fix(api): fail closed on stale production runtime deploy readback

apps/api/tests/test_awoooi_production_deploy_readback_blocker.py

@@ -5,7 +5,7 @@ from src.services import awoooi_production_deploy_readback_blocker as service
 _COMMITTED_SNAPSHOT_SHA = "a70c6756d9e76c33143676eef82bab7a49ac1839"
 
 
-def test_production_deploy_readback_verifies_runtime_build_against_gitops_desired(
+def test_production_deploy_readback_blocks_stale_source_even_when_gitops_desired_matches_runtime(
     monkeypatch,
 ):
     build_sha = "0123456789abcdef0123456789abcdef01234567"
@@ -33,10 +33,13 @@ def test_production_deploy_readback_verifies_runtime_build_against_gitops_desire
     assert readback["desired_main_api_image_tag_sha"] == build_sha
     assert readback["desired_main_api_image_tag_source"] == "gitops_deployment_env"
     assert readback["desired_main_api_image_tag_readback_status"] == "ok"
-    assert readback["production_image_tag_matches_main"] is True
-    assert payload["status"] == "closure_verified"
-    assert rollups["production_image_tag_matches_main"] is True
-    assert rollups["hard_blocker_count"] == 0
+    assert readback["production_image_tag_matches_main"] is False
+    assert payload["status"] == "blocked_production_runtime_image_tag_not_verified"
+    assert rollups["production_image_tag_matches_main"] is False
+    assert rollups["hard_blocker_count"] == 1
+    assert "production_runtime_image_tag_does_not_match_gitea_main_desired_tag" in (
+        payload["blockers"]
+    )
 
 
 def test_production_deploy_readback_keeps_committed_snapshot_evidence(monkeypatch):