From 778b57724a46c5bf4ce11d179b5f1c18e68537ed Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Sun, 31 May 2026 09:52:39 +0000 Subject: [PATCH] =?UTF-8?q?review(3=20U3):=20PASS=20=E2=80=94=20YunoHost?= =?UTF-8?q?=20PR=20comment=20cold-verified=20(R2);=20update-in-place=20rep?= =?UTF-8?q?roduced=20on=20my=20own=20!testme=20(run4=E2=86=927,=20comment?= =?UTF-8?q?=2013792=20never=20stacked),=20no=20inflation,=20no=20secrets?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machine-docs/REVIEW-3.md | 68 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 66 insertions(+), 2 deletions(-) diff --git a/machine-docs/REVIEW-3.md b/machine-docs/REVIEW-3.md index 8c424a3..491b71a 100644 --- a/machine-docs/REVIEW-3.md +++ b/machine-docs/REVIEW-3.md @@ -7,7 +7,7 @@ JOURNAL-3.md / BACKLOG-3.md `## Build backlog`. I own this file + BACKLOG-3.md ` ## Definition of Done (Phase 3) — R1–R8, each to be Adversary cold-verified within 24h - [x] **R1 — Level ladder.** Documented ladder (§4.1) maps passed test sets → one integer level per run; a missing lower rung caps the level (YunoHost semantics). **COLD-VERIFIED @U0 07:05Z.** -- [ ] **R2 — Image-forward PR comment.** `!testme` posts/updates a Gitea PR comment: marker (🌻) + +- [x] **R2 — Image-forward PR comment.** `!testme` posts/updates a Gitea PR comment: marker (🌻) + status/level badge + summary image, both linking to run/dashboard; re-run updates same comment. - [ ] **R3 — Summary card image.** Per-run PNG: recipe+version, level, per-stage/per-test ✔/✘ breakdown, embedded deployed-app screenshot; stable URL; in comment + dashboard. 
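Review bot: the R2 checkbox in this hunk is flipped to `[x]` without the cold-verification stamp that the neighbouring R1 line carries (`**COLD-VERIFIED @U0 07:05Z.**`), so a reader of the Definition of Done list cannot tell when, or at which gate, R2 was verified without scrolling to the log entry. The DoD heading says each R is "to be Adversary cold-verified within 24h", and the stamp on the line is the evidence for that deadline. Suggest appending `**COLD-VERIFIED @U3 09:51Z.**` to the R2 line, matching the timestamp recorded for the U3 gate, so R1 and R2 read the same way.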
@@ -25,7 +25,7 @@ JOURNAL-3.md / BACKLOG-3.md `## Build backlog`. I own this file + BACKLOG-3.md ` - [x] U0 — Results schema + level (results.json per-stage/per-test; level correct for L4-pass & L2-cap). **PASS @07:05Z.** - [x] U1 — App screenshot (real, post-login, secret-safe). **PASS @07:15Z.** - [x] U2 — Summary card + badge (HTML→PNG; level/✔✘/screenshot; SVG badge; stable URLs; pass+fail). **PASS @07:48Z.** -- [ ] U3 — YunoHost-style PR comment (marker+badge+card, linked; updates on re-run; no secrets). +- [x] U3 — YunoHost-style PR comment (marker+badge+card, linked; updates on re-run; no secrets). **PASS @09:51Z.** - [ ] U4 — Dashboard polish (grid mirrors underlying results across several runs). - [ ] U5 — Badges + docs + hardening (leak scan clean; renderer-kill degrades to text; flip DONE). 
@@ -358,3 +358,67 @@ U3 feature `9a47aa2` but has not yet `claim(`-ed the U3 gate). **A3-1 closed.** No open Adversary findings. No VETO. Idle until U3 is claimed (watchdog will ping on the first `claim(3 U3...)`); will cold-verify U3 (R2 image-forward comment, no-secrets, re-run-updates) on claim. + +### @2026-05-31T09:51Z — U3 GATE: PASS (YunoHost-style PR comment; R2) — COLD-VERIFIED +Claim `c7b5dc0 claim(3 U3)`. Verified cold from my own clone + the VM + a self-posted `!testme`. +Formed this verdict WITHOUT reading JOURNAL-3 (anti-anchoring); inbox artifact-map consumed @67ed6bf. + +**1. Deployed code == committed source (closes the trust loop).** +- `sha256(bridge/bridge.py)` first-12 in MY clone @67ed6bf = `6377f9571f3b` == host + `/etc/cc-ci/bridge/bridge.py` == swarm service image tag `cc-ci-bridge:6377f9571f3b` + (`ccci-bridge_app`, 1/1). The live bridge IS the claimed source; `bridge.py` last touched in `9a47aa2`. ✔ + +**2. Unit tests (cold, cc-ci devshell):** `cc-ci-run -m pytest tests/unit/test_bridge_trigger.py +tests/unit/test_card.py -q` → **15 passed** (placeholder shape, image-forward result, text-fallback, +marker find/update-in-place). ✔ + +**3. Live YunoHost-shaped comment (R2).** PR `recipe-maintainers/custom-html` #2, marked comment +**13792** (``): 🌻 + ``custom-html @ db9a9502 ✅ passed`` + +`[![cc-ci result card](…/runs/N/summary.png)](…/cc-ci/N)` + `[![level](…/runs/N/badge.svg)](…/cc-ci/N)` ++ full-logs + dashboard links. Marker present, both images linked to the run, no verbose inline table +— mirrors the YunoHost shape (plan §3). ✔ + +**4. CARDINAL — updates-in-place on re-run, COLD-REPRODUCED (not trusting the Builder's #3/#4 demo).** +I posted my OWN `!testme` (trigger comment 13794 @09:49:15Z). Before: 13792 `updated_at=09:42:59Z`, +links `/runs/4`. After: a real build #7 ran (real granular per-test timings, incl. 
+`test_restore_healthy=20173ms` — not a short-circuit), the bridge **edited the SAME comment 13792 in +place** (`updated_at→09:50:40Z`, links now `/runs/7`). **Marked-comment set stayed exactly `[13792]` +throughout** (19 total comments on the PR, maxid grew, but **zero new marked comments stacked**). +One comment per PR, refreshed in place — R2 satisfied cold. ✔ +(I did not catch the ⏳ placeholder live — build #7 completed within one poll cycle — but it is +unit-covered and was shown in the Builder's #3→#4 demo; not a gate concern.) + +**5. NO INFLATION (make-or-break) — card/badge vs raw run-7 results.json.** +`/runs/7/results.json`: `recipe=custom-html`, `version=db9a95024e9d`, `level=4`, +`cap="L5 integration (SSO/OIDC + cross-app) N/A"`, all five tiers (install/upgrade/backup/restore/custom) +`pass`, rungs install/upgrade/backup_restore/functional=pass, integration/recipe_local=na, +`flags={clean_teardown:true,no_secret_leak:true}`, `screenshot=screenshot.png`. +Eyeballed served `/runs/7/summary.png` (1800×858): custom-html · db9a95024e9d · 🌻 · **green LEVEL 4** · +"capped: L5 integration … N/A" · every stage **PASS** with per-test rows whose ms **match results.json +exactly** (test_serving 100, …, test_restore_healthy 20173, …) · ✔ clean teardown · ✔ no secret leak · +real embedded nginx screenshot. Badge text `"cc-ci level 4"`. **Card == data, never greener.** ✔ +(Gap-cap correct: functional passes but integration N/A → capped at L4, not inflated to L5/L6.) + +**6. NO SECRETS (R7).** Scan of comment 13792 body + `/runs/{3,4,7}/results.json` for +`password|secret|token|passwd|api_key|privkey|PRIVATE|BEGIN` → only `no_secret_leak` flag-name matches +(**CLEAN**). Embedded app screenshot (run 4 & 7) is custom-html's **"Welcome to nginx!"** page — no +credential values (eyeballed both summary cards + the standalone screenshot.png). ✔ + +**7. 
Artifacts served (R3 "in comment" sub-req).** `/runs/7/{summary.png(179646),badge.svg(342), +screenshot.png(35707),results.json(3897)}` all **200**; `/runs/4/*` & `/runs/3/*` all 200. HEAD also 200 +(A3-1 closed @8807240). ✔ + +**VERDICT: U3 PASS @2026-05-31T09:51Z.** Image-forward YunoHost-style PR comment is live; one comment +per PR refreshed in place (cold-reproduced on my own re-`!testme`, run 4→7, comment 13792 never +stacked); the embedded card+badge are a faithful never-greener projection of the run's results.json; +no secrets; deployed bridge == committed source; 15 unit tests pass. **R2 satisfied.** No VETO. Builder +may proceed to U4. + +**Scope / carry-forward (NOT defects):** +- **R3** — "embedded in the comment" sub-requirement is now **U3-verified**; R3 stays unticked until the + card is also embedded in the **dashboard** (U4). +- **R7 renderer-kill degradation** — the comment text-fallback path (`artifact_available` HEAD check) is + **unit-covered** (test_bridge_trigger) and structurally sound; the full live "kill the renderer → + degrades to text, verdict unaffected" demonstration is **U5** hardening scope, not U3. +- **Placeholder (⏳) not observed live** this run (build completed inside one 30s poll window); covered + by unit test + Builder's #3→#4 demo. Not re-tested — acceptable.
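Review bot: the "deployed code == committed source" check in item 1 of this hunk compares only the first 12 hex characters of `sha256(bridge/bridge.py)` (`6377f9571f3b`, 48 bits) and then treats the swarm image tag `cc-ci-bridge:6377f9571f3b` as equal to the file. A tag is a label chosen at build time, not a measurement of the image contents, and a 48-bit prefix is short for a check whose stated purpose is not trusting the Builder; compare the full 64-character digest, and hash the file inside the running container (or compare the image content digest) rather than the tag string, then record both values in the entry. Two smaller points in the same hunk: the secret scan in item 6 lists `password|secret|token|passwd|api_key|privkey|PRIVATE|BEGIN` in mixed case but does not say whether matching was case-insensitive, and it omits `authorization`, `bearer` and `cookie`; write down the exact command (for example `grep -iE`) so the next gate can reproduce the scan. In item 3 the parenthetical after comment **13792** is an empty code span (``(``)``); either paste the comment reference or drop the parentheses.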