Add umbrella validation entry point

tests/failure-path/MATRIX.md

@@ -7,6 +7,7 @@ This document defines the systematic test coverage for pairing and authenticatio
 - ✅ = Test implemented
 - 🔄 = Test stub exists, needs implementation
 - ⬜ = Not yet implemented
+- ⏸ = Deferred / intentionally out of v1 scope
 - 🔴 = Critical path, high priority
 
 ---
@@ -35,7 +36,7 @@ This document defines the systematic test coverage for pairing and authenticatio
 | AF-01 | Unknown identifier | Auth from unpaired client | `auth_failed(unknown_identifier)` | ✅ |
 | AF-02 | Not paired | Auth before pairing complete | `auth_failed(not_paired)` | ✅ |
 | AF-03 | Invalid signature | Wrong private key used | `auth_failed(invalid_signature)` | ✅ |
-| AF-04 | Wrong secret | Client has outdated secret | `auth_failed(invalid_secret)` | ⬜ |
+| AF-04 | Wrong secret | Client has outdated secret | 当前实现将其并入 `auth_failed(invalid_signature)`；`invalid_secret` 语义保留待后续确认 | ⏸ |
 | AF-05 | Stale timestamp | Proof timestamp >10s old | `auth_failed(stale_timestamp)` | ✅ |
 | AF-06 | Future timestamp | Proof timestamp in future | `auth_failed(future_timestamp)` | ✅ |
 | AF-07 | Nonce collision | Reused nonce within window | `auth_failed(nonce_collision)` → `re_pair_required` 🔴 | ✅ |
@@ -52,8 +53,8 @@ This document defines the systematic test coverage for pairing and authenticatio
 |----|----------|-------|---------------|---------------|--------|
 | RP-01 | Nonce collision | Replay attack detected | Clear secret, reset state | Enter `pair_required` | ✅ |
 | RP-02 | Rate limit exceeded | Brute force detected | Clear secret, reset state | Enter `pair_required` | ✅ |
-| RP-03 | Admin-initiated | Manual revocation | Mark revoked, notify | Enter `pair_required` | ⬜ |
-| RP-04 | Key rotation | Client sends new public key | Update key, keep secret | Continue with new key | ⬜ |
+| RP-03 | Admin-initiated | Manual revocation | Mark revoked, notify | Enter `pair_required` | ⏸ |
+| RP-04 | Key rotation | Client sends new public key | Update key, keep secret | Continue with new key | ⏸ |
 
 ---
 
@@ -132,10 +133,23 @@ npm test -- failure-paths
 
 ### Current Notes
 
-- AF-04 (`invalid_secret`) 仍未单独覆盖：现有实现把“错误 secret 导致的验签失败”统一落到 `invalid_signature`，是否拆分错误码仍待确认。
-- RP-04（key rotation）当前仍视为 v2+ 议题；v1 尚未承诺“无重配对换 key”语义，因此暂不强行补测试。
+- AF-04 (`invalid_secret`) 目前明确按 v1 语义并入 `invalid_signature`，不再单独视为未完成缺口；若后续要保留独立错误码，需要先同步更新协议与实现。
+- RP-03（管理员主动撤销）与 RP-04（key rotation）继续作为 v2+ 议题保留，不阻塞当前 v1 交付判断。
 - 本轮已补齐 AF-01/02/03/05/06/09/10/11、RP-01/02、CF-01/02/03/04/05/07、HF-01/02、PF-08/09/10、SR-01/02/03/04/05/06。
 
+### Umbrella Validation Entry Point
+
+在 umbrella 仓库根目录可运行：
+
+```bash
+./scripts/validate-v1.sh
+```
+
+它会顺序执行：
+- `Yonexus.Protocol` 测试
+- `Yonexus.Server` 类型检查 + 测试
+- `Yonexus.Client` 类型检查 + 测试
+
 ### Adding New Test Cases
 
 1. Add row to appropriate table above