in-separate-repo.md    | 14 ++++-----
 adr/0005-adopt-nodemailer-for-smtp.md      | 10 +++----
 adr/0006-verifier-typescript-not-rust.md   | 14 ++++-----
 docs/design/verifier-service-split.md      | 18 ++++++------
 docs/threat_model.md                       |  2 +-
 public/index.html                          | 18 ++++++------
 qa-log/2026-05-13.md                       |  8 ++---
 qa-log/2026-05-14.md                       |  4 +--
 qa-log/2026-05-15.md                       |  4 +--
 qa-log/W01-engineering-annex.md            | 34 +++++++++++-----------
 qa-log/security-review-pr22.md             |  2 +-
 src/services/email-templates.ts            |  4 +--
 verifier/README.md                         |  4 +--
 website/docusaurus.config.ts               |  4 +--
 19 files changed, 81 insertions(+), 81 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index fdf7ddd..0112a32 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -6,7 +6,7 @@ body:
     attributes:
       value: |
         Thanks for taking the time to file a bug report. **Security
-        vulnerabilities should not be reported here** — see [SECURITY.md](https://github.com/pulkitpareek18/ZeroAuth/blob/main/SECURITY.md).
+        vulnerabilities should not be reported here** — see [SECURITY.md](https://github.com/zeroauth-dev/ZeroAuth/blob/main/SECURITY.md).
 
   - type: textarea
     id: description
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
index c968ced..598102a 100644
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -1,11 +1,11 @@
 blank_issues_enabled: false
 contact_links:
   - name: Security vulnerability
-    url: https://github.com/pulkitpareek18/ZeroAuth/blob/main/SECURITY.md
+    url: https://github.com/zeroauth-dev/ZeroAuth/blob/main/SECURITY.md
     about: Please report security issues privately, not as a public issue.
   - name: Documentation
     url: https://zeroauth.dev/docs/
     about: Browse the full hosted documentation site.
   - name: Discussions
-    url: https://github.com/pulkitpareek18/ZeroAuth/discussions
+    url: https://github.com/zeroauth-dev/ZeroAuth/discussions
     about: Ask questions or propose changes before opening an issue.
diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml
index 8b597e5..f2eb7b3 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -6,7 +6,7 @@ body:
     attributes:
       value: |
         For broader proposals, consider opening a
-        [discussion](https://github.com/pulkitpareek18/ZeroAuth/discussions)
+        [discussion](https://github.com/zeroauth-dev/ZeroAuth/discussions)
         first so we can align on scope.
 
   - type: textarea
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 52ae99c..ee44140 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -5,11 +5,11 @@ welcome bug reports, fixes, integrations, and ideas.
 
 ## Ways to contribute
 
-- **Found a bug?** Open an [issue](https://github.com/pulkitpareek18/ZeroAuth/issues/new).
+- **Found a bug?** Open an [issue](https://github.com/zeroauth-dev/ZeroAuth/issues/new).
   Include reproduction steps, expected vs. actual behaviour, and your
   environment (`node -v`, OS, Docker version).
 - **Have a feature in mind?** Start a
-  [discussion](https://github.com/pulkitpareek18/ZeroAuth/discussions) before
+  [discussion](https://github.com/zeroauth-dev/ZeroAuth/discussions) before
   opening a PR — we'd rather agree on direction first.
 - **Found a security vulnerability?** **Do not** open a public issue. See
   [SECURITY.md](SECURITY.md).
@@ -17,7 +17,7 @@ welcome bug reports, fixes, integrations, and ideas.
 ## Development setup
 
 ```bash
-git clone https://github.com/pulkitpareek18/ZeroAuth.git
+git clone https://github.com/zeroauth-dev/ZeroAuth.git
 cd ZeroAuth
 npm run setup                       # installs all workspaces, builds everything
 cp .env.example .env                # local env (uses Base Sepolia testnet by default)
diff --git a/README.md b/README.md
index 1c10b1e..533139e 100644
--- a/README.md
+++ b/README.md
@@ -22,9 +22,9 @@
   </p>
 
   <p>
-    <a href="https://github.com/pulkitpareek18/ZeroAuth/blob/main/LICENSE"><img src="https://img.shields.io/github/license/pulkitpareek18/ZeroAuth?color=blue" alt="License" /></a>
-    <a href="https://github.com/pulkitpareek18/ZeroAuth/stargazers"><img src="https://img.shields.io/github/stars/pulkitpareek18/ZeroAuth?style=flat" alt="Stars" /></a>
-    <a href="https://github.com/pulkitpareek18/ZeroAuth/issues"><img src="https://img.shields.io/github/issues/pulkitpareek18/ZeroAuth" alt="Issues" /></a>
+    <a href="https://github.com/zeroauth-dev/ZeroAuth/blob/main/LICENSE"><img src="https://img.shields.io/github/license/zeroauth-dev/ZeroAuth?color=blue" alt="License" /></a>
+    <a href="https://github.com/zeroauth-dev/ZeroAuth/stargazers"><img src="https://img.shields.io/github/stars/zeroauth-dev/ZeroAuth?style=flat" alt="Stars" /></a>
+    <a href="https://github.com/zeroauth-dev/ZeroAuth/issues"><img src="https://img.shields.io/github/issues/zeroauth-dev/ZeroAuth" alt="Issues" /></a>
     <img src="https://img.shields.io/badge/node-%3E%3D20-brightgreen" alt="Node 20+" />
     <img src="https://img.shields.io/badge/typescript-strict-blue" alt="TypeScript strict" />
     <img src="https://img.shields.io/badge/zk-Groth16-purple" alt="Groth16" />
@@ -125,7 +125,7 @@ Full API reference at [zeroauth.dev/docs/reference/api-reference](https://zeroau
 ### Run it yourself (Docker, ~2 minutes)
 
 ```bash
-git clone https://github.com/pulkitpareek18/ZeroAuth.git
+git clone https://github.com/zeroauth-dev/ZeroAuth.git
 cd ZeroAuth
 cp .env.example .env       # generates fresh secrets via scripts/deploy.sh
 ./scripts/deploy.sh dev
diff --git a/adr/0004-governance-in-separate-repo.md b/adr/0004-governance-in-separate-repo.md
index 1d35b63..e751228 100644
--- a/adr/0004-governance-in-separate-repo.md
+++ b/adr/0004-governance-in-separate-repo.md
@@ -1,4 +1,4 @@
-# ADR-0004 — Split governance docs into a separate repo (`pulkitpareek18/ZeroAuth-Governance`)
+# ADR-0004 — Split governance docs into a separate repo (`zeroauth-dev/ZeroAuth-Governance`)
 
 ## Status
 
@@ -23,12 +23,12 @@ The reasons we revisited:
 
 1. **The DPDP §8(7) breach-notification procedure was unwritten.** No document anywhere named which lawyer gets called, in what time window, with what information. That's a legal-teeth gap, not a hygiene gap. It has to land somewhere; writing it in a code repo would mix legal blast radius with engineering blast radius.
 2. **Compliance mappings have multiple-regulator scope.** A DPDP / IRDAI / RBI / MeitY mapping is read by auditors and a buyer's security team. Forcing them to clone a TypeScript repo to find it is friction at exactly the wrong moment in a pilot conversation.
-3. **The canonical threat model needs a stable URL** before repo #2 (verifier, B02, Week 2) exists. If the verifier's component threat model points at `pulkitpareek18/ZeroAuth/docs/threat_model.md`, the link rots the moment we split the verifier; if it points at a governance repo, the URL is stable forever.
+3. **The canonical threat model needs a stable URL** before repo #2 (verifier, B02, Week 2) exists. If the verifier's component threat model points at `zeroauth-dev/ZeroAuth/docs/threat_model.md`, the link rots the moment we split the verifier; if it points at a governance repo, the URL is stable forever.
 4. **Two-reviewer enforcement is easier with a dedicated repo.** Path-globbed CODEOWNERS in a code repo gets bypassed under deadline pressure ("just merge the policy change inline, fix it later"). A standalone repo where every PR is *by definition* a policy change makes the discipline mechanical.
 
