QVAC-18612 test[notask]: validate merged label-gate fan-out (will be closed) #2048

Closed
Proletter wants to merge 1 commit into main from test/QVAC-18612-validate-merged-label-gate

@Proletter
Contributor

Purpose

Runtime validation of the merged PR #2023 (label-gate fan-out). This PR will be closed without merging after the validation matrix passes.

What this PR triggers

Trivial README appends to:

  • packages/embed-llamacpp/README.md → triggers on-pr-embed-llamacpp.yml
  • packages/llm-llamacpp/README.md → triggers on-pr-llm-llamacpp.yml
  • packages/sdk/README.md → triggers on-pr-test-sdk.yml, pr-checks-sdk-pod.yml, pr-validation-sdk-pod.yml

Validation matrix (mirrors qvac-internal#12)

| # | Scenario | Expected |
|---|----------|----------|
| 1 | PR opened, no verified label | label-gate jobs report authorised=false; downstream secret-bearing jobs SKIPPED |
| 2 | verified label applied by trusted maintainer (Olutest, member of qvac-internal-{dev,merge,release}) | label-gate jobs report authorised=true; downstream gated jobs RUN; no caller-cap validation errors (the #1997 failure mode) |
| 3 | (Implicit) Reusable callees (integration-test-llm-llamacpp.yml, integration-test-embed-llamacpp.yml, etc.) execute via if: needs.label-gate.outputs.authorised == 'true' from caller | Reusable invocations succeed |

If all three pass, this validates the architectural fix shipped in #2023.

Refs: QVAC-18612.

Made with Cursor

No-op README edit to validate the merged label-gate fan-out (PR #2023).
Will be closed after observation.

Co-authored-by: Cursor <cursoragent@cursor.com>
@Proletter Proletter requested review from a team as code owners May 14, 2026 08:05
@Proletter Proletter changed the title test(QVAC-18612): validate merged label-gate fan-out (will be closed) QVAC-18612 test[notask]: validate merged label-gate fan-out (will be closed) May 14, 2026
@Proletter Proletter added the verified Authorize secrets / label-gate in PR workflows label May 14, 2026
@Proletter
Contributor Author

✅ Validation complete — label-gate works in production

Phase 1: PR opened, no verified label

| Workflow | label-gate result | Downstream gated jobs |
|----------|-------------------|-----------------------|
| On PR Trigger (LLM) (run) | authorised=false ('verified' label is not currently applied to PR #2048) | SKIPPED ✓ |
| On PR Trigger (Embed) (run) | authorised=false | SKIPPED ✓ |
| Build and Publish QVAC SDK (run) | authorised=false | SKIPPED ✓ |
| QVAC Tests (sdk) - PR (run) | authorised=false | SKIPPED ✓ |

20 secret-bearing jobs correctly skipped. Zero caller-cap validation errors.

Phase 2: verified label applied by trusted maintainer

| Workflow | label-gate result | Reusable callees |
|----------|-------------------|------------------|
| On PR Trigger (LLM) (run) | authorised=true (label applier 'Proletter' is trusted (member of 'tetherto/qvac-internal-dev')) | cpp-lint, cpp-tests (4 platforms), prebuild (9 platforms) — all started, queued for self-hosted runners |
| On PR Trigger (Embed) (run) | authorised=true | Same — all started ✓ |
| Build and Publish QVAC SDK (run) | authorised=true | build reusable started ✓ |

Other gated jobs that don't need self-hosted runners completed successfully: ts-checks, verify-fabric-lockstep, sanity-checks.

Critical proof: the #1997 failure mode is fixed

Reusable workflow invocations like cpp-lint, cpp-tests, prebuild, build are visible as jobs in the runs (queued for runners). This proves:

  1. The workflow file passed GitHub's caller-cap validation.
  2. The reusable callees were successfully started by the gated caller.
  3. No Error calling workflow ... The nested job 'label-gate' is requesting 'pull-requests: write', but is only allowed 'pull-requests: none' errors anywhere.

This is the exact failure mode that broke #1997 on test PR #2017. The architectural fix shipped in #2023 (caller-gates-callee, reusable callees byte-identical to main) holds in production.

Bonus: label was NOT stripped

verified label still applied on this PR after Phase 2. Confirms my user (Proletter via team qvac-internal-dev) is recognised as trusted — the unauthorised-applier strip path was correctly not triggered.


Closing this PR — pure validation, no changes intended for main.
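
The caller-gates-callee layout this comment validates, as an added sketch that is not the repository's own workflow: the gate job and its `pull-requests: write` permission stay in the calling workflow, and the reusable callee is reached only through the caller's `if:`. The workflow and file names, the `ORG_READ_TOKEN` secret and the `example-org/example-team` slugs are assumptions, and the gate logic is one possible implementation for PRs opened from same-repository branches.

```yaml
# Added illustration only. Workflow and file names, the ORG_READ_TOKEN secret
# and the example-org/example-team slugs are assumptions, not project values.
name: on-pr-example
on:
  pull_request:
    types: [opened, synchronize, reopened, labeled, unlabeled]
permissions:
  contents: read
jobs:
  label-gate:                    # lives in the caller, not in a reusable callee
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write       # used only to strip an untrusted 'verified' label
      issues: read               # read the PR's label events
    outputs:
      authorised: ${{ steps.check.outputs.authorised }}
    steps:
      - id: check
        env:
          GH_TOKEN: ${{ github.token }}
          ORG_TOKEN: ${{ secrets.ORG_READ_TOKEN }}   # assumed: may read team membership
          REPO: ${{ github.repository }}
          PR: ${{ github.event.pull_request.number }}
        run: |
          # Current label state, and who applied 'verified' most recently.
          has_label=$(gh api "repos/$REPO/issues/$PR/labels" --jq 'any(.[]; .name=="verified")')
          applier=$(gh api --paginate "repos/$REPO/issues/$PR/events" \
            --jq '.[] | select(.event=="labeled" and .label.name=="verified") | .actor.login' | tail -n 1)
          ok=false
          if [ "$has_label" = "true" ] && [ -n "$applier" ]; then
            state=$(GH_TOKEN="$ORG_TOKEN" gh api \
              "orgs/example-org/teams/example-team/memberships/$applier" --jq .state 2>/dev/null || true)
            if [ "$state" = "active" ]; then
              ok=true
            else
              # Applier is not a trusted team member: remove the label, stay closed.
              gh api -X DELETE "repos/$REPO/issues/$PR/labels/verified"
            fi
          fi
          echo "authorised=$ok" >> "$GITHUB_OUTPUT"
  integration-tests:
    needs: label-gate
    if: needs.label-gate.outputs.authorised == 'true'   # caller decides; callee is unchanged
    permissions:
      contents: read             # callee jobs can never exceed what is granted here
    uses: ./.github/workflows/integration-test-example.yml
    secrets: inherit
```

The gate resolves the applier from the PR's label events rather than from the triggering event's sender, because on a `synchronize` run the sender is whoever pushed, not whoever applied the label.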

@github-actions

Tier-based Approval Status

**PR Tier:** TIER1

**Current Status:** ❌ PENDING

**Requirements:**
- 1 Team Member approval ❌ (0/1)
- 1 Team Lead OR Management approval ❌ (0/1)



---
*This comment is automatically updated when reviews change.*

@Proletter Proletter deleted the test/QVAC-18612-validate-merged-label-gate branch May 14, 2026 08:25