cc-ci/machine-docs/STATUS-3.md

Phase 3 — Beautiful YunoHost-style results — STATUS

SSOT: /srv/cc-ci/cc-ci-plan/plan-phase3-results-ux.md. DoD = R1–R8. Milestones U0–U5. State files (this phase): machine-docs/{STATUS,BACKLOG,REVIEW,JOURNAL}-3.md. DECISIONS.md shared.

WHAT + HOW + EXPECTED + WHERE live here; WHY → JOURNAL-3.md.

Phase context

• Phase 2b is ## DONE (Adversary-verified, no VETO). Phase 3 kicked off manually by the operator. Note for honesty: Phase-2 ## DONE not yet flipped (REVIEW-2 standing VETO on full Phase-2 DONE authorization); cross-phase sequencing is an operator call. Adversary concurs it's not a P3 blocker (REVIEW-3 @05:42Z).
• Pre-existing repo-wide lint is RED on origin/main (94 files ruff format-dirty + 36 ruff check errors; confirmed on cc-ci CI devshell against clean origin/main, ruff 0.7.3). This predates Phase 3 and is NOT introduced by my work — my NEW Phase-3 files are fully ruff-clean, and I left run_recipe_ci.py with fewer ruff errors than main (1 vs 4). Flagged for the operator; not a Phase-3 DoD item, and the U0 gate is verified by unit tests + real-run results.json, not repo-wide lint.

---

Gate: U0 — PASS (Adversary REVIEW-3 @18d2bd1, 2026-05-31; R1 cold-verified, no VETO) (Results schema + level)

WHAT. run_recipe_ci.py now emits a per-run results.json with per-stage AND per-test ✔/✘ breakdown and a computed integer level (L0–L6, YunoHost gap-caps semantics). DoD R1 (level ladder) satisfied; U0 milestone acceptance ("level correct for a recipe through L4 and one capped at L2") demonstrated on two real end-to-end runs.

WHERE (commits / files).

• 9773e3f runner/harness/level.py — pure compute_level(rungs)->(level,cap_reason) + helpers backup_restore_status, tier_to_rung. tests/unit/test_level.py (15 tests).
• 52e5d21 runner/harness/results.py — JUnit-XML parse, collect_stages, derive_rungs (the tier+deps/SSO→rung translation), build_results, write_results. tests/unit/test_results.py (13 tests). runner/run_recipe_ci.py — tiers emit --junitxml + append {tier,source,file,rc,junit} records; main() assembles+writes results.json wrapped so a failure NEVER changes the verdict (R7), incl. a narrow self leak-scan of the serialised artifact.
• 757511e machine-docs/DECISIONS.md (Phase-3 section) — the documented ladder + exact rung-mapping contract derive_rungs implements + results.json schema + artifact-hosting decision.

HOW to verify (cold, from your clone on cc-ci).

1. Unit tests (deterministic; also fuzz-verifiable): cc-ci-run -m pytest tests/unit/test_level.py tests/unit/test_results.py -q
2. Real-run L2-cap (stateless, not backup-capable, ≥2 versions): RECIPE=custom-html-tiny STAGES=install,upgrade,backup,restore,custom CCCI_RUN_ID=adv-cht cc-ci-run runner/run_recipe_ci.py then read /var/lib/cc-ci-runs/adv-cht/results.json.
3. Real-run L4-pass (backup-capable, 3 functional tests, no deps): RECIPE=uptime-kuma STAGES=install,upgrade,backup,restore,custom CCCI_RUN_ID=adv-uk cc-ci-run runner/run_recipe_ci.py then read /var/lib/cc-ci-runs/adv-uk/results.json. (Compare the level/rungs against the results dict + DECISIONS contract — a level greener than the tiers would be a FAIL. Verify clean teardown: no orphan *-pr*/recipe service after.)

EXPECTED.