 ## Decision
 
-Create `pulkitpareek18/ZeroAuth-Governance` as a separate public GitHub repo with the structure from `governance_CLAUDE.md`:
+Create `zeroauth-dev/ZeroAuth-Governance` as a separate public GitHub repo with the structure from `governance_CLAUDE.md`:
 
 - `docs/shared/{security-policy, coding-standards, naming-conventions, incident-response, breach-notification}.md`
 - `docs/threat-model/{canonical, api, verifier, iot, sdk, dashboard}.md`
@@ -41,7 +41,7 @@ Create `pulkitpareek18/ZeroAuth-Governance` as a separate public GitHub repo wit
 
 The repo is **public**, CC-BY-4.0 licensed — same posture as the main `ZeroAuth` repo. The audit story benefits from open visibility.
 
-This repo (`pulkitpareek18/ZeroAuth`) keeps:
+This repo (`zeroauth-dev/ZeroAuth`) keeps:
 
 - `CLAUDE.md` — the constitution for this repo, links to the canonical shared docs
 - `docs/api_contract.md` — API-specific contract (won't move)
@@ -53,7 +53,7 @@ This repo (`pulkitpareek18/ZeroAuth`) keeps:
 
 - **Positive — DPDP §8(7) procedure now exists.** Written down, with named counsel contacts (TODO entries where contacts aren't confirmed yet). Drillable. Reviewable.
 - **Positive — auditor-friendly surface.** A buyer's security team can clone one repo and read every policy without slogging through TypeScript. The W08 evidence-pack assembler from the operational suite reads from `evidence-pack-sources/CHECKSUMS.md` cleanly.
-- **Positive — stable URLs across the 8-week build.** When B02 (verifier, Week 2), B03 (IoT, Week 3), B04 (SDK, Week 5) split out, they all link to `github.com/pulkitpareek18/ZeroAuth-Governance/blob/main/docs/threat-model/canonical.md` — that URL doesn't move.
+- **Positive — stable URLs across the 8-week build.** When B02 (verifier, Week 2), B03 (IoT, Week 3), B04 (SDK, Week 5) split out, they all link to `github.com/zeroauth-dev/ZeroAuth-Governance/blob/main/docs/threat-model/canonical.md` — that URL doesn't move.
 - **Positive — two-reviewer rule is mechanical.** CODEOWNERS in the governance repo names both Pulkit and Amit on `/docs/shared/` and `/docs/compliance/`. Counsel review is enforced manually (counsel doesn't have GitHub access) by a note in the PR description before merge.
 - **Negative — two repos to clone on a fresh dev machine.** Mitigated: `scripts/setup-dev.sh` (TODO) will clone both side by side.
 - **Negative — cross-repo links rot more easily than same-repo links.** Mitigated by `markdown-link-check` CI on every PR in both repos.
@@ -81,8 +81,8 @@ The governance repo doesn't get folded back into the API repo. The split is mono
 
 - B06 build prompt: `zeroauth_prompt_suite/04_development_suite/02_claude_code_dev/build_prompts/B06_governance_repo_bootstrap.md`
 - Governance constitution: `zeroauth_prompt_suite/04_development_suite/02_claude_code_dev/CLAUDE_md/governance_CLAUDE.md`
-- New repo: <https://github.com/pulkitpareek18/ZeroAuth-Governance>
-- Canonical threat model (new home): <https://github.com/pulkitpareek18/ZeroAuth-Governance/blob/main/docs/threat-model/canonical.md>
+- New repo: <https://github.com/zeroauth-dev/ZeroAuth-Governance>
+- Canonical threat model (new home): <https://github.com/zeroauth-dev/ZeroAuth-Governance/blob/main/docs/threat-model/canonical.md>
 - Brainstorm session on Day 3 (Wed May 13 2026) weighing collapsed vs separate repo: this conversation
 
 ---
diff --git a/adr/0005-adopt-nodemailer-for-smtp.md b/adr/0005-adopt-nodemailer-for-smtp.md
index 002264e..0339940 100644
--- a/adr/0005-adopt-nodemailer-for-smtp.md
+++ b/adr/0005-adopt-nodemailer-for-smtp.md
@@ -6,9 +6,9 @@ Accepted
 
 ## Context
 
-[Issue #27](https://github.com/pulkitpareek18/ZeroAuth/issues/27) (F-2 from PR #22 security review) needs email infrastructure to close the email-enumeration finding properly. Beyond that single fix, several pending workstreams converge on "we need transactional email":
+[Issue #27](https://github.com/zeroauth-dev/ZeroAuth/issues/27) (F-2 from PR #22 security review) needs email infrastructure to close the email-enumeration finding properly. Beyond that single fix, several pending workstreams converge on "we need transactional email":
 
-- **Breach-notification procedure** in `pulkitpareek18/ZeroAuth-Governance: docs/shared/breach-notification.md` step §3 requires emailing every affected tenant within 6 hours of confirmation — currently has no implementation
+- **Breach-notification procedure** in `zeroauth-dev/ZeroAuth-Governance: docs/shared/breach-notification.md` step §3 requires emailing every affected tenant within 6 hours of confirmation — currently has no implementation
 - **Password reset flow** — entirely missing today; we ship console accounts with no recovery path
 - **Welcome email on signup** — minor UX win, plus a server-side signal that the address is real
 - **"Someone tried to sign up with your email" notice** — security signal for legitimate account holders, partial mitigation for F-2 enumeration
@@ -57,7 +57,7 @@ Adopt **`nodemailer` v8.x** (latest stable, MIT-0 licensed) as the SMTP transpor
 
 ## Threat model delta
 
-- New egress to `smtp-relay.brevo.com:587` from the API process. Update `pulkitpareek18/ZeroAuth-Governance: docs/threat-model/canonical.md` to add A-V06 (SMTP credential exfiltration / Brevo account takeover risk) — tracked as a follow-up.
+- New egress to `smtp-relay.brevo.com:587` from the API process. Update `zeroauth-dev/ZeroAuth-Governance: docs/threat-model/canonical.md` to add A-V06 (SMTP credential exfiltration / Brevo account takeover risk) — tracked as a follow-up.
 
