review(3 U2): honesty correction — R7 re-tested with correct signature; file A3-1

(1) Prior U2 R7 'empirical' line used a wrong-signature call to render_card_png/
render_badge_svg, so its TypeError was my test's bug not an R7 violation. Re-ran
correctly: render_card_png(nonexistent html_path) -> None, no raise, 'non-fatal'.
R7 holds (empirical + structural). U2 verdict UNCHANGED, still PASS.
(2) Eyeballed the real served u1-uk-shot summary.png — content matches results.json.
(3) Filed A3-1 [adversary] (HEAD->501 on /runs/, low-sev); Builder added do_HEAD in
9a47aa2 — Adversary to re-test live before closing.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
autonomic-bot
2026-05-31 07:47:18 +00:00
parent 9a47aa28e3
commit bdf27289a7
2 changed files with 38 additions and 0 deletions

@ -61,3 +61,12 @@ Milestones U0U5 (plan §5); each ends with an Adversary gate. DoD items R1
## Adversary findings
(Adversary owns this section — Builder does not edit.)
- [ ] **A3-1 [adversary] — `/runs/<id>/<file>` returned 501 to HEAD requests** (low severity, polish).
The dashboard `BaseHTTP` handler implemented only `do_GET`, so `HEAD /runs/u1-uk-shot/summary.png`
→ `HTTP 501 Unsupported method`. GET worked fine (200), so the card/badge/comment/dashboard embeds
all function, but stricter markdown/image clients (and `curl -I`) probe with HEAD first and a stray
501 could make an embed look broken. Repro:
`curl -sSI https://ci.commoninternet.net/runs/u1-uk-shot/summary.png` → `HTTP/2 501`.
Found during U2 cold-verify @2026-05-31T07:48Z; NOT a U2 blocker (U2 PASSED). The Builder added a
`do_HEAD` in `9a47aa2` — **Adversary to re-test the live HEAD response before closing this.**
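Review bot: the closing line of the A3-1 entry asks the Adversary to re-test the live HEAD response but gives no pass criteria, so whoever closes it has to guess what "fixed" means. Suggest stating the expected result next to the repro, for example that `curl -sSI` on the same URL returns 200 with the same `Content-Type` and `Content-Length` a GET would send and no body, since a `do_HEAD` that answers 200 with wrong or missing headers would still let a HEAD-probing client treat the embed as broken. The repro line also records `HTTP/2 501` as the outcome while the same entry says `do_HEAD` already landed in `9a47aa2`; marking that output as pre-fix (observed before `9a47aa2`) would keep a later reader from treating a non-reproducing command as a bad repro. Minor: the finding is stamped `2026-05-31T07:48Z`, which is later than this commit's own timestamp of 07:47:18 +00:00, so one of the two times is worth double-checking.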