ci(wave3): stub-sentinel detection step in tier3-container matrix

.github/workflows/container-ci.yml

@@ -179,6 +179,28 @@ jobs:
           podman run --rm --entrypoint /bin/sh "${{ matrix.image }}" \
             -c '${{ matrix.version_check }}'
 
+      # #75: the per-prover version_check above uses `|| true` for several
+      # backends because tools like metamath / hol4 / acl2 exit non-zero on
+      # quit. Side effect: a stub fallback (graceful-degrade on a dead
+      # upstream pin, see Containerfile.wave3 :: tamarin/proverif/scip/metamath)
+      # prints "<prover> not available (... failed at image build time)" and
+      # `|| true` swallows it. This step re-runs the check, captures the
+      # output verbatim, and fails LOUDLY on any stub sentinel — turning the
+      # silent degradation into a visible weekly red.
+      - name: Stub-sentinel detection (#75)
+        run: |
+          set +e
+          OUTPUT=$(podman run --rm --entrypoint /bin/sh "${{ matrix.image }}" \
+            -c '${{ matrix.version_check }}' 2>&1)
+          echo "--- version_check output ---"
+          echo "$OUTPUT"
+          echo "--- end ---"
+          if echo "$OUTPUT" | grep -qiE 'not available \(bundle install failed|not available \(build failed|not available \(source build failed|bundle install failed at image build time|build failed at image build time|source build failed at image build'; then
+            echo "::error file=.containerization/Containerfile.wave3::Stub sentinel detected in ${{ matrix.prover }} image. The upstream pin is broken and was masked by graceful fallback — bump the pin (#75)."
+            exit 1
+          fi
+          echo "OK: no stub sentinel for ${{ matrix.prover }}"
+
       - name: Verify image metadata
         run: |
           podman inspect "${{ matrix.image }}" \