claim(3 U2): summary card + badge generated per-run + served live at /runs/<id>/ (real screenshot embedded; traversal-guarded); gate CLAIMED

machine-docs/ADVERSARY-INBOX.md

@@ -0,0 +1,26 @@
+# Builder → Adversary heads-up (delete after reading)
+
+**2026-05-31 — U2 about to be CLAIMED; how to cold-verify U2.3 serving + a deploy-mechanism gotcha.**
+
+1. **U2.3 dashboard serving is LIVE** at `https://ci.commoninternet.net/runs/<run_id>/<file>`. Cold-verify
+   by curling the live URLs (a real PASS run `u1-uk-shot` is published):
+   - `/runs/u1-uk-shot/summary.png` (200 image/png ~69KB — the card, real screenshot embedded)
+   - `/runs/u1-uk-shot/screenshot.png` (200 image/png ~30KB — the real uptime-kuma UI)
+   - `/runs/u1-uk-shot/badge.svg` (200 image/svg+xml), `/runs/u1-uk-shot/results.json` (200)
+   - traversal `/runs/u1-uk-shot/../../../etc/passwd`, `/runs/u1-uk-shot/evil.sh`, `/runs/nonexist/...`
+     → 404 (the dashboard's own 9B "not found", not Traefik's 19B — confirms the guard fires).
+
+2. **DEPLOY GOTCHA — do NOT `nixos-rebuild switch …#cc-ci` on the live host to verify.** The flake's
+   `#cc-ci` config now targets the **cc-ci-hetzner migration host** (cloud-init/dhcpcd/gptfdisk
+   hardware), NOT the live `cc-nix-test` host. A full switch would mis-reconfigure the live host. I
+   rolled the dashboard via its **module reconcile only** (`docker load` + `docker stack deploy`,
+   image `cc-ci-dashboard:466582e0aae0`) — zero host-config impact, reversible. Full rationale +
+   `nix store diff-closures` evidence is in DECISIONS.md (Phase 3 / U2 section). If you want to
+   reproduce the build cold, use `nixos-rebuild build` (NON-activating) then run the produced
+   `cc-ci-reconcile-dashboard`. Don't `switch`.
+
+3. The PASS card is live/real; the FAIL card render is deterministic from a fail results.json (the
+   render is outcome-agnostic): `cc-ci-run -c 'import sys; sys.path.insert(0,"runner"); from harness
+   import card as C; print(C.render_card_html({"recipe":"x","level":0,"level_cap_reason":"L1 install
+   failed","flags":{},"screenshot":None,"stages":[{"name":"install","status":"fail","tests":[]}]}))'`
+   → shows level 0 / red / FAIL / "no screenshot", never greener than the data (cardinal invariant).

machine-docs/BACKLOG-3.md

@@ -27,11 +27,14 @@ Milestones U0–U5 (plan §5); each ends with an Adversary gate. DoD items R1–
       working UI, no secrets, R7-safe wiring, graceful degradation), no VETO.
 
 ### U2 — Summary card + badge  (R3, R6)
-- [ ] U2.1 — HTML results-card template (recipe+version, level badge, per-stage/per-test ✔/✘ table,
-      embedded app screenshot) → render to PNG via Playwright (reuse harness browser).
-- [ ] U2.2 — Per-run + per-recipe SVG level/status badge endpoint.
-- [ ] U2.3 — Card + badge served at stable URLs (`/runs/<id>/summary.png`, `/badge/<recipe>.svg`).
-- GATE U2: card + badge render correctly for a pass run and a fail run.
+- [x] U2.1 — HTML results-card (recipe+version, level badge, per-stage/per-test ✔/✘ table, embedded
+      app screenshot) → PNG via Playwright; wired into run_recipe_ci.py, R7-best-effort.
+- [x] U2.2 — Per-run SVG level badge (`badge.svg`) generated per run (shields-style, colour by level).
+- [x] U2.3 — Card + badge + screenshot + results.json served at stable URLs
+      `/runs/<id>/{summary.png,badge.svg,screenshot.png,results.json}` (allow-list + traversal-guarded;
+      runs dir bind-mounted RO into the dashboard swarm service). LIVE over HTTPS, verified.
+- GATE U2: **CLAIMED 2026-05-31** — PASS card served live (u1-uk-shot, real screenshot embedded);
+      FAIL render deterministically honest (L0/red/✘/no-screenshot); traversal guard 404s.
 
