Wave-3: brittle upstream version pins need periodic verification (graceful stubs now hide drift)

[hyperpolymath]

Tracked follow-up split out of PR #73. PR #73 made every Wave-3 target build
gracefully (stub/empty-export on a failed download instead of hard-failing
the image). Side effect: a dead upstream URL/version now silently degrades
the backend instead of loudly failing — so these pins need periodic
verification (ideally a CI smoke that asserts the real binary, not the stub).

Targets — exact location where each upstream is addressed

All in .containerization/Containerfile.wave3:

Backend	ARG	Upstream resource	Observed
Poly/ML (hol4)	POLYML_VERSION=5.9.1	github.com/polyml/polyml tag tarball	release-asset URL 404'd → #73 switched to tag archive + fallback
OR-Tools	ORTOOLS_VERSION=9.12	github.com/google/or-tools release or-tools_amd64_debian-12_cpp_v9.12.tar.gz	download failed in test → needs version/URL re-validation
SCIP	SCIP_VERSION=9.2.2	scipopt.org SCIPOptSuite-9.2.2-Linux-debian.bookworm.deb	PASSED in test (valid as of now) — verify on drift
ACL2	ACL2_VERSION=8.6	github.com/acl2/acl2 tag	PASSED — verify on drift
Tamarin	TAMARIN_VERSION=1.8.0	tamarin-prover releases linux64 tarball	PASSED — verify on drift

Action

• Bump each ARG to a currently-valid upstream version when it drifts.
• Consider a weekly CI assertion that --version/-help returns the real
  prover, failing if the stub sentinel string is present.

Refs #53.

[hyperpolymath]

Verification pass run 2026-05-30. Three pins bumped via #156 (Poly/ML 5.9.1→5.9.2, OR-Tools 9.12→9.15, ACL2 8.6→8.7); SCIP 10.0.2 and Tamarin 1.12.0 are at latest; HOL4 trindemossen-2 is at latest. All five asset URLs HEAD-resolved before bumping — no dead-URL stub-degradation was masking drift at this snapshot.

Remaining ask from this issue: the CI smoke that asserts the real binary (e.g. --version parsed for a non-sentinel string) is the bigger lift and is not in #156. That can be filed as a follow-on if you want it tracked separately, or addressed by a second pass on this issue.

[hyperpolymath]

Second half shipped in #157 — adds a `Stub-sentinel detection` step to the existing `tier3-container` matrix in `container-ci.yml`. Re-runs each cell's `version_check`, captures output, fails loudly on the known sentinel patterns (`not available (bundle install failed` / `(build failed` / `(source build failed` / generic `*failed at image build time`). `continue-on-error: true` preserved so it stays informational rather than a merge gate, matching the rest of the job.

With #156 (pin bumps) + #157 (stub smoke) both armed, the two asks in this issue are addressed. Suggest leaving open until both land + the next weekly cron run shows the new step appearing across all 8 matrix cells. Then closeable.