 ## Operational notes
 
@@ -71,8 +71,8 @@ Adopt **`nodemailer` v8.x** (latest stable, MIT-0 licensed) as the SMTP transpor
 - nodemailer source: <https://github.com/nodemailer/nodemailer>
 - nodemailer license (MIT-0): <https://github.com/nodemailer/nodemailer/blob/master/LICENSE>
 - Brevo SMTP docs: <https://developers.brevo.com/docs/smtp-integration>
-- DPDP §8(7) breach-notification procedure that depends on this: `pulkitpareek18/ZeroAuth-Governance: docs/shared/breach-notification.md`
-- Issue this unblocks: <https://github.com/pulkitpareek18/ZeroAuth/issues/27>
+- DPDP §8(7) breach-notification procedure that depends on this: `zeroauth-dev/ZeroAuth-Governance: docs/shared/breach-notification.md`
+- Issue this unblocks: <https://github.com/zeroauth-dev/ZeroAuth/issues/27>
 
 ---
 
diff --git a/adr/0006-verifier-typescript-not-rust.md b/adr/0006-verifier-typescript-not-rust.md
index d916fad..2da7631 100644
--- a/adr/0006-verifier-typescript-not-rust.md
+++ b/adr/0006-verifier-typescript-not-rust.md
@@ -20,13 +20,13 @@ The plan-mode doc's §3.3 recommended **Plan A**. Pulkit picked **Plan B** on Th
 
 ## Decision
 
-The Groth16 verifier ships as **`@zeroauth/verifier`, an npm workspace inside `pulkitpareek18/ZeroAuth`**, written in TypeScript on top of `snarkjs`. It runs as a separate Docker container (`zeroauth-verifier`) bound to `127.0.0.1:3001` on the Docker network. The API container reaches it via HTTP — never inline anymore.
+The Groth16 verifier ships as **`@zeroauth/verifier`, an npm workspace inside `zeroauth-dev/ZeroAuth`**, written in TypeScript on top of `snarkjs`. It runs as a separate Docker container (`zeroauth-verifier`) bound to `127.0.0.1:3001` on the Docker network. The API container reaches it via HTTP — never inline anymore.
 
 Shipped in three PRs today:
 
-- [PR #35](https://github.com/pulkitpareek18/ZeroAuth/pull/35) — Dockerfile `verifier-build` + `verifier-production` stages, compose service, `VERIFIER_URL` wired into the API's environment.
-- [PR #36](https://github.com/pulkitpareek18/ZeroAuth/pull/36) — Healthcheck hotfix (`localhost` → `127.0.0.1` because alpine busybox `wget` hits IPv6 first).
-- [PR #37](https://github.com/pulkitpareek18/ZeroAuth/pull/37) — SQLite append-only audit log + hash chain (the design doc §4.3 component).
+- [PR #35](https://github.com/zeroauth-dev/ZeroAuth/pull/35) — Dockerfile `verifier-build` + `verifier-production` stages, compose service, `VERIFIER_URL` wired into the API's environment.
+- [PR #36](https://github.com/zeroauth-dev/ZeroAuth/pull/36) — Healthcheck hotfix (`localhost` → `127.0.0.1` because alpine busybox `wget` hits IPv6 first).
+- [PR #37](https://github.com/zeroauth-dev/ZeroAuth/pull/37) — SQLite append-only audit log + hash chain (the design doc §4.3 component).
 
 The inline-`snarkjs` fallback in `src/services/zkp.ts` **stays in the codebase for two more weeks** as a safety net while the verifier service soaks in production. It activates only when `VERIFIER_URL` is unset (which never happens in prod — the value is hard-set in `docker-compose.yml`'s `environment:` block). Retirement is scheduled for end of Week 4 of the build cycle (~2026-06-08), as a separate PR.
 
@@ -52,7 +52,7 @@ Single-engineer velocity. The Rust path was the brainstorm's recommendation when
 - **No reproducible build provenance** for the verifier image. Docker `buildx --provenance --sbom` would produce signed attestations, but the `better-sqlite3` native build (alpine arm64-musl has no prebuilt → node-gyp compile via apk-added python+make+g++) is non-deterministic. The audit story is therefore "trust the image" not "verify the image's bytes." Acceptable for v0; this is the single biggest delta vs Plan A.
 - **Larger transitive surface.** snarkjs has ~12 transitive deps vs arkworks' ~6. Each is JS, MIT-licensed, audited; but the larger surface is real.
 - **`cryptographer-reviewer` subagent calibration** assumes Rust + arkworks per its current spec. The subagent works against snarkjs too (it's just JS) but the review is less precise — Rust's type system catches a class of memory-safety bugs the reviewer can stop looking for. With snarkjs, the reviewer has to reason about JS-level invariants. Documented in the subagent's known-limitations section (TBD).
-- **No `--unsafe` audit story.** TypeScript has no equivalent of Rust's `unsafe` block, so the "no unsafe without an ADR" rule in B02's quality bar doesn't transfer. The closest analog is "no `any` in exported signatures + no `dangerouslySetInnerHTML` in user-rendering code" which is already in our [`coding-standards.md`](https://github.com/pulkitpareek18/ZeroAuth-Governance/blob/main/docs/shared/coding-standards.md).
+- **No `--unsafe` audit story.** TypeScript has no equivalent of Rust's `unsafe` block, so the "no unsafe without an ADR" rule in B02's quality bar doesn't transfer. The closest analog is "no `any` in exported signatures + no `dangerouslySetInnerHTML` in user-rendering code" which is already in our [`coding-standards.md`](https://github.com/zeroauth-dev/ZeroAuth-Governance/blob/main/docs/shared/coding-standards.md).
 - **Container image size is bigger.** Alpine + node + snarkjs + better-sqlite3 → ~140MB. A static Rust binary would be ~20MB. We're not bandwidth-constrained at single-VPS scale; revisit if/when we go multi-region.
 
 ### Neutral
@@ -85,8 +85,8 @@ If during the soak window any verifier failure mode surfaces that we can't fix f
 
 - Plan-mode design doc: [`docs/design/verifier-service-split.md`](../docs/design/verifier-service-split.md)
 - B02 build prompt (rejected path): `zeroauth_prompt_suite/04_development_suite/02_claude_code_dev/build_prompts/B02_verifier_service_bootstrap.md`
-- Issue tracking: [#35](https://github.com/pulkitpareek18/ZeroAuth/pull/35), [#36](https://github.com/pulkitpareek18/ZeroAuth/pull/36), [#37](https://github.com/pulkitpareek18/ZeroAuth/pull/37)
-- Component threat model (to be promoted from stub in the governance repo): `pulkitpareek18/ZeroAuth-Governance: docs/threat-model/verifier.md`
+- Issue tracking: [#35](https://github.com/zeroauth-dev/ZeroAuth/pull/35), [#36](https://github.com/zeroauth-dev/ZeroAuth/pull/36), [#37](https://github.com/zeroauth-dev/ZeroAuth/pull/37)
+- Component threat model (to be promoted from stub in the governance repo): `zeroauth-dev/ZeroAuth-Governance: docs/threat-model/verifier.md`
 
 ---
 
diff --git a/docs/design/verifier-service-split.md b/docs/design/verifier-service-split.md
index c35cb94..24ee481 100644
--- a/docs/design/verifier-service-split.md
+++ b/docs/design/verifier-service-split.md
@@ -60,7 +60,7 @@ This is the decision Pulkit needs to make before Thursday morning. I lay out bot
 
 ### 3.1 Plan A — full B02 (Rust verifier in its own repo)
 
-**Repo:** new `pulkitpareek18/ZeroAuth-Verifier` (public, MIT, Rust).
+**Repo:** new `zeroauth-dev/ZeroAuth-Verifier` (public, MIT, Rust).
 
