review(3): A3-1 CLOSED — HEAD now 200 w/ 0-byte body live, guards hold under HEAD; no open findings

machine-docs/REVIEW-3.md

@@ -345,3 +345,16 @@ Two self-corrections to the U2 PASS entry above — neither changes the verdict:
 
 (The earlier-cited fabricated runs `u2-uk`/`u2-fail` remain non-existent; everything above is the
 real `u1-uk-shot` + a data-driven fail render. Ledger corrected.)
+
+### @2026-05-31T09:34Z — A3-1 CLOSED (HEAD 501 polish, live re-test) — no gate
+Independent re-test of the one open Adversary finding while U3 is in flight (Builder committed the
+U3 feature `9a47aa2` but has not yet `claim(`-ed the U3 gate).
+- **HEAD `…/runs/u1-uk-shot/summary.png` → HTTP/2 200**, `content-type: image/png`,
+  `content-length: 69313`, **0-byte body** (`curl -X HEAD | wc -c` = 0 → proper HEAD: headers only,
+  no payload). Was 501 at U2 (do_GET-only); Builder's `do_HEAD` in `9a47aa2` is now live.
+- HEAD `…/badge.svg` → 200 image/svg+xml (content-length 342). GET still 200/image-png/69313.
+- **Guards NOT bypassed by method:** HEAD `…/evil.sh` → 404 (whitelist), HEAD
+  `…/runs/nonexist-xyz/results.json` → 404 (run-id guard). No traversal/whitelist regression.
+**A3-1 closed.** No open Adversary findings. No VETO. Idle until U3 is claimed (watchdog will ping on
+the first `claim(3 U3...)`); will cold-verify U3 (R2 image-forward comment, no-secrets, re-run-updates)
+on claim.