diff --git a/.planning/ROADMAP.md b/.planning/ROADMAP.md
index dc0a663..c3931a3 100644
--- a/.planning/ROADMAP.md
+++ b/.planning/ROADMAP.md
@@ -16,7 +16,7 @@ Decimal phases appear between their surrounding integers in numeric order.
 - [x] **Phase 2: Core Archiver** - Rust CLI that compresses, encrypts, and packs files into the custom format (completed 2026-02-24)
 - [x] **Phase 3: Round-Trip Verification** - Rust unpack command + golden test vectors + unit tests proving byte-identical round-trips (completed 2026-02-24)
 - [x] **Phase 4: Kotlin Decoder** - Android 13 decoder using javax.crypto and java.util.zip (primary extraction path) (completed 2026-02-25)
-- [ ] **Phase 5: Shell Decoder** - Busybox shell script decoder using dd/xxd/openssl/gunzip (fallback extraction)
+- [x] **Phase 5: Shell Decoder** - Busybox shell script decoder using dd/xxd/openssl/gunzip (fallback extraction) (completed 2026-02-25)
 - [ ] **Phase 6: Obfuscation Hardening** - XOR-obfuscated headers, encrypted file table, decoy padding to defeat casual analysis
 
 ## Phase Details
@@ -91,8 +91,8 @@ Plans:
 **Plans**: 2 plans
 
 Plans:
-- [ ] 05-01-PLAN.md -- Shell decode.sh: busybox-compatible decoder with full pipeline (dd/xxd/openssl/gunzip)
-- [ ] 05-02-PLAN.md -- Cross-validation test script and end-to-end verification (6 test cases)
+- [x] 05-01-PLAN.md -- Shell decode.sh: busybox-compatible decoder with full pipeline (dd/xxd/openssl/gunzip)
+- [x] 05-02-PLAN.md -- Cross-validation test script and end-to-end verification (6 test cases)
 
 ### Phase 6: Obfuscation Hardening
 **Goal**: Archive format resists casual analysis -- binwalk, file, strings, and hex editors reveal nothing useful
@@ -119,5 +119,5 @@ Phases execute in numeric order: 1 -> 2 -> 3 -> 4 -> 5 -> 6
 | 2. Core Archiver | 2/2 | Complete    | 2026-02-24 |
 | 3. Round-Trip Verification | 2/2 | Complete    | 2026-02-24 |
 | 4. Kotlin Decoder | 1/1 | Complete    | 2026-02-24 |
-| 5. Shell Decoder | 0/2 | Not started | - |
+| 5. Shell Decoder | 2/2 | Complete    | 2026-02-25 |
 | 6. Obfuscation Hardening | 0/1 | Not started | - |
diff --git a/.planning/STATE.md b/.planning/STATE.md
index eb91f55..6174e29 100644
--- a/.planning/STATE.md
+++ b/.planning/STATE.md
@@ -5,22 +5,22 @@
 See: .planning/PROJECT.md (updated 2026-02-24)
 
 **Core value:** Archive impossible to unpack without knowing the format -- standard tools (7z, tar, unzip, binwalk) cannot recognize or extract contents
-**Current focus:** Phase 5 in progress (Shell Decoder)
+**Current focus:** Phase 5 complete (Shell Decoder). Ready for Phase 6.
 
 ## Current Position
 
-Phase: 5 of 6 (Shell Decoder)
-Plan: 1 of 2 in current phase
-Status: Plan 1 complete, Plan 2 (cross-validation tests) remaining
-Last activity: 2026-02-25 -- Busybox-compatible shell decoder script (shell/decode.sh)
+Phase: 5 of 6 (Shell Decoder) -- COMPLETE
+Plan: 2 of 2 in current phase (all done)
+Status: Phase 5 complete -- both decoder and cross-validation tests done
+Last activity: 2026-02-25 -- Cross-validation tests for shell decoder (shell/test_decoder.sh)
 
-Progress: [███████░░░] 70%
+Progress: [████████░░] 80%
 
 ## Performance Metrics
 
 **Velocity:**
-- Total plans completed: 7
-- Average duration: 4.1 min
+- Total plans completed: 8
+- Average duration: 3.9 min
 - Total execution time: 0.5 hours
 
 **By Phase:**
@@ -31,10 +31,10 @@ Progress: [███████░░░] 70%
 | 2. Core Archiver | 2/2 | 6 min | 3 min |
 | 3. Round-Trip Verification | 2/2 | 8 min | 4 min |
 | 4. Kotlin Decoder | 1/1 | 4 min | 4 min |
-| 5. Shell Decoder | 1/2 | 3 min | 3 min |
+| 5. Shell Decoder | 2/2 | 5 min | 2.5 min |
 
 **Recent Trend:**
-- Last 5 plans: 2min, 3min, 5min, 4min, 3min
+- Last 5 plans: 3min, 5min, 4min, 3min, 2min
 - Trend: stable
 
 *Updated after each plan completion*
@@ -72,6 +72,8 @@ Recent decisions affecting current work:
 - Phase 5: Graceful HMAC degradation when openssl lacks -mac support
 - Phase 5: Extract ciphertext to temp file before decryption (avoids pipe buffering issues)
 - Phase 5: LC_ALL=C for predictable byte handling across locales
+- Phase 5: All 6 cross-validation tests passed on first run -- decode.sh was correct as written
+- Phase 5: Used sh (not bash) to invoke decode.sh in tests for POSIX compatibility validation
 