 **What gets built:**
 
@@ -99,7 +99,7 @@ This is the decision Pulkit needs to make before Thursday morning. I lay out bot
 
 ### 3.2 Plan B — TypeScript split into a sub-workspace (the pragmatic shortcut)
 
-**Repo:** stays in `pulkitpareek18/ZeroAuth`. New directory `verifier/` becomes a separate npm workspace.
+**Repo:** stays in `zeroauth-dev/ZeroAuth`. New directory `verifier/` becomes a separate npm workspace.
 
 **What gets built:**
 
@@ -132,7 +132,7 @@ I need one of:
 
 - **A.** "Go Plan A (Rust separate repo)." → tomorrow I scaffold the Rust crate.
 - **B.** "Go Plan B (TypeScript workspace)." → tomorrow I peel the Node code into `verifier/`.
-- **C.** "Hold — start B02 next week as the brainstorm says, do something else Thursday." → I roll Thursday into closing PR #22's three Mediums (issue [#26](https://github.com/pulkitpareek18/ZeroAuth/issues/26)) and the W05 review prep.
+- **C.** "Hold — start B02 next week as the brainstorm says, do something else Thursday." → I roll Thursday into closing PR #22's three Mediums (issue [#26](https://github.com/zeroauth-dev/ZeroAuth/issues/26)) and the W05 review prep.
 
 If no decision by EOD Wednesday, default = C (defer).
 
@@ -307,7 +307,7 @@ Reproducibility check (the `.github/workflows/reproducible-build.yml`): build tw
 
 ### 4.7 API repo changes
 
-Inside `pulkitpareek18/ZeroAuth`:
+Inside `zeroauth-dev/ZeroAuth`:
 
 1. **`src/services/zkp.ts` shrinks** to ~40 lines. New surface:
 
@@ -339,7 +339,7 @@ Inside `pulkitpareek18/ZeroAuth`:
 
 **Thursday Day 4 — scaffold + verifier service**
 
-1. Morning: `gh repo create pulkitpareek18/ZeroAuth-Verifier --public`. Clone locally. Add `CLAUDE.md` (copying conventions from API repo).
+1. Morning: `gh repo create zeroauth-dev/ZeroAuth-Verifier --public`. Clone locally. Add `CLAUDE.md` (copying conventions from API repo).
 2. `cargo init --bin verifier-service && cargo new --lib verifier-core` workspace setup.
 3. Implement `verifier-core` with arkworks Groth16. Write unit + property tests **first**.
 4. Implement `verifier-service` HTTP shell with axum. Single `/verify` route, no audit log yet.
@@ -368,12 +368,12 @@ Inside `pulkitpareek18/ZeroAuth`:
 | Append-only | `zeroauth-verifier: tests/audit_append_only.rs` | `UPDATE verifier_events …` → SQL trigger aborts; same for DELETE |
 | Hash chain | `zeroauth-verifier: tests/hash_chain.rs` | After N writes, `verify_chain.rs` reconstructs every `entry_hash` from `prev_hash || canonical(row)`. Mutating any column breaks the chain. |
 | Reproducible build | `.github/workflows/reproducible-build.yml` | Two clean builds produce identical OCI digest |
-| API repo regression | `pulkitpareek18/ZeroAuth: tests/zkp.test.ts` | After the split, every existing test stays green |
-| End-to-end | `pulkitpareek18/ZeroAuth: dashboard/e2e/happy-path.spec.ts` | Signup → first key → verification call → audit log entry — all still works |
+| API repo regression | `zeroauth-dev/ZeroAuth: tests/zkp.test.ts` | After the split, every existing test stays green |
+| End-to-end | `zeroauth-dev/ZeroAuth: dashboard/e2e/happy-path.spec.ts` | Signup → first key → verification call → audit log entry — all still works |
 
 ### 4.10 Threat model deltas
 
-After the split, update `pulkitpareek18/ZeroAuth-Governance: docs/threat-model/`:
+After the split, update `zeroauth-dev/ZeroAuth-Governance: docs/threat-model/`:
 
 - **`canonical.md`** — A-02 (replayed proof verification) — mitigation summary updates: "issued-nonce binding lives in the verifier service, not the API"
 - **`api.md`** — A-02 section pointer changes from "primary mitigation lives in API" to "delegated to verifier"
@@ -429,7 +429,7 @@ Explicitly NOT in this design:
 1. Plan A vs B vs C — pick one.
 2. (If A:) Rust toolchain ready on dev machine? `rustc --version` ≥ 1.85.
 3. (If A:) Confirmation that the existing `circuits/identity_proof.vkey.json` is BN254-compatible — I'll verify the JSON shape Thursday morning, but if you already know, save me the half-hour.
-4. (If A:) Permission to create `pulkitpareek18/ZeroAuth-Verifier` as a public repo.
+4. (If A:) Permission to create `zeroauth-dev/ZeroAuth-Verifier` as a public repo.
 5. Acknowledgement that this work spans Thu + Fri and may bleed into Monday Week 2. The other Day 4/5 items (closing PR #22's Mediums) get re-prioritized.
 