1. 28 passed.
2. custom-html-tiny: level=2, level_cap_reason="L3 backup/restore (data integrity) N/A", rungs={install:pass, upgrade:pass, backup_restore:na, functional:na, integration:na, recipe_local:na}, results={install:pass, upgrade:pass, backup:skip, restore:skip, custom:skip}, flags={clean_teardown:true, no_secret_leak:true}, stages=[install,upgrade] each w/ per-test rows. (My run: /var/lib/cc-ci-runs/u0-cht-L2/results.json.)
3. uptime-kuma: level=4, level_cap_reason="L5 integration (SSO/OIDC + cross-app) N/A", rungs={install:pass, upgrade:pass, backup_restore:pass, functional:pass, integration:na, recipe_local:na}, all five tiers pass, flags.clean_teardown=true, stages=[install,upgrade,backup,restore,custom] with per-test rows (incl. 3 uptime-kuma functional tests, source cc-ci). (My run: /var/lib/cc-ci-runs/u0-uk-L4/results.json.)

These two bracket the gate: a recipe whose functional tests pass is still capped at L2 when a lower rung (L3 backup) is N/A (gap-caps; never inflates), and a full clean climb with no SSO surface caps at L4.

---

Gate: U1 — PASS (Adversary REVIEW-3 @74a6993, 2026-05-31; R4 cold-verified, no VETO) (App screenshot)

WHAT. The harness now captures a real Playwright screenshot of the deployed app while it is up (after deploy+health/readiness, before any tier mutates state, before teardown) and writes it to the run artifact dir as screenshot.png. The capture is secret-safe by default (it shoots the app landing page, never a credentials page; a recipe opts into a post-login view via an optional SCREENSHOT meta hook that owns the no-secret-page guarantee — none used yet). It is best-effort: capture() swallows every error and returns None, so it NEVER blocks/fails/hangs the run (R7); the results.json screenshot field is set to "screenshot.png" ONLY when the capture actually produced a file, else stays null. U1 milestone acceptance ("screenshot of a sample recipe shows the working UI, no secrets") demonstrated on a real uptime-kuma run; graceful-degradation (R7) demonstrated on an unreachable-domain capture.

WHERE (commits / files).

• 5fa15d4 runner/run_recipe_ci.py — imports screenshot as screenshot_mod; after deploy+readiness and OUTSIDE the deploy try/except (so a screenshot issue can never flip deploy_ok), under if deploy_ok: calls screenshot_mod.capture(domain, screenshot_path(run_artifact_dir), recipe_meta=meta) and sets screenshot_rel; passes screenshot=screenshot_rel into build_results(...).
• daa7edd runner/harness/screenshot.py — capture() (default landing-page nav via browser.goto_with_retry, 45s deadline cap; optional SCREENSHOT hook), screenshot_path(), _load_screenshot_hook(). tests/unit/test_screenshot.py (pure helpers; 4 tests).

HOW to verify (cold, from your clone on cc-ci).

1. Pure-helper unit tests: cc-ci-run -m pytest tests/unit/test_screenshot.py -q
2. Real positive capture (working UI, no secret): rm -rf /var/lib/cc-ci-runs/adv-u1 && RECIPE=uptime-kuma STAGES=install CCCI_RUN_ID=adv-u1 cc-ci-run runner/run_recipe_ci.py then scp back /var/lib/cc-ci-runs/adv-u1/screenshot.png and EYEBALL it; check /var/lib/cc-ci-runs/adv-u1/results.json has "screenshot":"screenshot.png". Confirm NO orphan service after (docker service ls | grep -i uptime empty = clean teardown).
3. Graceful degradation (R7) — capture against an unreachable host returns None, never raises: cc-ci-run -c 'import sys; sys.path.insert(0,"runner"); from harness import screenshot as S; print(S.capture("adv-u1-noexist.ci.commoninternet.net","/tmp/x.png"))' → prints None (≈45s), no /tmp/x.png produced.

EXPECTED.

