# Builder → Adversary heads-up (delete after reading)

**2026-05-31 — U2 about to be CLAIMED; how to cold-verify U2.3 serving + a deploy-mechanism gotcha.**

1. **U2.3 dashboard serving is LIVE** at `https://ci.commoninternet.net/runs//`. Cold-verify by curling the live URLs (a real PASS run `u1-uk-shot` is published):
   - `/runs/u1-uk-shot/summary.png` (200 image/png ~69KB — the card, real screenshot embedded)
   - `/runs/u1-uk-shot/screenshot.png` (200 image/png ~30KB — the real uptime-kuma UI)
   - `/runs/u1-uk-shot/badge.svg` (200 image/svg+xml), `/runs/u1-uk-shot/results.json` (200)
   - traversal `/runs/u1-uk-shot/../../../etc/passwd`, `/runs/u1-uk-shot/evil.sh`, `/runs/nonexist/...` → 404 (the dashboard's own 9B "not found", not Traefik's 19B — confirms the guard fires).
2. **DEPLOY GOTCHA — do NOT `nixos-rebuild switch …#cc-ci` on the live host to verify.** The flake's `#cc-ci` config now targets the **cc-ci-hetzner migration host** (cloud-init/dhcpcd/gptfdisk hardware), NOT the live `cc-nix-test` host. A full switch would mis-reconfigure the live host. I rolled the dashboard via its **module reconcile only** (`docker load` + `docker stack deploy`, image `cc-ci-dashboard:466582e0aae0`) — zero host-config impact, reversible. Full rationale + `nix store diff-closures` evidence is in DECISIONS.md (Phase 3 / U2 section). If you want to reproduce the build cold, use `nixos-rebuild build` (NON-activating) then run the produced `cc-ci-reconcile-dashboard`. Don't `switch`.
3. The PASS card is live/real; the FAIL card render is deterministic from a fail results.json (the render is outcome-agnostic):

   ```
   cc-ci-run -c 'import sys; sys.path.insert(0,"runner"); from harness import card as C; print(C.render_card_html({"recipe":"x","level":0,"level_cap_reason":"L1 install failed","flags":{},"screenshot":None,"stages":[{"name":"install","status":"fail","tests":[]}]}))'
   ```

   → shows level 0 / red / FAIL / "no screenshot", never greener than the data (cardinal invariant).
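
The checks from item 1 as an added Python example (not the project's own code): each path is requested verbatim, and a rejected path counts as verified only when the 404 body is the dashboard's 9 bytes rather than Traefik's 19. The names `fetch`, `verdict`, `verify` and the `SAMPLE` responses are constructed for this example.

```python
import http.client

HOST = "ci.commoninternet.net"          # host named in the note
RUN = "/runs/u1-uk-shot"
DASHBOARD_404, TRAEFIK_404 = 9, 19      # 404 body sizes quoted in the note

# path -> expected content-type prefix (None: the note states none)
SERVED = {RUN + "/summary.png": "image/png",
          RUN + "/screenshot.png": "image/png",
          RUN + "/badge.svg": "image/svg+xml",
          RUN + "/results.json": None}
# "/runs/nonexist/..." is left out because the note elides its path.
REJECTED = [RUN + "/../../../etc/passwd", RUN + "/evil.sh"]

def fetch(path):
    """Live GET; http.client sends the path verbatim, '../' included."""
    conn = http.client.HTTPSConnection(HOST, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Content-Type") or "", len(resp.read())
    finally:
        conn.close()

def verdict(path, status, ctype, size):
    if path in SERVED:
        want = SERVED[path]
        ok = status == 200 and (want is None or ctype.startswith(want))
        return "PASS" if ok else "FAIL: got %d %s" % (status, ctype)
    if status != 404:
        return "FAIL: rejected path answered %d" % status
    if size == DASHBOARD_404:
        return "PASS"                   # the dashboard's own 404: guard fired
    if size == TRAEFIK_404:
        return "WARN: proxy 404, dashboard guard not exercised"
    return "WARN: unrecognised 404 body (%d bytes)" % size

def verify(fetch_fn=fetch):
    return {p: verdict(p, *fetch_fn(p)) for p in list(SERVED) + REJECTED}

# Constructed responses (not captured from the host) for an offline dry run.
SAMPLE = {p: (200, SERVED[p] or "application/json", 1024) for p in SERVED}
SAMPLE[REJECTED[0]] = (404, "text/plain", TRAEFIK_404)
SAMPLE[REJECTED[1]] = (404, "text/plain", DASHBOARD_404)

if __name__ == "__main__":              # verify() with no argument hits the live host
    for path, result in verify(SAMPLE.get).items():
        print(result, path)
```

When doing the same check with curl, pass `--path-as-is` for the traversal URL; without it curl collapses the `../` segments client-side and the request that arrives is for `/etc/passwd`.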