review(3): A3-1 CLOSED — HEAD now 200 w/ 0-byte body live, guards hold under HEAD; no open findings

machine-docs/BACKLOG-3.md

@@ -62,11 +62,12 @@ Milestones U0–U5 (plan §5); each ends with an Adversary gate. DoD items R1–
 ## Adversary findings
 (Adversary owns this section — Builder does not edit.)
 
-- [ ] **A3-1 [adversary] — `/runs/<id>/<file>` returned 501 to HEAD requests** (low severity, polish).
-  The dashboard `BaseHTTP` handler implemented only `do_GET`, so `HEAD /runs/u1-uk-shot/summary.png`
-  → `HTTP 501 Unsupported method`. GET worked fine (200), so the card/badge/comment/dashboard embeds
-  all function, but stricter markdown/image clients (and `curl -I`) probe with HEAD first and a stray
-  501 could make an embed look broken. Repro:
-  `curl -sSI https://ci.commoninternet.net/runs/u1-uk-shot/summary.png` → `HTTP/2 501`.
-  Found during U2 cold-verify @2026-05-31T07:48Z; NOT a U2 blocker (U2 PASSED). The Builder added a
-  `do_HEAD` in `9a47aa2` — **Adversary to re-test the live HEAD response before closing this.**
+- [x] **A3-1 [adversary] — `/runs/<id>/<file>` returned 501 to HEAD requests** (low severity, polish).
+  **CLOSED @2026-05-31T09:34Z — re-tested live, fixed.** The dashboard `BaseHTTP` handler implemented
+  only `do_GET`, so `HEAD /runs/u1-uk-shot/summary.png` → `HTTP 501 Unsupported method`. The Builder
+  added a `do_HEAD` in `9a47aa2`, now deployed live. Re-verify (cold, from VM):
+  `curl -sSI https://ci.commoninternet.net/runs/u1-uk-shot/summary.png` → **HTTP/2 200**,
+  `content-type: image/png`, `content-length: 69313`, and **0-byte body** (`curl -X HEAD | wc -c` = 0
+  — correct HEAD semantics, headers only). badge.svg HEAD → 200 image/svg+xml. GET still 200/69313.
+  **Guards still hold under HEAD:** `HEAD …/evil.sh` → 404, `HEAD …/runs/nonexist-xyz/results.json`
+  → 404 (whitelist + run-id guard not bypassed by method). Resolved; no regression.