Require strict Context ABI hashes

Author: nshkrdotcom

support/context_abi_scanner/lib/stack_lab/context_abi_scanner.ex

@@ -535,7 +535,7 @@ defmodule StackLab.ContextABIScanner do
 
   defp non_empty_strings?(_values), do: false
 
-  defp sha256?("sha256:" <> digest), do: String.length(digest) == 64
+  defp sha256?("sha256:" <> digest), do: String.match?(digest, ~r/^[0-9a-f]{64}$/)
   defp sha256?(_value), do: false
 
   defp status([]), do: :pass

support/context_abi_scanner/test/stack_lab/context_abi_scanner_test.exs

@@ -51,6 +51,24 @@ defmodule StackLab.ContextABIScannerTest do
            )
   end
 
+  test "rejects non-hex sha256 refs" do
+    assert {:ok, receipt} =
+             ContextABIScanner.scan(%{
+               context_packets: [%{packet() | packet_hash: "sha256:" <> String.duplicate("z", 64)}],
+               context_compile_receipts: [compile_receipt()],
+               authority_grants: [grant()],
+               admission_receipts: [admission_receipt()],
+               route_decisions: [route_decision()],
+               render_results: [render_result()],
+               model_invocation_receipts: [model_receipt()],
+               appkit_projections: [%{context_packet_ref: packet().context_packet_ref}],
+               aitrace_facts: [%{trace_ref: packet().trace_ref}]
+             })
+
+    assert receipt.status == :open_defect
+    assert has_finding?(receipt, :context_packet_contract, {:invalid_sha256_ref, :packet_hash})
+  end
+
   test "rejects raw prompt and provider payload fields anywhere in the scan" do
     assert {:ok, receipt} =
              ContextABIScanner.scan(%{