From 25c536c669fc156652bd006ad82f58a2eb255b0d Mon Sep 17 00:00:00 2001 From: NplusM420 <77477623+NplusM420@users.noreply.github.com> Date: Thu, 23 Apr 2026 22:00:13 -0500 Subject: [PATCH] chore: harden blocker packet validator scope --- .../delegation-readiness-doctor/README.md | 2 +- .../latest-validator-scope-hardening.md | 41 +++++++++++++++++++ .../scripts/validate-artifact-consistency.sh | 1 + 3 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 starter-kits/delegation-readiness-doctor/artifacts/latest-validator-scope-hardening.md diff --git a/starter-kits/delegation-readiness-doctor/README.md b/starter-kits/delegation-readiness-doctor/README.md index 34c9ea2d38..6a8e796440 100644 --- a/starter-kits/delegation-readiness-doctor/README.md +++ b/starter-kits/delegation-readiness-doctor/README.md 
@@ -35,7 +35,7 @@ This starter kit now packages the proof line, not just the kickoff gap, so the s - `scripts/sync-reviewer-handoff-baseline.sh` — keeps `latest-reviewer-handoff.md` aligned to the live PR head/base before state-change detection; polls GitHub mergeability before writing so the handoff does not regress to first-response `mergeability unknown` noise - `scripts/refresh-upstream-blocker-packet.sh` — one-command refresh that syncs the reviewer handoff, reruns the state-change detector, PR monitor, CI interpreter, and approval trigger together, then emits a consolidated blocker packet from the same live PR state; prints `UPSTREAM_BLOCKER_PACKET_UNCHANGED` when the blocker signature is materially identical to the previous latest packet so cron can distinguish revalidation from a real transition; unchanged runs restore prior `latest-*` files and delete just-created timestamped component artifacts so approval-wait cron passes do not dirty the workspace with no-movement files - `scripts/verify-unchanged-refresh-hygiene.sh` — proof harness for the external-wait loop breaker; snapshots canonical `latest-*` hashes and timestamped artifact names, runs the one-command refresh, and proves an unchanged blocker refresh leaves no local artifact churn behind -- `scripts/validate-artifact-consistency.sh` — fail-closed consistency check that requires every canonical blocker artifact to record the same live head/base pair before the packet is trusted +- `scripts/validate-artifact-consistency.sh` — fail-closed consistency check that requires the consolidated blocker packet plus every canonical component blocker artifact to record the same live head/base pair before the packet is trusted - `artifacts/latest-current-gap-report.md` — most recent proof packet emitted by the gap verifier - `artifacts/latest-broken-state-roundtrip.md` — canonical blocked-state proof packet with before/after doctor output - `artifacts/latest-pr-review-monitor.md` — canonical live review/merge 
monitor for PR `#14297` diff --git a/starter-kits/delegation-readiness-doctor/artifacts/latest-validator-scope-hardening.md b/starter-kits/delegation-readiness-doctor/artifacts/latest-validator-scope-hardening.md new file mode 100644 index 0000000000..6ceefda21d --- /dev/null +++ b/starter-kits/delegation-readiness-doctor/artifacts/latest-validator-scope-hardening.md 
@@ -0,0 +1,41 @@ +# Delegation Readiness Doctor — Validator Scope Hardening + +Generated: 2026-04-23 21:57 CDT + +## Why this artifact exists +The live upstream blocker stayed externally unchanged, so this block did not create another approval-wait status packet or repost the maintainer nudge. Instead, Hermes closed a local trust gap in the blocker-packet validator. + +## Gap found +`validate-artifact-consistency.sh` checked the component artifacts but did not check the consolidated packet that recurring momentum blocks actually trust: `artifacts/latest-upstream-blocker-refresh.md`. + +That meant a future drift where the consolidated packet disagreed with the component artifacts could still pass the consistency check. + +## Correction made +- Added `latest-upstream-blocker-refresh.md` to the validator's canonical artifact list. +- Updated the starter-kit README so the validator contract now explicitly covers the consolidated blocker packet plus every canonical component artifact. + +## Verification +Command: + +```bash +bash -n starter-kits/delegation-readiness-doctor/scripts/validate-artifact-consistency.sh \ + && bash starter-kits/delegation-readiness-doctor/scripts/validate-artifact-consistency.sh \ + && bash starter-kits/delegation-readiness-doctor/scripts/verify-unchanged-refresh-hygiene.sh +``` + +Result: + +```text +- latest-upstream-blocker-refresh.md: head=25d371dbe2cfe9d466e3b344028265ec36b782c9 | base=6fdbf2f2d76cf37393e657bf37ceda3d84589200 +- latest-workflow-approval-state-change.md: head=25d371dbe2cfe9d466e3b344028265ec36b782c9 | base=6fdbf2f2d76cf37393e657bf37ceda3d84589200 +- latest-pr-review-monitor.md: head=25d371dbe2cfe9d466e3b344028265ec36b782c9 | base=6fdbf2f2d76cf37393e657bf37ceda3d84589200 +- latest-ci-result-interpreter.md: head=25d371dbe2cfe9d466e3b344028265ec36b782c9 | base=6fdbf2f2d76cf37393e657bf37ceda3d84589200 +- latest-workflow-approval-trigger.md: head=25d371dbe2cfe9d466e3b344028265ec36b782c9 | 
base=6fdbf2f2d76cf37393e657bf37ceda3d84589200 +- latest-workflow-approval-brief.md: head=25d371dbe2cfe9d466e3b344028265ec36b782c9 | base=6fdbf2f2d76cf37393e657bf37ceda3d84589200 + +CONSISTENT: head=25d371dbe2cfe9d466e3b344028265ec36b782c9 | base=6fdbf2f2d76cf37393e657bf37ceda3d84589200 +UNCHANGED_REFRESH_HYGIENE_PROVED +``` + +## Current blocker after this correction +Maintainer workflow approval / first real upstream CI movement remains the only external blocker for PR `#14297`. The maintainer nudge is already posted and should not be reposted unless the blocker signature changes materially. diff --git a/starter-kits/delegation-readiness-doctor/scripts/validate-artifact-consistency.sh b/starter-kits/delegation-readiness-doctor/scripts/validate-artifact-consistency.sh index 60fdbbc9fa..caa2fb56d6 100755 --- a/starter-kits/delegation-readiness-doctor/scripts/validate-artifact-consistency.sh +++ b/starter-kits/delegation-readiness-doctor/scripts/validate-artifact-consistency.sh @@ -12,6 +12,7 @@ from pathlib import Path artifacts_dir = Path(sys.argv[1]) artifacts = [ + 'latest-upstream-blocker-refresh.md', 'latest-workflow-approval-state-change.md', 'latest-pr-review-monitor.md', 'latest-ci-result-interpreter.md',
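Review bot: the Verification section of the new `latest-validator-scope-hardening.md` only records the positive path: all six artifacts already agree and the run prints `CONSISTENT`, which the pre-change validator would have printed for the same inputs. The drift described under "Gap found" (a consolidated packet disagreeing with the component artifacts yet passing) is only shown to be closed by a negative run, for example a copy of `latest-upstream-blocker-refresh.md` with an altered head SHA fed to the validator and its non-zero exit recorded. Suggest adding that negative case to the Verification block, or to `verify-unchanged-refresh-hygiene.sh`, so the artifact actually demonstrates the fail-closed behaviour the updated README line promises.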
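Review bot: in the `validate-artifact-consistency.sh` hunk, placing `'latest-upstream-blocker-refresh.md'` in the `artifacts` list is the right fix, but the hunk does not show how the script treats a listed file that is absent or lacks a head/base line in `artifacts_dir`. Since the README now describes this check as fail-closed over "the consolidated blocker packet plus every canonical component blocker artifact", please confirm, and state in the artifact, that a missing or unparseable packet makes the script exit non-zero rather than being skipped; `refresh-upstream-blocker-packet.sh` rewrites and restores `latest-*` files on unchanged runs, so a silently skipped packet is exactly the case this change is meant to catch.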