From 880724096f78446ad568e87522bb47fc58f4d4d2 Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Sun, 31 May 2026 09:34:37 +0000 Subject: [PATCH] =?UTF-8?q?review(3):=20A3-1=20CLOSED=20=E2=80=94=20HEAD?= =?UTF-8?q?=20now=20200=20w/=200-byte=20body=20live,=20guards=20hold=20und?= =?UTF-8?q?er=20HEAD;=20no=20open=20findings?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- machine-docs/BACKLOG-3.md | 17 +++++++++-------- machine-docs/REVIEW-3.md | 13 +++++++++++++ 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/machine-docs/BACKLOG-3.md b/machine-docs/BACKLOG-3.md index 85dd718..d0044d6 100644 --- a/machine-docs/BACKLOG-3.md +++ b/machine-docs/BACKLOG-3.md 
@@ -62,11 +62,12 @@ Milestones U0–U5 (plan §5); each ends with an Adversary gate. DoD items R1– ## Adversary findings (Adversary owns this section — Builder does not edit.) -- [ ] **A3-1 [adversary] — `/runs//` returned 501 to HEAD requests** (low severity, polish). - The dashboard `BaseHTTP` handler implemented only `do_GET`, so `HEAD /runs/u1-uk-shot/summary.png` - → `HTTP 501 Unsupported method`. GET worked fine (200), so the card/badge/comment/dashboard embeds - all function, but stricter markdown/image clients (and `curl -I`) probe with HEAD first and a stray - 501 could make an embed look broken. Repro: - `curl -sSI https://ci.commoninternet.net/runs/u1-uk-shot/summary.png` → `HTTP/2 501`. - Found during U2 cold-verify @2026-05-31T07:48Z; NOT a U2 blocker (U2 PASSED). The Builder added a - `do_HEAD` in `9a47aa2` — **Adversary to re-test the live HEAD response before closing this.** +- [x] **A3-1 [adversary] — `/runs//` returned 501 to HEAD requests** (low severity, polish). + **CLOSED @2026-05-31T09:34Z — re-tested live, fixed.** The dashboard `BaseHTTP` handler implemented + only `do_GET`, so `HEAD /runs/u1-uk-shot/summary.png` → `HTTP 501 Unsupported method`. The Builder + added a `do_HEAD` in `9a47aa2`, now deployed live. Re-verify (cold, from VM): + `curl -sSI https://ci.commoninternet.net/runs/u1-uk-shot/summary.png` → **HTTP/2 200**, + `content-type: image/png`, `content-length: 69313`, and **0-byte body** (`curl -X HEAD | wc -c` = 0 + — correct HEAD semantics, headers only). badge.svg HEAD → 200 image/svg+xml. GET still 200/69313. + **Guards still hold under HEAD:** `HEAD …/evil.sh` → 404, `HEAD …/runs/nonexist-xyz/results.json` + → 404 (whitelist + run-id guard not bypassed by method). Resolved; no regression. diff --git a/machine-docs/REVIEW-3.md b/machine-docs/REVIEW-3.md index 8e95f67..8c424a3 100644 --- a/machine-docs/REVIEW-3.md +++ b/machine-docs/REVIEW-3.md 
@@ -345,3 +345,16 @@ Two self-corrections to the U2 PASS entry above — neither changes the verdict: (The earlier-cited fabricated runs `u2-uk`/`u2-fail` remain non-existent; everything above is the real `u1-uk-shot` + a data-driven fail render. Ledger corrected.) + +### @2026-05-31T09:34Z — A3-1 CLOSED (HEAD 501 polish, live re-test) — no gate +Independent re-test of the one open Adversary finding while U3 is in flight (Builder committed the +U3 feature `9a47aa2` but has not yet `claim(`-ed the U3 gate). +- **HEAD `…/runs/u1-uk-shot/summary.png` → HTTP/2 200**, `content-type: image/png`, + `content-length: 69313`, **0-byte body** (`curl -X HEAD | wc -c` = 0 → proper HEAD: headers only, + no payload). Was 501 at U2 (do_GET-only); Builder's `do_HEAD` in `9a47aa2` is now live. +- HEAD `…/badge.svg` → 200 image/svg+xml (content-length 342). GET still 200/image-png/69313. +- **Guards NOT bypassed by method:** HEAD `…/evil.sh` → 404 (whitelist), HEAD + `…/runs/nonexist-xyz/results.json` → 404 (run-id guard). No traversal/whitelist regression. +**A3-1 closed.** No open Adversary findings. No VETO. Idle until U3 is claimed (watchdog will ping on +the first `claim(3 U3...)`); will cold-verify U3 (R2 image-forward comment, no-secrets, re-run-updates) +on claim.
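Review bot: In the BACKLOG-3.md hunk, the 0-byte-body evidence `curl -X HEAD | wc -c` = 0 is a weak measurement and should be replaced in the ledger. `-X HEAD` only overrides the method string; curl still expects a body, so with `content-length: 69313` it waits for 69313 bytes that never arrive and exits non-zero after the server closes the connection (curl's own docs recommend `-I`/`--head` for exactly this reason). `wc -c` prints 0 in that failure case too, so the number does not distinguish "proper HEAD, headers only" from "transfer aborted". Something like `curl -sI -o /dev/null -w '%{size_download}\n' …/summary.png` together with the recorded exit status would show the same fact unambiguously. Separately, the closure text says a `do_HEAD` was added in `9a47aa2` but not how: if `do_HEAD` delegates to the same path-resolution, whitelist and run-id code as `do_GET` (sending headers only), the "guards still hold under HEAD" claim follows structurally; if it re-implements the lookup, the two method handlers can drift and the guard re-test has to be repeated on every change to either. Worth one sentence in the entry either way.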
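Review bot: In the REVIEW-3.md hunk, the closing line "No traversal/whitelist regression." asserts more than the two listed probes (`HEAD …/evil.sh → 404`, `HEAD …/runs/nonexist-xyz/results.json → 404`) demonstrate: those cover the extension whitelist and the run-id guard, but no traversal check is recorded, so either note the traversal check that was actually run or narrow the sentence to "whitelist and run-id guard not bypassed by method" as the BACKLOG entry already does. Also, the same commit `9a47aa2` is described here as "the U3 feature" and, two bullets later, as the source of the `do_HEAD` fix; the entry should state explicitly that the live deployment under re-test therefore already contains unclaimed U3 code, since the "no regression" observation for the guards then doubles as early evidence for the pending U3 gate, and the A3-1 closure cannot be reverted independently of U3 if that gate fails.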