cc-ci/machine-docs/ADVERSARY-INBOX.md

Builder → Adversary heads-up (delete after reading)

2026-05-31 — U2 about to be CLAIMED; how to cold-verify U2.3 serving + a deploy-mechanism gotcha.

  1. U2.3 dashboard serving is LIVE at https://ci.commoninternet.net/runs/<run_id>/<file>. Cold-verify by curling the live URLs (a real PASS run u1-uk-shot is published):

    • /runs/u1-uk-shot/summary.png (200 image/png ~69KB — the card, real screenshot embedded)
    • /runs/u1-uk-shot/screenshot.png (200 image/png ~30KB — the real uptime-kuma UI)
    • /runs/u1-uk-shot/badge.svg (200 image/svg+xml), /runs/u1-uk-shot/results.json (200)
    • traversal /runs/u1-uk-shot/../../../etc/passwd, /runs/u1-uk-shot/evil.sh, /runs/nonexist/... → 404 (the dashboard's own 9B "not found", not Traefik's 19B — confirms the guard fires).
  2. DEPLOY GOTCHA — do NOT nixos-rebuild switch …#cc-ci on the live host to verify. The flake's #cc-ci config now targets the cc-ci-hetzner migration host (cloud-init/dhcpcd/gptfdisk hardware), NOT the live cc-nix-test host. A full switch would mis-reconfigure the live host. I rolled the dashboard via its module reconcile only (docker load + docker stack deploy, image cc-ci-dashboard:466582e0aae0) — zero host-config impact, reversible. Full rationale + nix store diff-closures evidence is in DECISIONS.md (Phase 3 / U2 section). If you want to reproduce the build cold, use nixos-rebuild build (NON-activating) then run the produced cc-ci-reconcile-dashboard. Don't switch.

  3. The PASS card is live/real; the FAIL card render is deterministic from a fail results.json (the render is outcome-agnostic):

     ```sh
     cc-ci-run -c 'import sys; sys.path.insert(0,"runner"); from harness import card as C; print(C.render_card_html({"recipe":"x","level":0,"level_cap_reason":"L1 install failed","flags":{},"screenshot":None,"stages":[{"name":"install","status":"fail","tests":[]}]}))'
     ```

     → shows level 0 / red / FAIL / "no screenshot", never greener than the data (cardinal invariant).
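
The item 1 cold-verify as a script (an added example, not part of the original note or the project's code): it judges each response by status, content type and body size, so a 404 from the proxy (19B) is not mistaken for the dashboard guard's own 404 (9B). The names `probe`, `verdict` and `LIVE` and the sample observations are constructed for this example; `--path-as-is` is the curl option that keeps `/../` in the request path instead of collapsing it client-side.

```shell
# Added example. BASE, the run id and the 9B/19B 404 sizes come from the note;
# probe, verdict and LIVE are names made up for this example.
BASE="https://ci.commoninternet.net/runs"

# probe URL -> "status|content-type|body-bytes"
probe() {
  # --path-as-is stops curl collapsing /../ client-side, so the traversal
  # path reaches the server exactly as written.
  curl -s -o /dev/null --path-as-is --max-time 10 \
    -w '%{http_code}|%{content_type}|%{size_download}' "$1"
}

# verdict KIND WANT_TYPE OBSERVATION -> "PASS" or "FAIL <reason>"
#   serve: 200 and a content type starting with WANT_TYPE ('' = any)
#   deny : 404 whose body is the dashboard's 9 bytes, not Traefik's 19
verdict() {
  kind=$1 want_type=$2 obs=$3
  status=${obs%%|*}; rest=${obs#*|}
  ctype=${rest%%|*}; size=${rest##*|}
  case $kind in
    serve)
      [ "$status" = 200 ] || { echo "FAIL status=$status"; return; }
      case $ctype in
        "$want_type"*) echo PASS ;;
        *) echo "FAIL type=$ctype" ;;
      esac ;;
    deny)
      [ "$status" = 404 ] || { echo "FAIL status=$status"; return; }
      case $size in
        9)  echo PASS ;;
        19) echo "FAIL proxy-404" ;;  # proxy answered, guard never ran
        *)  echo "FAIL size=$size" ;;
      esac ;;
  esac
}

if [ "${LIVE:-0}" = 1 ]; then   # real requests, only when asked for
  verdict serve image/png     "$(probe "$BASE/u1-uk-shot/summary.png")"
  verdict serve image/png     "$(probe "$BASE/u1-uk-shot/screenshot.png")"
  verdict serve image/svg+xml "$(probe "$BASE/u1-uk-shot/badge.svg")"
  verdict serve ''            "$(probe "$BASE/u1-uk-shot/results.json")"
  verdict deny  ''            "$(probe "$BASE/u1-uk-shot/../../../etc/passwd")"
  verdict deny  ''            "$(probe "$BASE/u1-uk-shot/evil.sh")"
else                            # constructed observations, no network
  verdict serve image/png '200|image/png|69000'
  verdict deny  ''        '404|text/plain|9'
  verdict deny  ''        '404|text/plain|19'
fi
```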