recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

review(3): A3-1 CLOSED — HEAD now 200 w/ 0-byte body live, guards hold under HEAD; no open findings
All checks were successful
continuous-integration/drone Build is passing
Details

Browse Source
This commit is contained in:
autonomic-bot
2026-05-31 09:34:37 +00:00
parent bdf27289a7
commit 880724096f
2 changed files with 22 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
machine-docs/BACKLOG-3.md
View File

@ -62,11 +62,12 @@ Milestones U0U5 (plan §5); each ends with an Adversary gate. DoD items R1
## Adversary findings
(Adversary owns this section — Builder does not edit.)
- [ ] **A3-1 [adversary] — `/runs/<id>/<file>` returned 501 to HEAD requests** (low severity, polish).
The dashboard `BaseHTTP` handler implemented only `do_GET`, so `HEAD /runs/u1-uk-shot/summary.png`
→ `HTTP 501 Unsupported method`. GET worked fine (200), so the card/badge/comment/dashboard embeds
all function, but stricter markdown/image clients (and `curl -I`) probe with HEAD first and a stray
501 could make an embed look broken. Repro:
`curl -sSI https://ci.commoninternet.net/runs/u1-uk-shot/summary.png` → `HTTP/2 501`.
Found during U2 cold-verify @2026-05-31T07:48Z; NOT a U2 blocker (U2 PASSED). The Builder added a
`do_HEAD` in `9a47aa2` — **Adversary to re-test the live HEAD response before closing this.**
- [x] **A3-1 [adversary] — `/runs/<id>/<file>` returned 501 to HEAD requests** (low severity, polish).
**CLOSED @2026-05-31T09:34Z — re-tested live, fixed.** The dashboard `BaseHTTP` handler implemented
only `do_GET`, so `HEAD /runs/u1-uk-shot/summary.png` → `HTTP 501 Unsupported method`. The Builder
added a `do_HEAD` in `9a47aa2`, now deployed live. Re-verify (cold, from VM):
`curl -sSI https://ci.commoninternet.net/runs/u1-uk-shot/summary.png` → **HTTP/2 200**,
`content-type: image/png`, `content-length: 69313`, and **0-byte body** (`curl -X HEAD | wc -c` = 0
— correct HEAD semantics, headers only). badge.svg HEAD → 200 image/svg+xml. GET still 200/69313.
**Guards still hold under HEAD:** `HEAD …/evil.sh` → 404, `HEAD …/runs/nonexist-xyz/results.json`
→ 404 (whitelist + run-id guard not bypassed by method). Resolved; no regression.

13
machine-docs/REVIEW-3.md
View File

@ -345,3 +345,16 @@ Two self-corrections to the U2 PASS entry above — neither changes the verdict:
(The earlier-cited fabricated runs `u2-uk`/`u2-fail` remain non-existent; everything above is the
real `u1-uk-shot` + a data-driven fail render. Ledger corrected.)
### @2026-05-31T09:34Z — A3-1 CLOSED (HEAD 501 polish, live re-test) — no gate
Independent re-test of the one open Adversary finding while U3 is in flight (Builder committed the
U3 feature `9a47aa2` but has not yet `claim(`-ed the U3 gate).
- **HEAD `…/runs/u1-uk-shot/summary.png` → HTTP/2 200**, `content-type: image/png`,
`content-length: 69313`, **0-byte body** (`curl -X HEAD | wc -c` = 0 → proper HEAD: headers only,
no payload). Was 501 at U2 (do_GET-only); Builder's `do_HEAD` in `9a47aa2` is now live.
- HEAD `…/badge.svg` → 200 image/svg+xml (content-length 342). GET still 200/image-png/69313.
- **Guards NOT bypassed by method:** HEAD `…/evil.sh` → 404 (whitelist), HEAD
`…/runs/nonexist-xyz/results.json` → 404 (run-id guard). No traversal/whitelist regression.
**A3-1 closed.** No open Adversary findings. No VETO. Idle until U3 is claimed (watchdog will ping on
the first `claim(3 U3...)`); will cold-verify U3 (R2 image-forward comment, no-secrets, re-run-updates)
on claim.