 If no answer by EOD Wednesday: default = **C (defer to Week 2 Day 1, do PR #22 Mediums Thursday/Friday)**.
diff --git a/docs/threat_model.md b/docs/threat_model.md
index 668477c..9c5471b 100644
--- a/docs/threat_model.md
+++ b/docs/threat_model.md
@@ -102,7 +102,7 @@
 |---|---|
 | **Class** | Information disclosure / EoP (STRIDE: I + E) |
 | **Surface** | Anything rendered inside the dashboard SPA at `/dashboard/*` |
-| **Description** | The console JWT is **persisted to `localStorage`** under the key `zeroauth.console_token` by `dashboard/src/lib/api.ts` so the session survives page reloads. If an XSS payload executes in the SPA, the attacker reads the token from `localStorage` and uses it for the remaining lifetime of the token (≤ 24h). This is a deliberate trade-off vs. in-memory storage (better UX, worse blast radius) — captured here so the threat model is honest about the choice. See [`pulkitpareek18/ZeroAuth-Governance: docs/threat-model/dashboard.md` §A-09](https://github.com/pulkitpareek18/ZeroAuth-Governance/blob/main/docs/threat-model/dashboard.md) for the authoritative component-level write-up. |
+| **Description** | The console JWT is **persisted to `localStorage`** under the key `zeroauth.console_token` by `dashboard/src/lib/api.ts` so the session survives page reloads. If an XSS payload executes in the SPA, the attacker reads the token from `localStorage` and uses it for the remaining lifetime of the token (≤ 24h). This is a deliberate trade-off vs. in-memory storage (better UX, worse blast radius) — captured here so the threat model is honest about the choice. See [`zeroauth-dev/ZeroAuth-Governance: docs/threat-model/dashboard.md` §A-09](https://github.com/zeroauth-dev/ZeroAuth-Governance/blob/main/docs/threat-model/dashboard.md) for the authoritative component-level write-up. |
 | **Mitigation** | (a) Strict CSP from Helmet — no `unsafe-eval`, no inline scripts beyond the existing landing-page allowance. (b) React's default escape protects against most reflected XSS. (c) **Never** introduce `dangerouslySetInnerHTML` without an ADR — enforced by reviewer rule. (d) The console JWT is short-lived (24h) and now carries `jti` + `aud='zeroauth-console'` (issue #26 F-5, commit landed Day 3 Week 1) — `jti` is the seam for a future Redis-backed allow-list that makes "logout everywhere" possible. (e) Console JWT is rejected on any `/v1` endpoint because `aud` is verified explicitly. |
 | **Test status** | CSP header presence is asserted in `tests/health.test.ts` (indirectly via helmet output). **Missing:** an integration test that asserts no inline `<script>` blocks land in the dashboard build output, an integration test for `dangerouslySetInnerHTML` absence, and a test that confirms `jti` revocation 401s subsequent requests (pending the Redis allow-list). |
 | **Audit signal** | None today. Open: log an `auth.token_reuse` event when the same `jti` is replayed from a new IP within a short window. |
diff --git a/public/index.html b/public/index.html
index a6320b0..a7c466d 100644
--- a/public/index.html
+++ b/public/index.html
@@ -953,7 +953,7 @@
           <a href="/docs/reference/api-reference">API</a>
           <a href="#whitepaper">White Paper</a>
           <a href="#pilot">Enterprise</a>
-          <a href="https://github.com/pulkitpareek18/ZeroAuth" target="_blank" rel="noopener" aria-label="GitHub">GitHub</a>
+          <a href="https://github.com/zeroauth-dev/ZeroAuth" target="_blank" rel="noopener" aria-label="GitHub">GitHub</a>
         </div>
         <div class="nav-cta">
           <a href="/dashboard/login" class="btn-nav-ghost">Sign in</a>
@@ -1144,7 +1144,7 @@ <h3>Verify in &lt;100&thinsp;ms</h3>
             <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M12 2 4 6v6c0 5 3.5 8.5 8 10 4.5-1.5 8-5 8-10V6z"/></svg>
           </div>
           <h3>Open source</h3>
-          <p>API, dashboard, circuits, and docs are all <a href="https://github.com/pulkitpareek18/ZeroAuth" target="_blank" rel="noopener" style="color:var(--blue);text-decoration:none;">on GitHub</a>. Audit it. Self-host it. Fork it.</p>
+          <p>API, dashboard, circuits, and docs are all <a href="https://github.com/zeroauth-dev/ZeroAuth" target="_blank" rel="noopener" style="color:var(--blue);text-decoration:none;">on GitHub</a>. Audit it. Self-host it. Fork it.</p>
         </div>
       </div>
     </div>
@@ -1504,7 +1504,7 @@ <h4>Developers</h4>
             <li><a href="/dashboard/login">Sign in</a></li>
             <li><a href="/docs/getting-started/quickstart/">Quickstart</a></li>
             <li><a href="/docs/reference/api-reference">API reference</a></li>
-            <li><a href="https://github.com/pulkitpareek18/ZeroAuth" target="_blank" rel="noopener">GitHub</a></li>
+            <li><a href="https://github.com/zeroauth-dev/ZeroAuth" target="_blank" rel="noopener">GitHub</a></li>
           </ul>
         </div>
 
@@ -1514,8 +1514,8 @@ <h4>Resources</h4>
             <li><a href="/docs">Documentation</a></li>
             <li><a href="#whitepaper">White paper</a></li>
             <li><a href="#patents">Patents</a></li>
-            <li><a href="https://github.com/pulkitpareek18/ZeroAuth/blob/main/SECURITY.md" target="_blank" rel="noopener">Security</a></li>
-            <li><a href="https://github.com/pulkitpareek18/ZeroAuth/issues" target="_blank" rel="noopener">Report an issue</a></li>
+            <li><a href="https://github.com/zeroauth-dev/ZeroAuth/blob/main/SECURITY.md" target="_blank" rel="noopener">Security</a></li>
+            <li><a href="https://github.com/zeroauth-dev/ZeroAuth/issues" target="_blank" rel="noopener">Report an issue</a></li>
           </ul>
         </div>
 
@@ -1523,9 +1523,9 @@ <h4>Resources</h4>
           <h4>Company</h4>
           <ul>
             <li><a href="#pilot">Contact sales</a></li>
-            <li><a href="https://github.com/pulkitpareek18/ZeroAuth/blob/main/LICENSE" target="_blank" rel="noopener">License</a></li>
-            <li><a href="https://github.com/pulkitpareek18/ZeroAuth/blob/main/CODE_OF_CONDUCT.md" target="_blank" rel="noopener">Code of conduct</a></li>
-            <li><a href="https://github.com/pulkitpareek18/ZeroAuth/blob/main/CONTRIBUTING.md" target="_blank" rel="noopener">Contributing</a></li>
+            <li><a href="https://github.com/zeroauth-dev/ZeroAuth/blob/main/LICENSE" target="_blank" rel="noopener">License</a></li>
+            <li><a href="https://github.com/zeroauth-dev/ZeroAuth/blob/main/CODE_OF_CONDUCT.md" target="_blank" rel="noopener">Code of conduct</a></li>
+            <li><a href="https://github.com/zeroauth-dev/ZeroAuth/blob/main/CONTRIBUTING.md" target="_blank" rel="noopener">Contributing</a></li>
           </ul>
         </div>
       </div>
@@ -1533,7 +1533,7 @@ <h4>Company</h4>
       <div class="footer-bottom">
         <div class="footer-copy">&copy; 2026 Yushu Excellence Technologies Pvt. Ltd. &middot; ZeroAuth is the open-source auth API for Pramaan&trade;, the granted zero-knowledge biometric protocol (Indian Patent IN202311041001).</div>
         <div class="footer-social">
-          <a href="https://github.com/pulkitpareek18/ZeroAuth" target="_blank" rel="noopener" aria-label="GitHub">
+          <a href="https://github.com/zeroauth-dev/ZeroAuth" target="_blank" rel="noopener" aria-label="GitHub">
             <svg viewBox="0 0 24 24" fill="currentColor" xmlns="http://www.w3.org/2000/svg"><path d="M12 .5C5.65.5.5 5.65.5 12c0 5.08 3.29 9.39 7.86 10.91.58.11.79-.25.79-.56v-2c-3.2.7-3.87-1.37-3.87-1.37-.52-1.33-1.28-1.69-1.28-1.69-1.05-.72.08-.7.08-.7 1.16.08 1.77 1.19 1.77 1.19 1.03 1.76 2.7 1.25 3.36.95.1-.75.4-1.25.73-1.54-2.55-.29-5.24-1.28-5.24-5.69 0-1.26.45-2.29 1.18-3.1-.12-.29-.51-1.46.11-3.04 0 0 .97-.31 3.18 1.18.92-.26 1.91-.39 2.89-.39s1.97.13 2.89.39c2.21-1.49 3.18-1.18 3.18-1.18.62 1.58.23 2.75.11 3.04.74.81 1.18 1.84 1.18 3.1 0 4.42-2.69 5.39-5.25 5.68.41.36.78 1.06.78 2.14v3.17c0 .31.21.68.8.56 4.57-1.52 7.85-5.83 7.85-10.91C23.5 5.65 18.35.5 12 .5z"/></svg>
           </a>
           <a href="/docs" aria-label="Documentation">
diff --git a/qa-log/2026-05-13.md b/qa-log/2026-05-13.md
index b0b826e..085d8f9 100644
--- a/qa-log/2026-05-13.md
+++ b/qa-log/2026-05-13.md
@@ -4,8 +4,8 @@
 **Time:** 11:30 IST (the canonical slot is 09:55 Tue/Thu; this is the seed entry for Wed because the cadence had not been wired yet)
 **Build:**
 