 ### U3 — YunoHost-style PR comment  (R2)
 - [ ] U3.1 — Bridge posts a placeholder comment on run start (⏳ + live-logs link).

machine-docs/DECISIONS.md

@@ -1206,3 +1206,37 @@ Per-test rows come from per-tier pytest `--junitxml` (stdlib XML parse — no ne
 when present (what the PR comment + dashboard link to), else the unique run domain. The dashboard
 service will serve this dir read-only at `/runs/<run_id>/...` (wired in U2/U4 via a host bind-mount on
 the dashboard swarm service). Decided here; serving deferred to U2/U4 where the card/screenshot need it.
+
+---
+
+## Phase 3 / U2 — artifact serving + the dashboard deploy mechanism (SETTLED, 2026-05-31)
+
+**Serving (U2.3, R3/R6).** The dashboard (`dashboard/dashboard.py`) now serves per-run artifacts at
+the stable URL **`/runs/<run_id>/<file>`** for a strict allow-list of filenames
+(`results.json`, `summary.png`, `screenshot.png`, `badge.svg`, `summary.html`). Path traversal is
+blocked three ways: filename must be in the allow-list, `run_id` must match
+`^[A-Za-z0-9][A-Za-z0-9._-]*$` (no `/`, no `..`), and the resolved realpath must stay inside
+`CCCI_RUNS_DIR`. The run artifact dir `/var/lib/cc-ci-runs` is bind-mounted **read-only** into the
+dashboard swarm service (`nix/modules/dashboard.nix`, `CCCI_RUNS_DIR` env). Live + verified over
+HTTPS at `https://ci.commoninternet.net/runs/...` (200 for the four artifact types; 404 for
+traversal / non-whitelisted / nonexistent).
+
+**Dashboard deploy mechanism on the LIVE host (important, migration-era).** The flake's
+**`#cc-ci` nixosConfiguration currently targets the `cc-ci-hetzner` MIGRATION host** (cloud-init /
+dhcpcd / gptfdisk / bootspec hardware — confirmed via `nix store diff-closures` of a
+`nixos-rebuild build` against the running system: a large hardware-level delta, NOT just the
+dashboard). The **live running host is a different machine** (`cc-nix-test`, 100.90.116.4). Therefore a
+full `nixos-rebuild switch --flake …#cc-ci` against the live host is **WRONG** — it would
+mis-reconfigure the live host's hardware/networking. **Do not run it on the live host** until the
+migration settles the host↔config mapping (operator territory).
+- To roll a **swarm service** (dashboard/bridge/etc.) on the live host, run the module's own
+  idempotent **reconcile** (it only does `docker load` + `docker stack deploy` for that one service —
+  zero host-config impact, reversible). U2.3's dashboard roll was applied exactly this way: built the
+  new image via `nixos-rebuild build` (non-activating), then ran the produced
+  `cc-ci-reconcile-dashboard` (image `cc-ci-dashboard:466582e0aae0`). The change is fully
+  Nix-declared (committed `dashboard.nix` + `dashboard.py`), so any correct rebuild reproduces it.
+- **Caveat / operator finding:** because the live host's current system generation still embeds the
+  OLD `deploy-dashboard` reconcile, a re-activation of *that* generation (e.g. a reboot before the
+  host is rebuilt from current `main`) would roll the dashboard back to the pre-U2.3 image. The fix is
+  the migration completing (live host rebuilt from current `main`), not an agent host-switch. Filed so
+  it isn't lost; surfaced to the Adversary via inbox.

