@riddledc/riddle-proof 0.8.30 → 0.8.32

package/runtime/lib/ship.py

@@ -1,7 +1,8 @@
 """Ship: commit, create PR, post proof artifacts, wait for CI, mark ready, cleanup."""
 
-import json, subprocess as sp, time, os, sys, re
+import json, subprocess as sp, time, os, sys, re, shutil, tempfile, hashlib
 import urllib.error
+import urllib.parse
 import urllib.request
 sys.path.insert(0, os.path.dirname(os.path.abspath(__file__)))
 from util import load_state, save_state, invoke, git
@@ -9,6 +10,7 @@ from util import load_state, save_state, invoke, git
 
 DISCORD_API = 'https://discord.com/api/v10'
 SHIP_NOISE_PATHS = ('.codex', '.oc-smoke')
+MAX_GITHUB_PROOF_ARTIFACT_BYTES = 10 * 1024 * 1024
 VISUAL_FIRST_MODES = {
     'visual', 'render', 'ui', 'layout', 'screenshot',
     'canvas', 'animation',
@@ -185,6 +187,306 @@ def truthy(value):
     return str(value or '').strip().lower() in ('1', 'true', 'yes', 'y', 'on')
 
 
+def safe_slug(value, fallback='artifact'):
+    slug = re.sub(r'[^a-zA-Z0-9._-]+', '-', str(value or '').strip()).strip('-._')
+    return slug[:80] or fallback
+
+
+def is_http_url(value):
+    text = str(value or '').strip()
+    return text.startswith('https://') or text.startswith('http://')
+
+
+def is_file_url(value):
+    return str(value or '').strip().startswith('file://')
+
+
+def path_from_file_url(url):
+    parsed = urllib.parse.urlparse(str(url or '').strip())
+    if parsed.scheme != 'file':
+        return ''
+    return urllib.request.url2pathname(parsed.path)
+
+
+def local_path_from_artifact(artifact):
+    if not isinstance(artifact, dict):
+        return ''
+    path_value = str(artifact.get('path') or '').strip()
+    if path_value and os.path.exists(path_value):
+        return path_value
+    url = str(artifact.get('url') or '').strip()
+    if is_file_url(url):
+        decoded = path_from_file_url(url)
+        if decoded and os.path.exists(decoded):
+            return decoded
+    return ''
+
+
+def artifact_kind(name, path_value='', url=''):
+    target = (str(name or '') + ' ' + str(path_value or '') + ' ' + str(url or '')).lower()
+    if re.search(r'\.(png|jpe?g|gif|webp|avif|svg)(\?|$|\s)', target):
+        return 'image'
+    if re.search(r'\.(json|har|txt|md|html|log)(\?|$|\s)', target):
+        return 'data'
+    return 'artifact'
+
+
+def artifact_name(name, path_value='', fallback='artifact'):
+    source = str(name or '').strip() or os.path.basename(str(path_value or '').strip()) or fallback
+    source = source.split('?', 1)[0].split('#', 1)[0]
+    return safe_slug(source, fallback)
+
+
+def add_artifact_source(sources, seen, role, name='', url='', path_value='', source='state'):
+    local_path = path_value if path_value and os.path.exists(path_value) else ''
+    if not local_path and is_file_url(url):
+        local_path = path_from_file_url(url)
+    key = local_path or str(url or '').strip()
+    if not key or key in seen:
+        return
+    seen.add(key)
+    kind = artifact_kind(name, local_path, url)
+    sources.append({
+        'role': role,
+        'name': artifact_name(name, local_path, role + '-artifact'),
+        'url': str(url or '').strip(),
+        'path': local_path,
+        'kind': kind,
+        'source': source,
+    })
+
+
+def collect_proof_artifact_sources(state):
+    sources = []
+    seen = set()
+    for role, key in (('before', 'before_cdn'), ('prod', 'prod_cdn'), ('after', 'after_cdn')):
+        value = str(state.get(key) or '').strip()
+        if value:
+            add_artifact_source(sources, seen, role, os.path.basename(path_from_file_url(value)) if is_file_url(value) else role + '.png', value, '', key)
+
+    verify_results = state.get('verify_results') or {}
+    after = verify_results.get('after') if isinstance(verify_results, dict) else {}
+    raw = after.get('raw') if isinstance(after, dict) else {}
+    if isinstance(raw, dict):
+        for artifact in raw.get('outputs') or []:
+            if isinstance(artifact, dict):
+                add_artifact_source(sources, seen, 'after', artifact.get('name', ''), artifact.get('url', ''), local_path_from_artifact(artifact), 'verify_results.after.raw.outputs')
+        for artifact in raw.get('screenshots') or []:
+            if isinstance(artifact, dict):
+                add_artifact_source(sources, seen, 'after', artifact.get('name', ''), artifact.get('url', ''), local_path_from_artifact(artifact), 'verify_results.after.raw.screenshots')
+