-- API (`pulkitpareek18/ZeroAuth`): `2df9faa` on `dev` (production is `0d1741d` on `main`)
-- Governance (`pulkitpareek18/ZeroAuth-Governance`): `bad10e7` on `main`
+- API (`zeroauth-dev/ZeroAuth`): `2df9faa` on `dev` (production is `0d1741d` on `main`)
+- Governance (`zeroauth-dev/ZeroAuth-Governance`): `bad10e7` on `main`
 - IoT firmware: **not built** (B03 — Week 3)
 - Mobile SDK: **not built** (B04 — Week 5)
 - Liveness detection: **not built** (B13 — Week 3 / Week 5)
@@ -85,14 +85,14 @@ The HOLD is unambiguous and expected: it stays HOLD until the IoT firmware and m
 
 ## Escalations
 
-None today — every Blocked demo is blocked on planned work (B03/B04/B10/B13/B14), not on a regression. The blocking work items are tracked in `pulkitpareek18/ZeroAuth-Governance: adr-index/ALL.md` open list (ADR-0008 onwards) and in the dev brainstorm's 8-week build order.
+None today — every Blocked demo is blocked on planned work (B03/B04/B10/B13/B14), not on a regression. The blocking work items are tracked in `zeroauth-dev/ZeroAuth-Governance: adr-index/ALL.md` open list (ADR-0008 onwards) and in the dev brainstorm's 8-week build order.
 
 ## Operator notes (out-of-band observations, not part of the formal rollup)
 
 - The fact that `/api/health` returned 200 is a real signal. The VPS-level smoke proves the live deployment is healthy on Day 3.
 - This is the first entry in the QA log. The format is provisional — adjust after the next 2–3 entries once the cadence has shaken out. Friday's W05 review should explicitly call out whether the surrogate-smoke section is useful or noise.
 - DW01 specifies 09:55 IST as the canonical slot. Today's entry is at 11:30 IST because the cadence wasn't wired yet. Starting Thursday (2026-05-14), aim for 09:55.
-- The brainstorm puts `/qa-log/` inside `zeroauth-iot/`. That repo doesn't exist yet, so the log lives in `pulkitpareek18/ZeroAuth: qa-log/` for now. When B03 ships and `zeroauth-iot` materializes, decide whether to migrate the directory or keep it in the API repo and link from IoT.
+- The brainstorm puts `/qa-log/` inside `zeroauth-iot/`. That repo doesn't exist yet, so the log lives in `zeroauth-dev/ZeroAuth: qa-log/` for now. When B03 ships and `zeroauth-iot` materializes, decide whether to migrate the directory or keep it in the API repo and link from IoT.
 
 ---
 
diff --git a/qa-log/2026-05-14.md b/qa-log/2026-05-14.md
index f54d4b1..7350f00 100644
--- a/qa-log/2026-05-14.md
+++ b/qa-log/2026-05-14.md
@@ -4,8 +4,8 @@
 **Time:** 09:55 IST (DW01 canonical slot — second run, first scheduled-on-cadence entry)
 **Build:**
 
-- API (`pulkitpareek18/ZeroAuth`): `ad2a04a` on `main` (== `dev` after yesterday's PR #28 squash-merge + sync)
-- Governance (`pulkitpareek18/ZeroAuth-Governance`): `bad10e7` on `main`
+- API (`zeroauth-dev/ZeroAuth`): `ad2a04a` on `main` (== `dev` after yesterday's PR #28 squash-merge + sync)
+- Governance (`zeroauth-dev/ZeroAuth-Governance`): `bad10e7` on `main`
 - IoT firmware: **not built** (B03 — Week 3)
 - Mobile SDK: **not built** (B04 — Week 5)
 - Liveness detection: **not built** (B13 — Week 3 / Week 5)
diff --git a/qa-log/2026-05-15.md b/qa-log/2026-05-15.md
index 7eca19e..9acd901 100644
--- a/qa-log/2026-05-15.md
+++ b/qa-log/2026-05-15.md
@@ -4,8 +4,8 @@
 **Time:** 12:30 IST (DW01 canonical slot is 09:55; today's entry is late because email-infra deployment ran through the morning — the runbook fix landed first, this entry second)
 **Build:**
 
-- API (`pulkitpareek18/ZeroAuth`): `02a79d0` on `main`
-- Governance (`pulkitpareek18/ZeroAuth-Governance`): `bad10e7` on `main`
+- API (`zeroauth-dev/ZeroAuth`): `02a79d0` on `main`
+- Governance (`zeroauth-dev/ZeroAuth-Governance`): `bad10e7` on `main`
 - IoT firmware: **not built** (B03 — Week 3)
 - Mobile SDK: **not built** (B04 — Week 5)
 - Liveness detection: **not built** (B13 — Week 3 / Week 5)
diff --git a/qa-log/W01-engineering-annex.md b/qa-log/W01-engineering-annex.md
index f683b2a..c74369f 100644
--- a/qa-log/W01-engineering-annex.md
+++ b/qa-log/W01-engineering-annex.md
@@ -22,26 +22,26 @@ PRs merged to main, in order:
 