machine-docs/JOURNAL-3.md

@@ -148,3 +148,36 @@ no-secret-leak flags, AND the real uptime-kuma "Create your admin account" scree
 right. badge.svg 342B. This is the U2 acceptance shape with a real embedded app screenshot — the only
 U2 work left for its gate is SERVING these at stable URLs (U2.3, dashboard bind-mount) + showing a
 fail run. NOT claiming U2 — still gated behind U1's PASS.
+
+## 2026-05-31T07:25Z — U2 (summary card + badge + serving) wired, deployed, CLAIMED
+
+U1 PASSED (REVIEW-3 @74a6993). Built out U2 end-to-end and rolled the serving layer to production.
+
+WHY / notable decisions:
+- **Card generation placed AFTER results.json write, in its own best-effort block** (not the same
+  try as results.json) so a card-render failure can't masquerade as a results.json failure; both
+  swallow → never touch `overall` (R7).
+- **The card embeds the real screenshot** via `screenshot_rel=data["screenshot"]` (only truthy when
+  U1 captured a file), so the `show_shot` gate falls back to the "no screenshot" placeholder on a
+  failed/absent capture — no broken-image icon in real runs.
+- **Serving = a new `/runs/<id>/<file>` route on the existing dashboard**, NOT a new service. Strict
+  allow-list of filenames + `run_id` regex + realpath-inside-runs-dir = three independent traversal
+  guards (unit-proven locally with `../`, `..`, `/etc`, non-whitelisted names; live-proven on cc-ci).
+  Runs dir bind-mounted READ-ONLY (dashboard never writes run artifacts).
+- **DEPLOY: discovered `#cc-ci` now targets the cc-ci-hetzner migration host** (cloud-init/dhcpcd
+  hardware) — a `nixos-rebuild build` + `nix store diff-closures` vs the running system showed a big
+  hardware delta, NOT just my dashboard change. So a full `switch` on the LIVE host would be wrong/
+  dangerous. Rolled the dashboard via the **module reconcile only** (`docker load` + `docker stack
+  deploy`, image 466582e0aae0) — zero host-config impact, reversible. Recorded the mechanism +
+  migration caveat in DECISIONS.md (Phase-3/U2) and warned the Adversary via ADVERSARY-INBOX. This is
+  the cleanest in-scope way to make the change live without touching the migration-bound host config.
+- **Transient 404 during the roll:** right after `docker stack deploy`, Traefik briefly returned its
+  own 19B 404 for ALL paths (old task down, new task + Traefik re-sync window). Resolved on its own in
+  ~25s → `/` 200, `/runs/...` 200. Noted so it isn't mistaken for a real outage.
+
+Verification (live, post-roll):
+- `https://ci.commoninternet.net/runs/u1-uk-shot/summary.png` → 200 image/png 69313B (card w/ real
+  uptime-kuma screenshot embedded), `…/screenshot.png` 200 30858B, `…/badge.svg` 200, `…/results.json`
+  200. Traversal/non-whitelisted/nonexistent → 404 (9B = dashboard's own, guard fires).
+- 8 test_card unit tests pass; deterministic fail-card render = L0/red/✘/no-screenshot (no inflation).
+- `/etc/cc-ci` restored to `main`@fa56f6b (had temporarily checked it out to build).

machine-docs/STATUS-3.md

@@ -116,10 +116,58 @@ unreachable-domain capture.
 The cardinal Phase-3 invariant for U1: the screenshot is a faithful capture of the live app, never a
 credentials page, and its presence/absence never changes the verdict.
 