1. 3 passed (test_screenshot.py has 3 pure-helper tests; corrected from an earlier "4" over-count per the Adversary's honest-reporting flag, REVIEW-3 @74a6993 — doc-only, no behavioural impact).
2. screenshot.png ~30 KB showing uptime-kuma's "Uptime Kuma / Create your admin account" landing page with EMPTY username/password/repeat fields (a setup form — it asks the user to set a password; it does NOT display any generated secret), i.e. real working app UI, no secret values. results.json screenshot="screenshot.png", flags.clean_teardown=true; no orphan service. (My run: /var/lib/cc-ci-runs/u1-uk-shot/{screenshot.png,results.json}.)
3. None returned after the 45s deadline, no file written, no exception — proving a screenshot failure leaves the run/verdict untouched (cosmetics never block, R7). (My check log: capture "failed (non-fatal, verdict unaffected)" → GRACEFUL_DEGRADATION= True.)

The cardinal Phase-3 invariant for U1: the screenshot is a faithful capture of the live app, never a credentials page, and its presence/absence never changes the verdict.

---

Gate: U2 — PASS (Adversary REVIEW-3 @324d84d, 2026-05-31; R3/R6 partial cold-verified, no VETO) (Summary card + badge)

WHAT. Each run now renders a summary card PNG (recipe+version, level badge, per-stage/per-test ✔/✘ table, embedded real app screenshot) and an SVG level badge, written into the run artifact dir and served at stable URLs https://ci.commoninternet.net/runs/<run_id>/{summary.png,badge.svg, screenshot.png,results.json}. The card REPORTS results.json verbatim — it computes nothing, so it can never look greener than the tiers (cardinal invariant). U2 acceptance ("card + badge render correctly for a pass run AND a fail run") demonstrated: a real PASS run served live; a deterministic FAIL render shown honest (L0/red/✘/no-screenshot).

WHERE (commits / files).

• afe5e51 runner/run_recipe_ci.py — after results.json is written, a separate best-effort block renders summary.html→summary.png + badge.svg via harness.card (passes screenshot_rel=data["screenshot"] so the real shot embeds iff present). R7-wrapped — any failure is swallowed, never changes overall.
• daa7edd/7217e0c/8179d3f runner/harness/card.py — pure render_card_html, render_badge_svg/ level_badge_svg (deterministic string builders), render_card_png (best-effort Playwright). Inline SVG sunflower (headless chromium has no colour-emoji font). tests/unit/test_card.py (8 tests).
• fa56f6b dashboard/dashboard.py + nix/modules/dashboard.nix — /runs/<id>/<file> route (allow-list + run_id regex + realpath-inside-runs-dir traversal guard); /var/lib/cc-ci-runs bind-mounted READ-ONLY into the dashboard swarm service; CCCI_RUNS_DIR env.

HOW to verify (cold). (See ADVERSARY-INBOX for the deploy gotcha — do NOT nixos-rebuild switch the live host; #cc-ci targets the hetzner migration host. U2.3 was rolled via the dashboard module reconcile only. DECISIONS.md Phase-3/U2 has the diff-closures evidence.)

1. Unit tests: cc-ci-run -m pytest tests/unit/test_card.py -q → 8 passed.
2. PASS card served live (real): curl -s -o /tmp/c.png -w '%{http_code} %{content_type} %{size_download}\n' https://ci.commoninternet.net/runs/u1-uk-shot/summary.png → 200 image/png ~69313. Eyeball /tmp/c.png: uptime-kuma, orange LEVEL 1, "capped: L2 upgrade N/A", install/test_serving ✔ PASS rows, clean-teardown+no-secret-leak flags, and the real uptime-kuma screenshot embedded. Also …/screenshot.png (200 ~30858), …/badge.svg (200 image/svg+xml), …/results.json (200).
3. Traversal/whitelist guard: …/runs/u1-uk-shot/../../../etc/passwd, …/runs/u1-uk-shot/evil.sh, …/runs/nonexist/results.json → 404 with a 9-byte body (the dashboard's own "not found", NOT Traefik's 19-byte 404 — proves the request reached the app and the guard rejected it).
4. FAIL render is honest (cardinal invariant): feed the card a fail dict (cmd in ADVERSARY-INBOX §3) → card shows level 0, level_color(0) (red), the ✘ FAIL mark on the install row, and the "no screenshot" placeholder — never greener than the data.

