diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index e6e9cfa..7935782 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -1,6 +1,7 @@
 name: validate
 
 on:
+  workflow_dispatch:
   push:
     branches: [main]
   pull_request:
@@ -9,10 +10,15 @@ on:
 permissions:
   contents: read
 
+concurrency:
+  group: validate-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   validate:
-    name: Validate contracts, examples, CLI, and formula
+    name: Validate contracts, examples, CLI, formula, and docs
     runs-on: ubuntu-latest
+    timeout-minutes: 10
     steps:
       - name: Check out repository
         uses: actions/checkout@v4
@@ -21,9 +27,29 @@ jobs:
         uses: actions/setup-python@v5
         with:
           python-version: '3.12'
+          cache: pip
+          cache-dependency-path: requirements-dev.txt
+
+      - name: Show tool versions
+        run: |
+          python --version
+          ruby --version
+          make --version
 
       - name: Install validation dependencies
         run: python -m pip install --upgrade pip -r requirements-dev.txt
 
       - name: Run repo validation
         run: make validate
+
+      - name: Write validation summary
+        if: always()
+        run: |
+          {
+            echo "## Agent Machine validation"
+            echo
+            echo "- commit: $GITHUB_SHA"
+            echo "- event: $GITHUB_EVENT_NAME"
+            echo "- canonical command: \`make validate\`"
+            echo "- result: ${{ job.status }}"
+          } >> "$GITHUB_STEP_SUMMARY"
diff --git a/Makefile b/Makefile
index 0864928..3547f96 100644
--- a/Makefile
+++ b/Makefile
@@ -3,6 +3,7 @@
 PYTHON ?= python3
 RUBY ?= ruby
 CLI := bin/agent-machine
+BOOTSTRAP_CLI := sh $(CLI)
 FORMULA := packaging/homebrew/Formula/agent-machine.rb
 LOCAL_AGENTPOD := examples/local-podman-llama-cpp.agent-pod.json
 K8S_AGENTPOD := examples/k8s-topolvm.agent-pod.json
@@ -39,9 +40,9 @@ validate-render:
 	$(PYCLI) render receipt $(K8S_AGENTPOD) --artifact-path /tmp/agent-machine-pycli-k8s-agentpod-plan.json --pretty >/tmp/agent-machine-pycli-k8s-deployment-receipt.json
 	$(PYCLI) render quadlet $(LOCAL_AGENTPOD) --compare $(LOCAL_QUADLET)
 	$(PYCLI) render k8s $(K8S_AGENTPOD) --compare $(K8S_MANIFEST)
-	$(CLI) render plan $(LOCAL_AGENTPOD) --pretty >/tmp/agent-machine-bootstrap-local-agentpod-plan.json
-	$(CLI) render quadlet $(LOCAL_AGENTPOD) --compare $(LOCAL_QUADLET)
-	$(CLI) render k8s $(K8S_AGENTPOD) --compare $(K8S_MANIFEST)
+	$(BOOTSTRAP_CLI) render plan $(LOCAL_AGENTPOD) --pretty >/tmp/agent-machine-bootstrap-local-agentpod-plan.json
+	$(BOOTSTRAP_CLI) render quadlet $(LOCAL_AGENTPOD) --compare $(LOCAL_QUADLET)
+	$(BOOTSTRAP_CLI) render k8s $(K8S_AGENTPOD) --compare $(K8S_MANIFEST)
 
 validate-evidence:
 	$(PYTHON) scripts/validate-evidence.py
@@ -53,18 +54,17 @@ validate-activation:
 	$(PYTHON) scripts/validate-activation.py
 	$(PYTHON) scripts/evaluate-activation.py $(LOCAL_AGENTPOD) $(READY_POLICY) $(READY_GRANT) --deployment-receipt-id $(DEPLOYMENT_RECEIPT_ID) --storage-receipt-dir $(RECEIPT_DIR) --decided-at $(DECIDED_AT) --decision-id urn:srcos:agent-machine:activation-decision:local-llama-cpp-allowed --pretty >/tmp/agent-machine-evaluate-activation-allowed.json
 	$(PYCLI) activate evaluate $(LOCAL_AGENTPOD) $(FAIL_POLICY) $(FAIL_GRANT) --deployment-receipt-id $(DEPLOYMENT_RECEIPT_ID) --storage-receipt-dir $(RECEIPT_DIR) --decided-at $(DECIDED_AT) --decision-id urn:srcos:agent-machine:activation-decision:local-llama-cpp-fail-closed --pretty >/tmp/agent-machine-pycli-evaluate-activation-fail-closed.json
-	$(CLI) activate evaluate $(LOCAL_AGENTPOD) $(READY_POLICY) $(READY_GRANT) --deployment-receipt-id $(DEPLOYMENT_RECEIPT_ID) --storage-receipt-dir $(RECEIPT_DIR) --decided-at $(DECIDED_AT) --decision-id urn:srcos:agent-machine:activation-decision:local-llama-cpp-allowed --pretty >/tmp/agent-machine-bootstrap-evaluate-activation-allowed.json
+	$(BOOTSTRAP_CLI) activate evaluate $(LOCAL_AGENTPOD) $(READY_POLICY) $(READY_GRANT) --deployment-receipt-id $(DEPLOYMENT_RECEIPT_ID) --storage-receipt-dir $(RECEIPT_DIR) --decided-at $(DECIDED_AT) --decision-id urn:srcos:agent-machine:activation-decision:local-llama-cpp-allowed --pretty >/tmp/agent-machine-bootstrap-evaluate-activation-allowed.json
 
 validate-package:
 	$(PYTHON) scripts/validate-package.py
 
 validate-cli:
 	sh -n $(CLI)
-	chmod +x $(CLI)
-	$(CLI) version
-	$(CLI) paths
-	$(CLI) doctor --format json
-	$(CLI) probe --format json
+	$(BOOTSTRAP_CLI) version
+	$(BOOTSTRAP_CLI) paths
+	$(BOOTSTRAP_CLI) doctor --format json
+	$(BOOTSTRAP_CLI) probe --format json
 	$(PYCLI) version
 	$(PYCLI) paths --format json
 	$(PYCLI) doctor --format json
@@ -74,7 +74,7 @@ validate-formula:
 	$(RUBY) -c $(FORMULA)
 
 doctor:
-	$(CLI) doctor --format json
+	$(BOOTSTRAP_CLI) doctor --format json
 
 probe:
-	$(CLI) probe --format json
+	$(BOOTSTRAP_CLI) probe --format json