+---
+
+## Gate: U2 — CLAIMED, awaiting Adversary  (Summary card + badge; R3, R6)
+
+**WHAT.** Each run now renders a **summary card PNG** (recipe+version, level badge, per-stage/per-test
+✔/✘ table, embedded **real app screenshot**) and an **SVG level badge**, written into the run artifact
+dir and **served at stable URLs** `https://ci.commoninternet.net/runs/<run_id>/{summary.png,badge.svg,
+screenshot.png,results.json}`. The card REPORTS results.json verbatim — it computes nothing, so it can
+never look greener than the tiers (cardinal invariant). U2 acceptance ("card + badge render correctly
+for a pass run AND a fail run") demonstrated: a real PASS run served live; a deterministic FAIL render
+shown honest (L0/red/✘/no-screenshot).
+
+**WHERE (commits / files).**
+- `afe5e51` `runner/run_recipe_ci.py` — after results.json is written, a separate best-effort block
+  renders `summary.html`→`summary.png` + `badge.svg` via `harness.card` (passes
+  `screenshot_rel=data["screenshot"]` so the real shot embeds iff present). R7-wrapped — any failure
+  is swallowed, never changes `overall`.
+- `daa7edd`/`7217e0c`/`8179d3f` `runner/harness/card.py` — pure `render_card_html`, `render_badge_svg`/
+  `level_badge_svg` (deterministic string builders), `render_card_png` (best-effort Playwright). Inline
+  SVG sunflower (headless chromium has no colour-emoji font). `tests/unit/test_card.py` (8 tests).
+- `fa56f6b` `dashboard/dashboard.py` + `nix/modules/dashboard.nix` — `/runs/<id>/<file>` route
+  (allow-list + `run_id` regex + realpath-inside-runs-dir traversal guard); `/var/lib/cc-ci-runs`
+  bind-mounted READ-ONLY into the dashboard swarm service; `CCCI_RUNS_DIR` env.
+
+**HOW to verify (cold).** (See ADVERSARY-INBOX for the deploy gotcha — do NOT `nixos-rebuild switch`
+the live host; `#cc-ci` targets the hetzner migration host. U2.3 was rolled via the dashboard module
+reconcile only. DECISIONS.md Phase-3/U2 has the `diff-closures` evidence.)
+1. **Unit tests:** `cc-ci-run -m pytest tests/unit/test_card.py -q`  → `8 passed`.
+2. **PASS card served live (real):**
+   `curl -s -o /tmp/c.png -w '%{http_code} %{content_type} %{size_download}\n'
+    https://ci.commoninternet.net/runs/u1-uk-shot/summary.png` → `200 image/png ~69313`. Eyeball
+   `/tmp/c.png`: uptime-kuma, **orange LEVEL 1**, "capped: L2 upgrade N/A", install/test_serving ✔
+   PASS rows, clean-teardown+no-secret-leak flags, and the **real uptime-kuma screenshot embedded**.
+   Also `…/screenshot.png` (200 ~30858), `…/badge.svg` (200 image/svg+xml), `…/results.json` (200).
+3. **Traversal/whitelist guard:** `…/runs/u1-uk-shot/../../../etc/passwd`, `…/runs/u1-uk-shot/evil.sh`,
+   `…/runs/nonexist/results.json` → **404** with a **9-byte** body (the dashboard's own "not found",
+   NOT Traefik's 19-byte 404 — proves the request reached the app and the guard rejected it).
+4. **FAIL render is honest (cardinal invariant):** feed the card a fail dict (cmd in ADVERSARY-INBOX
+   §3) → card shows **level 0**, `level_color(0)` (red), the **✘ FAIL** mark on the install row, and
+   the **"no screenshot"** placeholder — never greener than the data.
+
+**EXPECTED.** (1) `8 passed`. (2) PASS card 200/image-png/~69KB, embeds the real screenshot, level/marks
+match results.json (`u1-uk-shot`: level 1, install pass). (3) all three guarded paths 404 with a 9B
+body. (4) fail render: `>0<` (level 0), red colour, ✘ present, "no screenshot" present — no inflation.
+
+The cardinal U2 invariant: the rendered card/level/badge are a faithful, never-greener projection of
+results.json + the actual test outcomes, served at a stable URL, generated best-effort so a render
+failure never blocks the run.
+
 ## In flight (next, post-gate)
-- U2 — summary card + badge (HTML→PNG via Playwright; SVG level badge; stable URLs). Render path
-  already de-risked headless on cc-ci for pass+fail fixtures (JOURNAL-3 @06:50Z) — next is wiring the
-  card/badge generation into the run + serving them. Held until U1 PASSes (no advance past the gate).
+- U3 — YunoHost-style PR comment (marker 🌻 + level/status badge + summary card image, linked;
+  updates on re-run; fallback to text). Held until U2 PASSes (no advance past the gate).
 
 ## Blocked
 (none)