EXPECTED. (1) 8 passed. (2) PASS card 200/image-png/~69KB, embeds the real screenshot, level/marks match results.json (u1-uk-shot: level 1, install pass). (3) all three guarded paths 404 with a 9B body. (4) fail render: >0< (level 0), red colour, ✘ present, "no screenshot" present — no inflation.

The cardinal U2 invariant: the rendered card/level/badge are a faithful, never-greener projection of results.json + the actual test outcomes, served at a stable URL, generated best-effort so a render failure never blocks the run.

Gate: U3 — PASS (Adversary REVIEW-3 @778b577, 2026-05-31T09:51Z; R2 cold-verified, no VETO) (YunoHost-style PR comment)

(Adversary cold-reproduced update-in-place via its own !testme → build #7; comment 13792 never stacked; card == results.json, no inflation; no secrets. R3 "in comment" verified; R3 ticks at U4.)

WHAT. On a !testme run the bridge now posts/updates ONE Gitea PR comment in the YunoHost shape: on run start a 🌻 + ⏳ placeholder ("level pending", live-logs link); on completion it edits the SAME comment in place to 🌻 + a level badge image + a summary card image, BOTH linked to the full run, plus full-logs/dashboard links. A re-!testme refreshes that same comment (back to ⏳, then to the new result) — never stacks a new one (R2 "one comment per PR, updated in place"). Falls back to a compact text verdict if the rendered card isn't served (R7). DoD R2 satisfied; U3 acceptance ("live on a scratch PR — comment shows badge + card + screenshot, updates on re-run, no secrets") demonstrated on a real scratch PR. (This also lands R3's "embedded in the comment" sub-requirement; R3 still needs "in dashboard" at U4.)

WHERE (commits / files).

• 9a47aa2 bridge/bridge.py — COMMENT_MARKER (hidden HTML comment <!-- cc-ci:testme -->), start_comment_body (⏳ placeholder), result_comment_body (🌻 + badge + card, linked; text fallback), find_existing_comment (marker → update-in-place), artifact_available (HEAD existence check → image-vs-text), watch_and_reflect now edits to result_comment_body. Card/badge URLs are ${DASH_URL}/runs/<DRONE_BUILD_NUMBER>/{summary.png,badge.svg} (run_id == Drone build number, see runner/harness/results.py::run_id).
• 9a47aa2 dashboard/dashboard.py — do_HEAD (shared _route with GET) so HEAD existence-checks + strict image clients get 200, not 501 (closes Adversary A3-1, already re-verified @8807240).
• 9a47aa2 tests/unit/test_bridge_trigger.py — covers placeholder shape, image-forward result, text fallback when card missing, marker-based find/update-in-place.
• Deployed: bridge swarm image cc-ci-bridge:6377f9571f3b == sha256(bridge.py) first-12 (content tag, confirmed live); dashboard image live with do_HEAD.

HOW to verify (cold, from your clone / the VM).

1. Unit tests (on cc-ci): cc-ci-run -m pytest tests/unit/test_bridge_trigger.py tests/unit/test_card.py -q → 15 passed.
2. Deployed bridge == source: ssh cc-ci 'sha256sum /etc/cc-ci/bridge/bridge.py | cut -c1-12' → 6377f9571f3b; ssh cc-ci 'docker service ls | grep ccci-bridge' shows image tag 6377f9571f3b.
3. LIVE demo on scratch PR recipe-maintainers/custom-html PR #2 (recipe == repo name; the bridge poller, 30s, fires on a NEW !testme). The bot comment carrying the marker is id 13792: curl -s -u "$GITEA_USERNAME:$GITEA_PASSWORD" https://git.autonomic.zone/api/v1/repos/recipe-maintainers/custom-html/issues/comments/13792 → body has <!-- cc-ci:testme -->, 🌻, ✅ passed, [![cc-ci result card](…/runs/4/summary.png)](…/4), [![level](…/runs/4/badge.svg)](…/4), full-logs+dashboard links. (You may post your own !testme on PR #2 — the repo is active in Drone; it will refresh the same comment 13792.)
4. Images render (served): for f in summary.png badge.svg screenshot.png results.json; do curl -s -o /dev/null -w "$f %{http_code}\n" https://ci.commoninternet.net/runs/4/$f; done → all 200.
5. Updates in place / no stacking: the marked-comment set on PR #2 stays exactly [13792] across runs #3 (first !testme) and #4 (re-!testme); the comment cycled ⏳→result both times. (Filter comments for <!-- cc-ci:testme --> — there is exactly one.)
6. No secrets: scan the comment body + /var/lib/cc-ci-runs/{3,4}/{results.json,summary.html} for password|secret|token|passwd|api_key|privkey|PRIVATE → only the no_secret_leak flag-name matches; the embedded app screenshot is custom-html's "Welcome to nginx!" page (no values).
7. No inflation: the card for run #4 shows level 4 / capped: L5 integration N/A, all install/upgrade/backup/restore/custom rows ✔ — matches /runs/4/results.json verbatim.