 | # | PR | Headline | Impact |
 |---|---|---|---|
-| 1 | [#22](https://github.com/pulkitpareek18/ZeroAuth/pull/22) | Central API developer console: 10 pages, 82 tests, CI gated | Dashboard live at `/dashboard/*`. Brainstorm had this in Week 6. |
-| 2 | [#24](https://github.com/pulkitpareek18/ZeroAuth/pull/24) | Dashboard `@types/node` Docker hotfix | Unblocked the build after PR #22's squash-merge surfaced a type-resolution gap. |
-| 3 | [#25](https://github.com/pulkitpareek18/ZeroAuth/pull/25) | Marketing site: product-led landing with dashboard CTAs + Quickstart | Replaced single-pilot-form layout with Sign in / Get started cluster + tabbed Quickstart. |
-| 4 | [#28](https://github.com/pulkitpareek18/ZeroAuth/pull/28) | Day 3 bundle: governance repo + qa-log + PR #22 security fixes + B02 plan | One PR for the Day 3 discipline-gap clearance. |
-| 5 | [#29](https://github.com/pulkitpareek18/ZeroAuth/pull/29) | B02 Plan B: split Groth16 verifier into `@zeroauth/verifier` workspace | Architectural seam landed. Inline fallback retained as safety net. |
-| 6 | [#30](https://github.com/pulkitpareek18/ZeroAuth/pull/30) | Test sweep — 73 → 217 tests across services, middleware, verifier package | 144 new tests in one PR. |
-| 7 | [#31](https://github.com/pulkitpareek18/ZeroAuth/pull/31) | Landing page: Pramaan IP vs ZeroAuth product split + new whitepaper | Brand pivot. Yushu Excellence Technologies + Pramaan™ patent (IN202311041001) now anchored on the site. |
-| 8 | [#32](https://github.com/pulkitpareek18/ZeroAuth/pull/32) | Landing page broken-link fixes | `status.zeroauth.dev` + `api.zeroauth.dev` cleaned up. |
-| 9 | [#33](https://github.com/pulkitpareek18/ZeroAuth/pull/33) | Email infra (Brevo SMTP via nodemailer) + F-2 partial mitigation | Welcome + signup-attempted-notice emails operating. Brevo IP allowlisting required + done. |
-| 10 | [#34](https://github.com/pulkitpareek18/ZeroAuth/pull/34) | `docs/operations/env-vars.md` runbook | Captures the `restart` vs `up -d --force-recreate` env-file gotcha + the future `PROD_ENV_FILE` GitHub secret path. |
-| 11 | [#35](https://github.com/pulkitpareek18/ZeroAuth/pull/35) | B02 Phase 2: verifier as its own container in prod | Production cutover from inline to HTTP verifier. |
-| 12 | [#36](https://github.com/pulkitpareek18/ZeroAuth/pull/36) | B02 Phase 2 hotfix: `127.0.0.1` not `localhost` in verifier healthcheck | 3-minute prod 502 caught + recovered via SSH `--no-deps` start; permanent fix via PR. Documented in the Dockerfile comment so the next operator doesn't revert. |
-| 13 | [#37](https://github.com/pulkitpareek18/ZeroAuth/pull/37) | B02 SQLite append-only audit log + hash chain in verifier | Defense in depth — verifier-local audit log independent from Postgres. |
-| 14 | [#38](https://github.com/pulkitpareek18/ZeroAuth/pull/38) | ADR-0006: verifier in TS workspace, not Rust separate repo | Formal record of Plan B decision + inline-fallback retirement timeline (2026-06-08). |
+| 1 | [#22](https://github.com/zeroauth-dev/ZeroAuth/pull/22) | Central API developer console: 10 pages, 82 tests, CI gated | Dashboard live at `/dashboard/*`. Brainstorm had this in Week 6. |
+| 2 | [#24](https://github.com/zeroauth-dev/ZeroAuth/pull/24) | Dashboard `@types/node` Docker hotfix | Unblocked the build after PR #22's squash-merge surfaced a type-resolution gap. |
+| 3 | [#25](https://github.com/zeroauth-dev/ZeroAuth/pull/25) | Marketing site: product-led landing with dashboard CTAs + Quickstart | Replaced single-pilot-form layout with Sign in / Get started cluster + tabbed Quickstart. |
+| 4 | [#28](https://github.com/zeroauth-dev/ZeroAuth/pull/28) | Day 3 bundle: governance repo + qa-log + PR #22 security fixes + B02 plan | One PR for the Day 3 discipline-gap clearance. |
+| 5 | [#29](https://github.com/zeroauth-dev/ZeroAuth/pull/29) | B02 Plan B: split Groth16 verifier into `@zeroauth/verifier` workspace | Architectural seam landed. Inline fallback retained as safety net. |
+| 6 | [#30](https://github.com/zeroauth-dev/ZeroAuth/pull/30) | Test sweep — 73 → 217 tests across services, middleware, verifier package | 144 new tests in one PR. |
+| 7 | [#31](https://github.com/zeroauth-dev/ZeroAuth/pull/31) | Landing page: Pramaan IP vs ZeroAuth product split + new whitepaper | Brand pivot. Yushu Excellence Technologies + Pramaan™ patent (IN202311041001) now anchored on the site. |
+| 8 | [#32](https://github.com/zeroauth-dev/ZeroAuth/pull/32) | Landing page broken-link fixes | `status.zeroauth.dev` + `api.zeroauth.dev` cleaned up. |
+| 9 | [#33](https://github.com/zeroauth-dev/ZeroAuth/pull/33) | Email infra (Brevo SMTP via nodemailer) + F-2 partial mitigation | Welcome + signup-attempted-notice emails operating. Brevo IP allowlisting required + done. |
+| 10 | [#34](https://github.com/zeroauth-dev/ZeroAuth/pull/34) | `docs/operations/env-vars.md` runbook | Captures the `restart` vs `up -d --force-recreate` env-file gotcha + the future `PROD_ENV_FILE` GitHub secret path. |
+| 11 | [#35](https://github.com/zeroauth-dev/ZeroAuth/pull/35) | B02 Phase 2: verifier as its own container in prod | Production cutover from inline to HTTP verifier. |
+| 12 | [#36](https://github.com/zeroauth-dev/ZeroAuth/pull/36) | B02 Phase 2 hotfix: `127.0.0.1` not `localhost` in verifier healthcheck | 3-minute prod 502 caught + recovered via SSH `--no-deps` start; permanent fix via PR. Documented in the Dockerfile comment so the next operator doesn't revert. |
+| 13 | [#37](https://github.com/zeroauth-dev/ZeroAuth/pull/37) | B02 SQLite append-only audit log + hash chain in verifier | Defense in depth — verifier-local audit log independent from Postgres. |
+| 14 | [#38](https://github.com/zeroauth-dev/ZeroAuth/pull/38) | ADR-0006: verifier in TS workspace, not Rust separate repo | Formal record of Plan B decision + inline-fallback retirement timeline (2026-06-08). |
 
 ### Cross-repo PRs (governance)
 
 | Repo | Change | Why |
 |---|---|---|
-| `pulkitpareek18/ZeroAuth-Governance` | Initial scaffold (30 files) + counsel-not-engaged honesty patch + verifier component threat-model promoted from stub to v1 with A-V01..A-V05 entries | Day 3 created the repo (collapsed → split per ADR-0004). Day 5 promoted the verifier threat model after PR #37 went live. |
+| `zeroauth-dev/ZeroAuth-Governance` | Initial scaffold (30 files) + counsel-not-engaged honesty patch + verifier component threat-model promoted from stub to v1 with A-V01..A-V05 entries | Day 3 created the repo (collapsed → split per ADR-0004). Day 5 promoted the verifier threat model after PR #37 went live. |
 
