Harden machine bridge and component pins#107

Merged
8Dionysus merged 1 commit into main from land/machine-bridge-component-pins on May 14, 2026
Conversation

@8Dionysus (Owner)

Summary

  • pin source-managed runtime components to inspected version+digest references
  • add machine-fit and machine-bridge freshness/status gates to aoa-doctor
  • repair source-root marker detection for autonomy and diagnosis wrappers
  • document the machine evidence and component pinning decisions

Verification

  • python scripts/validate_stack.py
  • python scripts/validate_nested_agents.py
  • python scripts/validate_decision_records.py
  • python scripts/build_diagnostic_surface_catalog.py --check
  • python scripts/validate_diagnostic_surface_catalog.py
  • python -m pytest -q
  • python scripts/release_check.py
  • shellcheck -x mechanics/diagnostic-spine/parts/doctor-readiness/aoa_doctor.sh scripts/aoa-doctor
  • git diff --check

Runtime Notes

  • aoa-sync-configs --delete refreshed deployed Configs after source changes
  • aoa-doctor now warns on stale or mismatched machine evidence instead of silently treating source/deployed parity as sufficient
  • current host evidence is connected but still reports machine-fit needs-attention because kernel updates are available

@8Dionysus 8Dionysus merged commit bc600bd into main May 14, 2026
4 checks passed
@8Dionysus 8Dionysus deleted the land/machine-bridge-component-pins branch May 14, 2026 16:50

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a817989d62

Comment on lines +301 to +303
current_bridge = run_json("abyss-machine", "bridge", "--json")
current_stack_bridge = run_json("abyss-machine", "stack-bridge", "export", "--json")
host_bridge = payload.get("host_bridge") if isinstance(payload.get("host_bridge"), dict) else {}
P1: Warn when live bridge probes cannot be collected

If abyss-machine bridge --json or abyss-machine stack-bridge export --json fails (for example on an older or partially installed abyss-machine), run_json returns None and the subsequent comparisons are skipped, so warnings can remain zero and the script prints machine-bridge record current enough. That reports freshness as OK even though no live bridge state was available to compare, which can give operators a false readiness signal.

Comment on lines +176 to +179
machine = payload.get("machine") if isinstance(payload.get("machine"), dict) else {}
record_kernel = machine.get("kernel_release")
current_kernel = platform.release()
if isinstance(record_kernel, str) and record_kernel and record_kernel != current_kernel:
P2: Require host identity fields before passing machine-fit freshness

The kernel/OS mismatch checks only run when machine.kernel_release and machine.os_version_id are present, but there is no warning when those fields are missing, so a record with fit_verdict.status=qualified and no host identity can still be reported as current enough. That undermines the new host-match gate because malformed or incomplete records can silently pass as fresh evidence.
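
A fail-closed version of the two gates flagged in the P1 and P2 comments above, written as an added example that is not code from this PR or from the aoa-doctor script. The field names (machine.kernel_release, machine.os_version_id, fit_verdict.status, host_bridge) and the "probe returns None" behaviour come from the review comments; the function names, the gate logic and the sample record are assumptions. Here a failed probe or a missing host identity field produces a warning instead of silently skipping the comparison, so the record can no longer be reported as current enough on absent evidence.

```python
"""Fail-closed freshness gate for machine-fit and machine-bridge records.
Added example, not code from the PR; the field names come from the review,
the gate logic and the sample record are assumptions."""
from __future__ import annotations

REQUIRED_HOST_FIELDS = ("kernel_release", "os_version_id")

# Constructed sample record (not real host evidence) for a self-check.
SAMPLE_RECORD = {
    "machine": {"kernel_release": "6.8.0-example", "os_version_id": "24.04"},
    "fit_verdict": {"status": "qualified"},
    "host_bridge": {"iface": "br0", "state": "connected"},
}


def _as_dict(value: object) -> dict:
    """Coerce to dict; None, strings or lists become an empty record."""
    return value if isinstance(value, dict) else {}


def check_machine_fit(payload: dict, kernel: str, os_id: str) -> list[str]:
    """Warnings for a machine-fit record; an empty list means current enough."""
    warnings: list[str] = []
    machine = _as_dict(payload.get("machine"))
    host = {"kernel_release": kernel, "os_version_id": os_id}
    for field in REQUIRED_HOST_FIELDS:
        recorded = machine.get(field)
        if not isinstance(recorded, str) or not recorded:
            # Fail closed: absent identity cannot be matched to this host.
            warnings.append(f"machine-fit record missing {field}")
        elif recorded != host[field]:
            warnings.append(f"machine-fit {field} {recorded!r} != host {host[field]!r}")
    if _as_dict(payload.get("fit_verdict")).get("status") != "qualified":
        warnings.append("machine-fit verdict is not qualified")
    return warnings


def check_machine_bridge(payload: dict, live_bridge: dict | None,
                         live_stack_bridge: dict | None) -> list[str]:
    """Warnings for a machine-bridge record; a failed probe (None) is a warning."""
    if live_bridge is None or live_stack_bridge is None:
        return ["live bridge probes unavailable; freshness unverified"]
    if _as_dict(payload.get("host_bridge")) != live_bridge:
        return ["machine-bridge record differs from live bridge state"]
    return []


def freshness_status(warnings: list[str]) -> str:
    """Collapse warnings into the doctor's one-line verdict."""
    return "current enough" if not warnings else "needs-attention"
```

In a doctor script the two live arguments would be the results of the `run_json` probes; passing them in explicitly keeps the gate testable without an installed abyss-machine.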