EXPECTED.

1. 15 passed. 2. tag 6377f9571f3b both places. 3. comment 13792 body exactly as above (run 4).
2. all four /runs/4/ files 200 (summary.png ~178 KB, badge.svg 342 B, screenshot.png 35707 B).
3. exactly one marked comment (13792); no new comment stacked on re-run. 6. zero real secret hits.
4. card level 4, all rows ✔, == results.json (recipe=custom-html, level=4, all tiers pass, flags.clean_teardown=true,no_secret_leak=true).

The cardinal U3 invariant: ONE comment per PR, refreshed in place; the embedded card/badge are a faithful never-greener projection of the run; image-gen failure degrades to text and never blocks the run or the verdict.

Gate: U4 — PASS (Adversary REVIEW-3 @9ca39dc, 2026-05-31T10:04Z; R5 + R3-full cold-verified, no VETO) (Dashboard polish)

(Grid + history cold-verified never-greener vs results.json; honest #11 failure row (404 results.json → failure/level —/no card); no secrets; deployed == source; 9 tests. R5 satisfied, R3 fully satisfied.)

WHAT. The overview at https://ci.commoninternet.net/ is now a YunoHost-CI-style grid: one card per enrolled recipe showing a level badge (coloured by level), latest pass/fail status, last-tested version, an app screenshot thumbnail (the run's screenshot.png, clickable → the full summary.png card), the clean-teardown/no-secret-leak flags, and a history link. A new per-recipe history page /recipe/<name> lists every run of that recipe (newest first): run #, status, level, version, when, and a per-run card link. Every field is read from the run's results.json (level/version/screenshot/flags) so the grid mirrors the artifact and is never greener than the run (cardinal guardrail). It re-renders live each request (30s cache + auto-refresh), i.e. "regenerated on build completion". DoD R5 satisfied; R3 now also embedded in the dashboard (was U3-verified in the comment) → R3 fully satisfied.

WHERE (commits / files).

• e1d837e dashboard/dashboard.py — level_color, _results_for (traversal-guarded results.json reader), _custom_recipe_builds (cached, shared by overview+history), _build_row (Drone build + results.json → display row), latest_per_recipe (augmented), history_for, render_overview (grid), render_history, /recipe/<name> route. tests/unit/test_dashboard.py (9 tests).
• Deployed: cc-ci-dashboard:7b34ec8761df (== sha256(dashboard.py) first-12, confirmed live), rolled via the dashboard module reconcile only (nixos-rebuild build non-activating → cc-ci-reconcile-dashboard = docker load + docker stack deploy). NOT nixos-rebuild switch (the #cc-ci config targets the migration host — DECISIONS Phase-3/U2; reconcile = zero host-config impact, reversible).

HOW to verify (cold, from your clone / the VM).

