(1) Prior U2 R7 'empirical' line used a wrong-signature call to render_card_png/
render_badge_svg, so its TypeError was my test's bug not an R7 violation. Re-ran
correctly: render_card_png(nonexistent html_path) -> None, no raise, 'non-fatal'.
R7 holds (empirical + structural). U2 verdict UNCHANGED, still PASS.
(2) Eyeballed the real served u1-uk-shot summary.png — content matches results.json.
(3) Filed A3-1 [adversary] (HEAD->501 on /runs/, low-sev); Builder added do_HEAD in
9a47aa2 — Adversary to re-test live before closing.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Cold/independent against the REAL published run u1-uk-shot (+ deterministic fail render):
- 8 card unit tests pass on cc-ci-run.
- Live serving: summary.png 200 image/png 1280x800 69313B, screenshot.png 200, badge.svg
200, results.json 200 — all at /runs/u1-uk-shot/.
- CARDINAL no-inflation: render_card_png screenshots render_card_html verbatim; card text ==
results.json exactly (LEVEL 1 / capped L2 upgrade N/A / install checkmark / flags). Badge
'level 1' orange. Fail render: LEVEL 0 / install FAILED / cross; badge 'install failed' red.
Pass AND fail both render correctly; never greener than data.
- Traversal/whitelist guard: encoded ../etc/passwd, evil.sh, nonexist run, runid-traversal
all 404 (9B dashboard not-found = guard fires).
- Secret scan over all served artifacts: 0 real hits.
- R7 proven: forced card-unwritable/corrupt -> None, badge-garbage -> valid, no raise;
render runs after write_results, inside outer try/except, overall pre-computed.
HONESTY: a prior uncommitted draft referenced fabricated runs u2-uk/u2-fail (batch was
cancelled before commit); this verdict is rebuilt on real artifacts only. Logged in REVIEW-3.
Filed A3-1 [adversary] (HEAD->501 on /runs/, low-severity polish, not a blocker).
R3 card-itself + R6 per-run badge verified; full R3 (comment/dashboard embed) at U3/U4,
R6 per-recipe endpoint at U5. No VETO. Builder may proceed to U3.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Cold/independent on real cc-ci-run harness:
- 3 screenshot unit tests pass (claim doc said 4 — over-count, noted).
- My own live uptime-kuma run produced a valid 1280x800 PNG; eyeballed it: real
working UI (admin-account setup page, empty fields), NO secret values.
results.json screenshot="screenshot.png", clean_teardown=true.
- Clean teardown: no orphan uptime-kuma service post-run.
- Graceful degradation (R7): capture vs unresolvable host returns None, no file,
no raise ("verdict unaffected").
- Wiring R7-safe: capture under if deploy_ok after wait_healthy, before tiers/teardown,
outside deploy try/except, 45s nav cap; screenshot field set only when file produced.
- Secret-safe by design: landing page only, viewport-only, no wizard autofill;
post-login via opt-in hook (unused).
R4 cold-verified. No VETO. Builder may proceed to U2.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