 ### Pending Todos
 
@@ -86,5 +88,5 @@ None yet.
 ## Session Continuity
 
 Last session: 2026-02-25
-Stopped at: Completed 05-01-PLAN.md (Shell decoder script; Phase 5 Plan 1 of 2)
+Stopped at: Completed 05-02-PLAN.md (Shell decoder cross-validation tests; Phase 5 complete)
 Resume file: None
diff --git a/.planning/phases/05-shell-decoder/05-02-SUMMARY.md b/.planning/phases/05-shell-decoder/05-02-SUMMARY.md
new file mode 100644
index 0000000..d4d13ab
--- /dev/null
+++ b/.planning/phases/05-shell-decoder/05-02-SUMMARY.md
@@ -0,0 +1,105 @@
+---
+phase: 05-shell-decoder
+plan: 02
+subsystem: shell-decoder
+tags: [posix-sh, cross-validation, sha256, test-script, busybox, cyrillic]
+
+# Dependency graph
+requires:
+  - phase: 05-shell-decoder
+    plan: 01
+    provides: "shell/decode.sh -- busybox-compatible POSIX shell decoder"
+  - phase: 02-core-archiver
+    provides: "Rust archiver CLI for creating test archives"
+provides:
+  - "shell/test_decoder.sh -- cross-validation test script (6 tests, Rust pack -> Shell decode -> SHA-256 verify)"
+  - "Validated shell decoder correctness across all edge cases: text, binary, no-compress, empty, large, Cyrillic filenames"
+affects: [06-obfuscation]
+
+# Tech tracking
+tech-stack:
+  added: [bash-test-framework]
+  patterns: [cross-validation-testing, rust-pack-shell-decode-sha256-verify]
+
+key-files:
+  created:
+    - shell/test_decoder.sh
+
+key-decisions:
+  - "All 6 tests passed on first run -- no decode.sh fixes needed"
+  - "Used sh (not bash) to invoke decode.sh in tests for POSIX compatibility validation"
+  - "Followed kotlin/test_decoder.sh pattern for consistency across decoder test suites"
+
+patterns-established:
+  - "Cross-validation test pattern: Rust pack -> decoder unpack -> SHA-256 comparison (reusable for any decoder)"
+  - "Test script structure: prerequisites -> build -> test cases -> summary with pass/fail counts"
+
+requirements-completed: [SHL-01, SHL-02, SHL-03]
+
+# Metrics
+duration: 2min
+completed: 2026-02-25
+---
+
+# Phase 5 Plan 2: Shell Decoder Cross-Validation Tests Summary
+
+**Cross-validation test script with 6 test cases (single file, multiple files, no-compress, empty, large 100KB, Cyrillic filename) all passing on first run via Rust pack -> sh decode.sh -> SHA-256 verify**
+
+## Performance
+
+- **Duration:** 2 min
+- **Started:** 2026-02-24T22:42:47Z
+- **Completed:** 2026-02-24T22:44:38Z
+- **Tasks:** 2
+- **Files created:** 1
+
+## Accomplishments
+- Created comprehensive cross-validation test script (275 lines) following kotlin/test_decoder.sh pattern
+- All 6 test cases passed on first run with zero decode.sh fixes needed
+- Validated SHL-01 (single text file), SHL-02 (no-compress mode), and SHL-03 (Cyrillic UTF-8 filename)
+- Verified shell decoder produces byte-identical output to originals via SHA-256 comparison
+- Confirmed existing Rust test suite (6 tests) still passes -- no regressions
+
+## Task Commits
+
+Each task was committed atomically:
+
+1. **Task 1: Create shell/test_decoder.sh cross-validation test script** - `e9d7442` (test)
+2. **Task 2: Run cross-validation tests and fix any decode.sh issues** - no commit (all tests passed, no fixes needed)
+
+## Files Created/Modified
+- `shell/test_decoder.sh` - Cross-validation test script: 6 test cases covering all edge cases for shell decoder
+
+## Decisions Made
+- All 6 tests passed on first run -- decode.sh implementation from Plan 1 was correct
+- Used `sh "$DECODER"` (not `bash`) to invoke decode.sh, ensuring POSIX sh compatibility is tested
+- Followed kotlin/test_decoder.sh pattern exactly for consistency across decoder test suites
+- 7 total assertions across 6 tests (Test 2 verifies both text.txt and binary.bin)
+
+## Deviations from Plan
+
+None - plan executed exactly as written.
+
+## Issues Encountered
+None.
+
+## User Setup Required
+None - no external service configuration required.
+
+## Next Phase Readiness
+- Shell decoder fully validated with cross-validation tests
+- Phase 5 (Shell Decoder) is complete: both decode script and test suite done
+- Phase 6 (Obfuscation) can extend decode.sh with XOR header deobfuscation and encrypted TOC parsing
+- Test script can serve as regression test when obfuscation layer is added
+
+---
+
+## Self-Check: PASSED
+
+- FOUND: shell/test_decoder.sh
+- FOUND: commit e9d7442
+- FOUND: 05-02-SUMMARY.md
+
+---
+*Phase: 05-shell-decoder*
+*Completed: 2026-02-25*