diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 1afdefa..9a1b5c8 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -18,8 +18,24 @@ jobs:
 
       - name: Reject manual dist edits in PR
         run: |
-          git fetch --no-tags --prune --depth=1 origin "${{ github.base_ref }}"
-          CHANGED="$(git diff --name-only "origin/${{ github.base_ref }}"...HEAD)"
+          BASE_SHA="${{ github.event.pull_request.base.sha }}"
+          HEAD_SHA="${{ github.event.pull_request.head.sha }}"
+
+          # Try to make both SHAs available locally; base is always in origin,
+          # head may come from a fork and may already be present via checkout.
+          git fetch --no-tags --prune --depth=1 origin "${BASE_SHA}" || true
+          git fetch --no-tags --prune --depth=1 origin "${HEAD_SHA}" || true
+
+          if git cat-file -e "${BASE_SHA}^{commit}" 2>/dev/null && git cat-file -e "${HEAD_SHA}^{commit}" 2>/dev/null; then
+            CHANGED="$(git diff --name-only "${BASE_SHA}" "${HEAD_SHA}")"
+          elif git rev-parse HEAD^1 >/dev/null 2>&1 && git rev-parse HEAD^2 >/dev/null 2>&1; then
+            # Fallback for PR merge refs checked out by actions/checkout.
+            CHANGED="$(git diff --name-only HEAD^1 HEAD^2)"
+          else
+            echo "Unable to compute changed files for this pull request."
+            exit 1
+          fi
+
           echo "$CHANGED"
           if echo "$CHANGED" | grep -q '^dist/'; then
             echo "Do not edit dist/ in pull requests."
diff --git a/README.md b/README.md
index d89a136..071cbd9 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,4 @@
+![](assets/maf.png)
 # Machine Authority Failure Taxonomy (MAF)
 
 MAF is a framework for evaluating machine-authority risk in infrastructure.
diff --git a/assets/maf.png b/assets/maf.png
new file mode 100644
index 0000000..82352dc
Binary files /dev/null and b/assets/maf.png differ