chore: harden blocker packet validator scope

2026-05-08 03:01:47 +00:00 · 2026-04-23 22:00:13 -05:00 · 2026-04-23 22:00:13 -05:00 · 25c536c669
commit 25c536c669
parent 25d371dbe2
3 changed files with 43 additions and 1 deletions
--- a/starter-kits/delegation-readiness-doctor/README.md
+++ b/starter-kits/delegation-readiness-doctor/README.md
@ -35,7 +35,7 @@ This starter kit now packages the proof line, not just the kickoff gap, so the s
 - `scripts/sync-reviewer-handoff-baseline.sh` — keeps `latest-reviewer-handoff.md` aligned to the live PR head/base before state-change detection; polls GitHub mergeability before writing so the handoff does not regress to first-response `mergeability unknown` noise
 - `scripts/refresh-upstream-blocker-packet.sh` — one-command refresh that syncs the reviewer handoff, reruns the state-change detector, PR monitor, CI interpreter, and approval trigger together, then emits a consolidated blocker packet from the same live PR state; prints `UPSTREAM_BLOCKER_PACKET_UNCHANGED` when the blocker signature is materially identical to the previous latest packet so cron can distinguish revalidation from a real transition; unchanged runs restore prior `latest-*` files and delete just-created timestamped component artifacts so approval-wait cron passes do not dirty the workspace with no-movement files
 - `scripts/verify-unchanged-refresh-hygiene.sh` — proof harness for the external-wait loop breaker; snapshots canonical `latest-*` hashes and timestamped artifact names, runs the one-command refresh, and proves an unchanged blocker refresh leaves no local artifact churn behind
- `scripts/validate-artifact-consistency.sh` — fail-closed consistency check that requires every canonical blocker artifact to record the same live head/base pair before the packet is trusted
+- `scripts/validate-artifact-consistency.sh` — fail-closed consistency check that requires the consolidated blocker packet plus every canonical component blocker artifact to record the same live head/base pair before the packet is trusted
 - `artifacts/latest-current-gap-report.md` — most recent proof packet emitted by the gap verifier
 - `artifacts/latest-broken-state-roundtrip.md` — canonical blocked-state proof packet with before/after doctor output
 - `artifacts/latest-pr-review-monitor.md` — canonical live review/merge monitor for PR `#14297`
--- a/starter-kits/delegation-readiness-doctor/artifacts/latest-validator-scope-hardening.md
+++ b/starter-kits/delegation-readiness-doctor/artifacts/latest-validator-scope-hardening.md
@ -0,0 +1,41 @@
+# Delegation Readiness Doctor — Validator Scope Hardening
+
+Generated: 2026-04-23 21:57 CDT
+
+## Why this artifact exists
+The live upstream blocker stayed externally unchanged, so this block did not create another approval-wait status packet or repost the maintainer nudge. Instead, Hermes closed a local trust gap in the blocker-packet validator.
+
+## Gap found
+`validate-artifact-consistency.sh` checked the component artifacts but did not check the consolidated packet that recurring momentum blocks actually trust: `artifacts/latest-upstream-blocker-refresh.md`.
+
+That meant a future drift where the consolidated packet disagreed with the component artifacts could still pass the consistency check.
+
+## Correction made
+- Added `latest-upstream-blocker-refresh.md` to the validator's canonical artifact list.
+- Updated the starter-kit README so the validator contract now explicitly covers the consolidated blocker packet plus every canonical component artifact.
+
+## Verification
+Command:
+
+```bash
+bash -n starter-kits/delegation-readiness-doctor/scripts/validate-artifact-consistency.sh \
+  && bash starter-kits/delegation-readiness-doctor/scripts/validate-artifact-consistency.sh \
+  && bash starter-kits/delegation-readiness-doctor/scripts/verify-unchanged-refresh-hygiene.sh
+```
+
+Result:
+
+```text
+- latest-upstream-blocker-refresh.md: head=25d371dbe2cfe9d466e3b344028265ec36b782c9 | base=6fdbf2f2d76cf37393e657bf37ceda3d84589200
+- latest-workflow-approval-state-change.md: head=25d371dbe2cfe9d466e3b344028265ec36b782c9 | base=6fdbf2f2d76cf37393e657bf37ceda3d84589200
+- latest-pr-review-monitor.md: head=25d371dbe2cfe9d466e3b344028265ec36b782c9 | base=6fdbf2f2d76cf37393e657bf37ceda3d84589200
+- latest-ci-result-interpreter.md: head=25d371dbe2cfe9d466e3b344028265ec36b782c9 | base=6fdbf2f2d76cf37393e657bf37ceda3d84589200
+- latest-workflow-approval-trigger.md: head=25d371dbe2cfe9d466e3b344028265ec36b782c9 | base=6fdbf2f2d76cf37393e657bf37ceda3d84589200
+- latest-workflow-approval-brief.md: head=25d371dbe2cfe9d466e3b344028265ec36b782c9 | base=6fdbf2f2d76cf37393e657bf37ceda3d84589200
+
+CONSISTENT: head=25d371dbe2cfe9d466e3b344028265ec36b782c9 | base=6fdbf2f2d76cf37393e657bf37ceda3d84589200
+UNCHANGED_REFRESH_HYGIENE_PROVED
+```
+
+## Current blocker after this correction
+Maintainer workflow approval / first real upstream CI movement remains the only external blocker for PR `#14297`. The maintainer nudge is already posted and should not be reposted unless the blocker signature changes materially.
--- a/starter-kits/delegation-readiness-doctor/scripts/validate-artifact-consistency.sh
+++ b/starter-kits/delegation-readiness-doctor/scripts/validate-artifact-consistency.sh
@ -12,6 +12,7 @@ from pathlib import Path

 artifacts_dir = Path(sys.argv[1])
 artifacts = [
+    'latest-upstream-blocker-refresh.md',
    'latest-workflow-approval-state-change.md',
    'latest-pr-review-monitor.md',
    'latest-ci-result-interpreter.md',