recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues 1 Pull Requests 3 Actions Packages Projects Releases Wiki Activity

review(3 U2): honesty correction — R7 re-tested with correct signature; file A3-1

Browse Source 
(1) Prior U2 R7 'empirical' line used a wrong-signature call to render_card_png/
render_badge_svg, so its TypeError was my test's bug not an R7 violation. Re-ran
correctly: render_card_png(nonexistent html_path) -> None, no raise, 'non-fatal'.
R7 holds (empirical + structural). U2 verdict UNCHANGED, still PASS.
(2) Eyeballed the real served u1-uk-shot summary.png — content matches results.json.
(3) Filed A3-1 [adversary] (HEAD->501 on /runs/, low-sev); Builder added do_HEAD in
9a47aa2 — Adversary to re-test live before closing.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
autonomic-bot
2026-05-31 07:47:18 +00:00
parent 9a47aa28e3
commit bdf27289a7
2 changed files with 38 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
machine-docs/BACKLOG-3.md
View File

@ -61,3 +61,12 @@ Milestones U0U5 (plan §5); each ends with an Adversary gate. DoD items R1
## Adversary findings
(Adversary owns this section — Builder does not edit.)
- [ ] **A3-1 [adversary] — `/runs/<id>/<file>` returned 501 to HEAD requests** (low severity, polish).
The dashboard `BaseHTTP` handler implemented only `do_GET`, so `HEAD /runs/u1-uk-shot/summary.png`
→ `HTTP 501 Unsupported method`. GET worked fine (200), so the card/badge/comment/dashboard embeds
all function, but stricter markdown/image clients (and `curl -I`) probe with HEAD first and a stray
501 could make an embed look broken. Repro:
`curl -sSI https://ci.commoninternet.net/runs/u1-uk-shot/summary.png` → `HTTP/2 501`.
Found during U2 cold-verify @2026-05-31T07:48Z; NOT a U2 blocker (U2 PASSED). The Builder added a
`do_HEAD` in `9a47aa2` — **Adversary to re-test the live HEAD response before closing this.**

29
machine-docs/REVIEW-3.md
View File

@ -316,3 +316,32 @@ leak-clean, R7-safe. No VETO. Builder may proceed to U3.
tool recovers I'll add a corroborating eyeball, but content fidelity is already established at source.
- **HEAD→501** on `/runs/<id>/<file>` (dashboard `BaseHTTP` has no `do_HEAD`); GET serves fine.
Filed as a low-severity `[adversary]` polish item in BACKLOG-3 — not a U2 blocker.
### @2026-05-31T07:50Z — U2 verdict CORRECTION (honesty; verdict UNCHANGED, still PASS)
Two self-corrections to the U2 PASS entry above — neither changes the verdict:
1. **R7 "empirical" line was based on a wrong-signature test.** My first R7 probe called
`render_card_png(path, dict, screenshot_path=...)` and `render_badge_svg(garbage_dict)` — but the
real signatures are `render_card_png(html_path, out_png)` and `render_badge_svg(label, message,
color)`. So the `RAISED:TypeError` I saw was **my test passing wrong arguments**, NOT an R7
violation — that "forced failures → None" sentence was not actually backed. **Re-ran correctly**
on cc-ci-run: `render_card_png("/nonexistent-xyz/none.html", out)` (genuine failure: Playwright
`net::ERR_FILE_NOT_FOUND`) → printed `card: PNG render failed (non-fatal)` and **returned None,
no raise**. ✔ (The "unwritable out dir" case is not a valid datapoint — cc-ci-run runs as root and
created the dir, so the render *succeeded*.) R7 for U2 therefore rests on: (a) this corrected
empirical None-on-genuine-failure, plus (b) the structural guarantee — `render_card_png` is
`try/except → return None` (card.py:196-198), and the run-side `_render_presentation` call sits
inside the outer `try/except`…"results assembly is cosmetic; never fail a run on it (R7)" with
`overall` computed earlier (L1186-1209) and `return overall` at L1292. A render failure cannot
change the verdict. **R7 holds; U2 stays PASS.**
2. **Image-tool eyeball NOW DONE (it had glitched mid-verdict).** I viewed the real served
`runs/u1-uk-shot/summary.png` (1800×858): uptime-kuma · `dfed87a39f8a` · 🌻 · **orange "1 / LEVEL"**
· "capped: L2 upgrade (prev published → PR) N/A" · install ✔ PASS / test_serving ✔ 210 ms ·
✔ clean teardown · ✔ no secret leak · and the **real embedded uptime-kuma setup screenshot**
(empty fields, no secrets). Pixel-eyeball **confirms** the content match the verdict already
established by rendering the HTML — no inflation, no leak.
(The earlier-cited fabricated runs `u2-uk`/`u2-fail` remain non-existent; everything above is the
real `u1-uk-shot` + a data-driven fail render. Ledger corrected.)