1. Unit tests (on cc-ci): cc-ci-run -m pytest tests/unit/test_dashboard.py -q → 9 passed.
2. Deployed == source: ssh cc-ci 'sha256sum /etc/cc-ci/dashboard/dashboard.py | cut -c1-12' → 7b34ec8761df; docker service ls | grep ccci-dashboard shows that tag.
3. Live grid: curl -s https://ci.commoninternet.net/ (200) → two recipe cards: custom-html (level 4, success, db9a95024e9d, thumbnail /runs/7/screenshot.png linking /runs/7/summary.png, ✔ teardown / ✔ no-leak, history → /recipe/custom-html) and uptime-kuma (level 4, success, dfed87a39f8a, /runs/12/...).
4. Live history: curl -s https://ci.commoninternet.net/recipe/custom-html (200) → rows #7/#4/#3/#1 each L4/success/version + per-run card link to /runs/<n>/summary.png; …/recipe/uptime-kuma → #12 (success L4) and #11 (failure, level —, no card) — a real failed run shown honestly (it failed at fetch_recipe on a bogus ref, wrote no results.json → grid shows failure/level —).
5. No inflation (cardinal): each card's level/status/version == /runs/<n>/results.json (curl -s https://ci.commoninternet.net/runs/7/results.json → custom-html level 4 all-pass; /runs/12/results.json → uptime-kuma level 4 all-pass). A failed/absent run shows level — + the failure pill + the "no screenshot" placeholder — never a level/screenshot it didn't earn.
6. No secrets (R7): scan the grid + both history pages → only the title="no secret leak" flag label matches secret; embedded thumbnails are the U1-verified secret-safe landing pages.
7. HEAD parity: curl -sI https://ci.commoninternet.net/ and …/recipe/custom-html → 200 (the do_HEAD/_route share with GET; A3-1 stays closed).

EXPECTED. (1) 9 passed. (2) tag 7b34ec8761df both places. (3) grid 200 with the two cards as described; (4) history 200 with the run rows + card links incl. the honest uptime-kuma failure row; (5) card fields == results.json (custom-html L4, uptime-kuma L4); (6) zero real secret hits; (7) HEAD 200.

The cardinal U4 invariant: the grid + history are a faithful, never-greener projection of each run's results.json; a failed/levelless run is shown as such (no inflated level, no screenshot it didn't produce); rendering is read-only over the RO-bind-mounted artifacts.

Gate: U5 — CLAIMED, awaiting Adversary (Badges + docs + hardening; R6, R7, R8 — FINAL gate)

WHAT. The last milestone: (a) R6 — a per-recipe latest-level badge endpoint /badge/<recipe>.svg (shields-style, coloured by level, embeddable in a recipe README; falls back to a status badge for a recipe with no level yet); (b) R8 — docs/results-ux.md now fully explains the level ladder + tier→rung mapping, results.json schema, card/screenshot generation, the PR-comment shape, and the badge endpoints + README embed snippet; (c) R7 hardening — render failure degrades to text/omission and never affects the verdict, proven by a forced render-kill run; a broad secret scan over every published artifact + all PR comments finds zero real secret values; plus a new defense-in-depth try/except around the screenshot call site so a screenshot can never crash the run.

WHERE (commits / files).

• 91a69b8 dashboard/dashboard.py — render_level_badge + _badge_svg; /badge/<recipe>.svg route prefers the latest-run level (from results.json), status fallback. Deployed cc-ci-dashboard:8acd8b9cc51c (== sha256(dashboard.py), confirmed live). tests/unit/test_dashboard.py (+2 badge tests → 11 total).
• 91a69b8 docs/results-ux.md §1-5 complete (R8).
• 799cceb runner/run_recipe_ci.py — defense-in-depth try/except around screenshot_mod.capture call site (R7); a screenshot raise is now caught + logged non-fatal, verdict unaffected.

HOW to verify (cold, from your clone / the VM).

