docs(validation): sharpen validation README front door #65
Validation boundary preserved: this PR updates README reviewer routing only. It uses existing receipts and does not promote runtime, public-safe, production, SOCaaS, autonomous SOC, AI-disposition, analyst-disposition, or live-signal claims.
Existing receipts used: HO-DET-001 local case pipeline, validation registry, detection activity ledger, HO-DET-001 validation report, case-packet and AI-boundary verifiers, result parity checks, Wazuh/Security Onion/AWS/identity/HO-PIPE validation lanes, and CI workflow routes.
Validation results: git diff --check passed; README local-link sanity passed; private/local leakage scan had no hits; blocked-claim context scan was boundary-only/negative/approval-gated; validation registry passed; all validation package checks passed; validation contract passed; Wazuh logtest registry passed; HO-DET-001 local case pipeline passed; unit tests passed with explicit repo test root because the escalated shell ignored the requested working directory.
Reviewer impact: README now shows behavior truth, strongest receipts, reviewer commands, and blocked claims above the fold without changing reports, workflows, proof records, or runtime status.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: b2f51a6551
Blocker classification: UNRESOLVED_THREAD_REQUIRES_README_CHANGE. The unresolved Codex review thread correctly identified that the first reviewer command was presented as single-repo clone-safe even though the full HO-DET-001 local case pipeline depends on the adjacent detections source checkout/source contract.
README fix: separated the reviewer paths. The first path is now a single-repo public clone path using registry/package/contract commands. The full HO-DET-001 local case pipeline is now documented as a source-contract path requiring adjacent HawkinsOperations source repositories, especially ../hawkinsoperations-detections.
Single-repo-safe command now documented: python -B scripts/verify_all_validation_packages.py.
HO-DET-001 single-repo validator command now documented: python -B scripts/validate-ho-det-001.py --source-contract skip-if-missing.
Full source-contract command documented: python -B scripts/run-ho-det-001-local-case-pipeline.py --check, with the adjacent source checkout requirement stated.
Files changed: README.md only. PR #65 still changes README.md only.
Validation run: git diff --check -- README.md passed; README local-link sanity passed; private/local leakage scan had no hits; blocked-claim scan remained negative/boundary-only/approval-gated; verify_validation_registry.py passed; verify_all_validation_packages.py passed; verify_validation_contract.py passed; verify_wazuh_logtest_registry.py passed; validate-ho-det-001.py --source-contract skip-if-missing passed; run-ho-det-001-local-case-pipeline.py --check passed with local adjacent source checkout; unittest discover passed with explicit repo test root.
GitHub checks: all current PR checks are passing on head 7a1eaca.
Claim boundary preserved: no runtime, proof, public-safe, production, SOCaaS, autonomous SOC, AI-disposition, analyst-disposition, live signal, or live SIEM/cloud claim was promoted.
Next human action: review PR #65, confirm the resolved command-thread fix, then provide MERGE_APPROVED when ready.
Discovery sources reviewed
Files changed
Strongest validation receipts surfaced
Why this needed tightening
The old README led with one HO-DET-001 boundary block and an older hero-rule section, which made the repo look narrower than the current validation surface. This update moves behavior truth, reviewer commands, current receipts, and explicit boundaries above the fold.
Current validation boundary
This README presents validation truth only: controlled fixtures, deterministic verifiers, registry state, activity ledger counts, CI checks, and case-packet/AI-boundary checks. It does not claim runtime, signal, production, public-safe, or disposition authority.
Blocked claims preserved
Runtime-active, signal-observed, public-safe runtime proof, live Splunk/Wazuh/Cribl/AWS/Security Onion proof, FortiSIEM integration proven, production SOC, SOCaaS deployment, customer deployment, fleet-wide coverage, autonomous SOC, AI-decided disposition, AI-approved disposition, and analyst-approved disposition remain blocked or boundary-only.
Validation run
Intentionally excluded