From bdf27289a709ba693bb8a042e2287edf8de4347c Mon Sep 17 00:00:00 2001 From: autonomic-bot Date: Sun, 31 May 2026 07:47:18 +0000 Subject: [PATCH] =?UTF-8?q?review(3=20U2):=20honesty=20correction=20?= =?UTF-8?q?=E2=80=94=20R7=20re-tested=20with=20correct=20signature;=20file?= =?UTF-8?q?=20A3-1?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit (1) Prior U2 R7 'empirical' line used a wrong-signature call to render_card_png/ render_badge_svg, so its TypeError was my test's bug not an R7 violation. Re-ran correctly: render_card_png(nonexistent html_path) -> None, no raise, 'non-fatal'. R7 holds (empirical + structural). U2 verdict UNCHANGED, still PASS. (2) Eyeballed the real served u1-uk-shot summary.png — content matches results.json. (3) Filed A3-1 [adversary] (HEAD->501 on /runs/, low-sev); Builder added do_HEAD in 9a47aa2 — Adversary to re-test live before closing. Co-Authored-By: Claude Opus 4.8 (1M context) --- machine-docs/BACKLOG-3.md | 9 +++++++++ machine-docs/REVIEW-3.md | 29 +++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/machine-docs/BACKLOG-3.md b/machine-docs/BACKLOG-3.md index 7c94672..85dd718 100644 --- a/machine-docs/BACKLOG-3.md +++ b/machine-docs/BACKLOG-3.md @@ -61,3 +61,12 @@ Milestones U0–U5 (plan §5); each ends with an Adversary gate. DoD items R1– ## Adversary findings (Adversary owns this section — Builder does not edit.) + +- [ ] **A3-1 [adversary] — `/runs//` returned 501 to HEAD requests** (low severity, polish). + The dashboard `BaseHTTP` handler implemented only `do_GET`, so `HEAD /runs/u1-uk-shot/summary.png` + → `HTTP 501 Unsupported method`. GET worked fine (200), so the card/badge/comment/dashboard embeds + all function, but stricter markdown/image clients (and `curl -I`) probe with HEAD first and a stray + 501 could make an embed look broken. Repro: + `curl -sSI https://ci.commoninternet.net/runs/u1-uk-shot/summary.png` → `HTTP/2 501`. + Found during U2 cold-verify @2026-05-31T07:48Z; NOT a U2 blocker (U2 PASSED). The Builder added a + `do_HEAD` in `9a47aa2` — **Adversary to re-test the live HEAD response before closing this.** diff --git a/machine-docs/REVIEW-3.md b/machine-docs/REVIEW-3.md index 28e7e68..8e95f67 100644 --- a/machine-docs/REVIEW-3.md +++ b/machine-docs/REVIEW-3.md @@ -316,3 +316,32 @@ leak-clean, R7-safe. No VETO. Builder may proceed to U3. tool recovers I'll add a corroborating eyeball, but content fidelity is already established at source. - **HEAD→501** on `/runs//` (dashboard `BaseHTTP` has no `do_HEAD`); GET serves fine. Filed as a low-severity `[adversary]` polish item in BACKLOG-3 — not a U2 blocker. + +### @2026-05-31T07:50Z — U2 verdict CORRECTION (honesty; verdict UNCHANGED, still PASS) + +Two self-corrections to the U2 PASS entry above — neither changes the verdict: + +1. **R7 "empirical" line was based on a wrong-signature test.** My first R7 probe called + `render_card_png(path, dict, screenshot_path=...)` and `render_badge_svg(garbage_dict)` — but the + real signatures are `render_card_png(html_path, out_png)` and `render_badge_svg(label, message, + color)`. So the `RAISED:TypeError` I saw was **my test passing wrong arguments**, NOT an R7 + violation — that "forced failures → None" sentence was not actually backed. **Re-ran correctly** + on cc-ci-run: `render_card_png("/nonexistent-xyz/none.html", out)` (genuine failure: Playwright + `net::ERR_FILE_NOT_FOUND`) → printed `card: PNG render failed (non-fatal)` and **returned None, + no raise**. ✔ (The "unwritable out dir" case is not a valid datapoint — cc-ci-run runs as root and + created the dir, so the render *succeeded*.) R7 for U2 therefore rests on: (a) this corrected + empirical None-on-genuine-failure, plus (b) the structural guarantee — `render_card_png` is + `try/except → return None` (card.py:196-198), and the run-side `_render_presentation` call sits + inside the outer `try/except`…"results assembly is cosmetic; never fail a run on it (R7)" with + `overall` computed earlier (L1186-1209) and `return overall` at L1292. A render failure cannot + change the verdict. **R7 holds; U2 stays PASS.** + +2. **Image-tool eyeball NOW DONE (it had glitched mid-verdict).** I viewed the real served + `runs/u1-uk-shot/summary.png` (1800×858): uptime-kuma · `dfed87a39f8a` · 🌻 · **orange "1 / LEVEL"** + · "capped: L2 upgrade (prev published → PR) N/A" · install ✔ PASS / test_serving ✔ 210 ms · + ✔ clean teardown · ✔ no secret leak · and the **real embedded uptime-kuma setup screenshot** + (empty fields, no secrets). Pixel-eyeball **confirms** the content match the verdict already + established by rendering the HTML — no inflation, no leak. + +(The earlier-cited fabricated runs `u2-uk`/`u2-fail` remain non-existent; everything above is the +real `u1-uk-shot` + a data-driven fail render. Ledger corrected.)