1. R6 per-recipe level badge (live): curl -s https://ci.commoninternet.net/badge/custom-html.svg → SVG cc-ci: custom-html | level 4, message-box fill="#a0b93f" (= level_color(4)); …/badge/uptime-kuma.svg → level 4; …/badge/keycloak.svg (no runs) → 200, status-fallback cc-ci | unknown. README embed snippet in docs/results-ux.md §5.
2. R8 docs: read docs/results-ux.md — §1 ladder + tier→rung mapping, §2 schema, §3 card+screenshot
   • stable URLs, §4 PR comment, §5 badges + embed snippet. No remaining TODOs.
3. R7 render-kill degradation (verdict unaffected) — reproduce: drive run_recipe_ci.main() with the orchestrator-side cosmetic renderers forced to raise but the real (subprocess) test browser intact — monkeypatch run_recipe_ci.card_mod.render_card_html/render_card_png and run_recipe_ci.screenshot_mod.capture to raise, RECIPE=custom-html STAGES=install. Result (/var/lib/cc-ci-runs/u5-renderkill3 from my run): EXIT 0, install pass (test_serving + test_serving_and_content PASSED — real browser unaffected), results.json written (level=1, install=pass, screenshot=null), and NO summary.png / NO screenshot.png — both cosmetic failures swallowed (screenshot capture raised (non-fatal…) + summary card/badge render failed (non-fatal)). A renderer kill cannot change the verdict or block the run. (Note: globally breaking the browser path instead — /var/lib/cc-ci-runs/u5-renderkill2 — fails the install tier, because custom-html's test_serving_and_content is a REAL browser test; that is a real test failing correctly, NOT a cosmetics-vs-verdict datapoint. The clean isolation above breaks ONLY the cosmetic renderers.)
4. R7 broad leak scan: over every published text artifact — for f in $(find /var/lib/cc-ci-runs -maxdepth 2 \( -name results.json -o -name summary.html -o -name badge.svg \)); do grep -EaoH 'password|passwd|secret|token|api_key|privkey|BEGIN [A-Z ]*PRIVATE KEY|AKIA[0-9A-Z]{16}|[0-9a-f]{40}' "$f"; done → the ONLY matches are the no_secret_leak JSON field + the ✔ no secret leak card label (a flag name, not a value); zero real secret values. Same scan over all bot comments on custom-html PR#2 → 0. The embedded screenshots are the U1/U4-verified secret-safe setup/landing pages (empty credential fields). (You are the R7 leak authority — this is my own pre-claim scan.)
5. R7 comment text-fallback (render fail → text, not a broken image): unit-covered (tests/unit/test_bridge_trigger.py::test_result_comment_text_fallback_when_card_missing) + the bridge checks artifact_available (HEAD) before embedding (U3-verified structurally).
6. Unit tests (cold): cc-ci-run -m pytest tests/unit/test_dashboard.py tests/unit/test_card.py tests/unit/test_bridge_trigger.py tests/unit/test_screenshot.py tests/unit/test_level.py tests/unit/test_results.py -q → all green (11+8+7+3+15+13).

EXPECTED. (1) badges render with level colour + status fallback; (2) docs complete, no TODOs; (3) render-kill: exit 0, install pass, results.json intact, no card/screenshot; (4) leak scan: only the flag name/label, zero real values, 0 in comments; (6) all unit tests green.

The cardinal U5 invariant: cosmetics (card, screenshot, badge, comment image) never block/fail a run or change its verdict — they degrade to text/omission; and no published artifact leaks a secret.

When the Adversary's U5 PASS lands and REVIEW-3 shows all R1–R8 verified <24h with no VETO → I flip STATUS-3 to ## DONE.

In flight

(none — U5 (final gate) claimed; parked awaiting the Adversary. On U5 PASS + all R1–R8 verified → DONE.)

Blocked

(none)

Note — Drone repo reactivation (infra, recorded for the Adversary)

The Hetzner-migration Drone DB reset left recipe-maintainers/cc-ci inactive (bridge log drone trigger failed 404); the bridge can't trigger builds when the repo is inactive. I reactivated it (in-scope reconfig of my own CI, reversible): POST /api/user/repos?async=false then POST /api/repos/recipe-maintainers/cc-ci → active=true, config_path .drone.yml, timeout 60. This is why builds #1–#4 above exist (counter reset to 1 by the DB reset). Self-heal hardening filed as BACKLOG-3 U3.3 (fold activation into the drone reconcile) — not a U3 DoD item.