 ### Total numbers
 
@@ -74,7 +74,7 @@ PRs merged to main, in order:
 
 | Source | Item | Severity | Owner | Next step |
 |---|---|---|---|---|
-| Issue [#27](https://github.com/pulkitpareek18/ZeroAuth/issues/27) | F-2 byte-identical email-enumeration fix (v2 — 202 always + verification flow) | Medium (down from Critical thanks to Day 4 timing-equalization + notice email) | Pulkit | Week 2 build item. Breaks dashboard signup flow + Playwright happy path; ~4–6h. |
+| Issue [#27](https://github.com/zeroauth-dev/ZeroAuth/issues/27) | F-2 byte-identical email-enumeration fix (v2 — 202 always + verification flow) | Medium (down from Critical thanks to Day 4 timing-equalization + notice email) | Pulkit | Week 2 build item. Breaks dashboard signup flow + Playwright happy path; ~4–6h. |
 | ADR-0005 (open) | Engage external DPO + IP counsel | High (gates SOW) | Amit | Pick firm at W05 review. Recommended: Ikigai Law (specialist boutique) or Khaitan & Co (full-service). |
 | ADR-0006 | Inline-fallback retirement in `src/services/zkp.ts` | Low | Pulkit | Hard date: 2026-06-08 (end of Week 4). 3-week soak window starts today. |
 | Verifier threat model | Periodic `/audit/verify-chain` cron + alert | Medium | Pulkit | Week 2 ops task. Daily run + page on `ok:false`. |
@@ -128,7 +128,7 @@ Default plan for Mon 2026-05-18 → Fri 2026-05-22, subject to revision in the W
 
 | Day | Item | Why |
 |---|---|---|
-| Mon | **B03 — IoT terminal firmware skeleton** (`pulkitpareek18/ZeroAuth-IoT` new repo). Per dev brainstorm Week 3 schedule, but bringing forward to Week 2 Mon. | The four demos unblock when B03 + B13 ship. Earlier ⇒ pilot demos sooner. |
+| Mon | **B03 — IoT terminal firmware skeleton** (`zeroauth-dev/ZeroAuth-IoT` new repo). Per dev brainstorm Week 3 schedule, but bringing forward to Week 2 Mon. | The four demos unblock when B03 + B13 ship. Earlier ⇒ pilot demos sooner. |
 | Tue | **Counsel outreach (Amit) + Issue #27 v2** (Pulkit, in parallel). | ADR-0005 closure starts the engagement window. F-2 v2 needs the email infra that's now live. |
 | Wed | **B13 — Liveness detection skeleton** + mock-hardware demos pass | Demo 1 of the four-demo battery starts to lift. |
 | Thu | **Periodic chain-verify cron + off-host SQLite backup** + DPDP mapping counsel review (if Amit has firm picked) | Closes two open items the verifier threat model flagged. |
diff --git a/qa-log/security-review-pr22.md b/qa-log/security-review-pr22.md
index b58706e..81e67cf 100644
--- a/qa-log/security-review-pr22.md
+++ b/qa-log/security-review-pr22.md
@@ -4,7 +4,7 @@
 **Date:** 2026-05-13
 **Diff range:** `git diff 69fd27e..0c325fb` (8,652 lines across 46 files)
 **Production state at review time:** `main` @ `0d1741d` (live on `https://zeroauth.dev`); `dev` @ `876fac3`
-**Reason for retroactive review:** PR #22 touched all four security-reviewer trigger surfaces (auth, crypto, audit, tenant boundaries) and merged without the subagent running. CLAUDE.md mandates the subagent on any change to these surfaces — discipline-debt clearance, not a pre-merge gate. Tracking issue: [#26](https://github.com/pulkitpareek18/ZeroAuth/issues/26).
+**Reason for retroactive review:** PR #22 touched all four security-reviewer trigger surfaces (auth, crypto, audit, tenant boundaries) and merged without the subagent running. CLAUDE.md mandates the subagent on any change to these surfaces — discipline-debt clearance, not a pre-merge gate. Tracking issue: [#26](https://github.com/zeroauth-dev/ZeroAuth/issues/26).
 
 ---
 
diff --git a/src/services/email-templates.ts b/src/services/email-templates.ts
index d27562b..e58df58 100644
--- a/src/services/email-templates.ts
+++ b/src/services/email-templates.ts
@@ -24,7 +24,7 @@ const FOOTER_HTML = `
     Yushu Excellence Technologies Pvt. Ltd. &middot; Indian Patent
     IN202311041001.<br/>
     Questions? Reply to this email or open an issue at
-    <a href="https://github.com/pulkitpareek18/ZeroAuth/issues" style="color:#4285F4;">github.com/pulkitpareek18/ZeroAuth/issues</a>.
+    <a href="https://github.com/zeroauth-dev/ZeroAuth/issues" style="color:#4285F4;">github.com/zeroauth-dev/ZeroAuth/issues</a>.
   </p>
 `;
 
@@ -34,7 +34,7 @@ Sent by ZeroAuth, the developer-facing API for Pramaan(TM) — the patented
 zero-knowledge biometric identity protocol. Yushu Excellence Technologies
 Pvt. Ltd. — Indian Patent IN202311041001.
 Questions? Reply to this email or open an issue at
-https://github.com/pulkitpareek18/ZeroAuth/issues
+https://github.com/zeroauth-dev/ZeroAuth/issues
 `;
 
 /**
diff --git a/verifier/README.md b/verifier/README.md
index f16b9eb..c742f55 100644
--- a/verifier/README.md
+++ b/verifier/README.md
@@ -86,7 +86,7 @@ If you ever consider exposing the verifier on a public interface, you MUST first
 
 1. Add caller authentication (mTLS or shared secret in a header)
 2. Add per-caller rate limiting
-3. Update the threat model component-extension at `pulkitpareek18/ZeroAuth-Governance: docs/threat-model/verifier.md`
+3. Update the threat model component-extension at `zeroauth-dev/ZeroAuth-Governance: docs/threat-model/verifier.md`
 4. Open an ADR
 
 The default loopback bind is the v0 trust model; do not change it without going through the above.
@@ -96,4 +96,4 @@ The default loopback bind is the v0 trust model; do not change it without going
 - API repo's [`src/services/zkp.ts`](../src/services/zkp.ts) — calls this service via `VERIFIER_URL`
 - [ADR-0008] (forthcoming) — captures the TS-vs-Rust decision
 - [`docs/design/verifier-service-split.md`](../docs/design/verifier-service-split.md) — the plan-mode design doc
-- [Governance: `docs/threat-model/verifier.md`](https://github.com/pulkitpareek18/ZeroAuth-Governance/blob/main/docs/threat-model/verifier.md) — component-level threat model
+- [Governance: `docs/threat-model/verifier.md`](https://github.com/zeroauth-dev/ZeroAuth-Governance/blob/main/docs/threat-model/verifier.md) — component-level threat model
diff --git a/website/docusaurus.config.ts b/website/docusaurus.config.ts
index 16c4896..b9f4f09 100644
--- a/website/docusaurus.config.ts
+++ b/website/docusaurus.config.ts
@@ -75,7 +75,7 @@ const config: Config = {
           position: 'right',
         },
         {
-          href: 'https://github.com/pulkitpareek18/ZeroAuth',
+          href: 'https://github.com/zeroauth-dev/ZeroAuth',
           label: 'GitHub',
           position: 'right',
         },
@@ -148,7 +148,7 @@ const config: Config = {
             },
             {
               label: 'GitHub',
-              href: 'https://github.com/pulkitpareek18/ZeroAuth',
+              href: 'https://github.com/zeroauth-dev/ZeroAuth',
             },
           ],
         },