+    bundle = state.get('evidence_bundle') or {}
+    bundle_after = bundle.get('after') if isinstance(bundle, dict) else {}
+    supporting = bundle_after.get('supporting_artifacts') if isinstance(bundle_after, dict) else {}
+    if isinstance(supporting, dict):
+        for field, kind_role in (('image_outputs', 'after'), ('data_outputs', 'after'), ('other_outputs', 'after')):
+            for artifact in supporting.get(field) or []:
+                if isinstance(artifact, dict):
+                    add_artifact_source(sources, seen, kind_role, artifact.get('name', ''), artifact.get('url', ''), local_path_from_artifact(artifact), 'evidence_bundle.after.supporting_artifacts.' + field)
+
+    request = state.get('proof_assessment_request') or {}
+    request_supporting = request.get('supporting_artifacts') if isinstance(request, dict) else {}
+    if isinstance(request_supporting, dict):
+        for field, kind_role in (('image_outputs', 'after'), ('data_outputs', 'after'), ('other_outputs', 'after')):
+            for artifact in request_supporting.get(field) or []:
+                if isinstance(artifact, dict):
+                    add_artifact_source(sources, seen, kind_role, artifact.get('name', ''), artifact.get('url', ''), local_path_from_artifact(artifact), 'proof_assessment_request.supporting_artifacts.' + field)
+
+    return sources
+
+
+def local_proof_artifact_sources(state):
+    return [artifact for artifact in collect_proof_artifact_sources(state) if artifact.get('path') and os.path.exists(artifact.get('path'))]
+
+
+def local_artifact_sources_fingerprint(local_sources):
+    digest = hashlib.sha256()
+    for artifact in sorted(local_sources, key=lambda item: item.get('path') or ''):
+        path_value = artifact.get('path') or ''
+        if not path_value or not os.path.exists(path_value):
+            continue
+        digest.update(path_value.encode('utf-8'))
+        digest.update(str(artifact.get('name') or '').encode('utf-8'))
+        digest.update(str(os.path.getsize(path_value)).encode('utf-8'))
+        with open(path_value, 'rb') as f:
+            while True:
+                chunk = f.read(1024 * 1024)
+                if not chunk:
+                    break
+                digest.update(chunk)
+    return digest.hexdigest()
+
+
+def public_proof_artifacts(state):
+    published = state.get('proof_artifact_publication') or {}
+    artifacts = published.get('artifacts') if isinstance(published, dict) else []
+    public = [artifact for artifact in artifacts or [] if isinstance(artifact, dict) and (artifact.get('raw_url') or artifact.get('html_url'))]
+    for artifact in collect_proof_artifact_sources(state):
+        url = str(artifact.get('url') or '').strip()
+        if is_http_url(url):
+            public.append({
+                **artifact,
+                'raw_url': url,
+                'html_url': url,
+                'published': False,
+            })
+    deduped = []
+    seen = set()
+    for artifact in public:
+        key = artifact.get('raw_url') or artifact.get('html_url') or artifact.get('url')
+        if key and key not in seen:
+            seen.add(key)
+            deduped.append(artifact)
+    return deduped
+
+
+def first_public_artifact_url(state, role, kind=None):
+    for artifact in public_proof_artifacts(state):
+        if artifact.get('role') != role:
+            continue
+        if kind and artifact.get('kind') != kind:
+            continue
+        return artifact.get('raw_url') or artifact.get('html_url') or artifact.get('url') or ''
+    return ''
+
+
+def resolve_github_repo_name(repo_dir):
+    result = sp.run(['gh', 'repo', 'view', '--json', 'nameWithOwner', '--jq', '.nameWithOwner'],
+                    cwd=repo_dir, capture_output=True, text=True, timeout=30)
+    if result.returncode == 0 and result.stdout.strip():
+        return result.stdout.strip()
+    remote = git_stdout(['config', '--get', 'remote.origin.url'], repo_dir)
+    match = re.search(r'github\.com[:/]([^/]+)/([^/.]+)(?:\.git)?$', remote)
+    if match:
+        return match.group(1) + '/' + match.group(2)
+    return ''
+
+
+def write_artifact_readme(path_value, state, artifacts):
+    lines = [
+        '# Riddle Proof Artifacts',
+        '',
+        'Run id: `' + str(state.get('run_id') or '') + '`',
+        'PR: ' + str(state.get('pr_url') or ''),
+        'Goal: ' + str(state.get('change_request') or ''),
+        'Verification mode: ' + str(state.get('verification_mode') or 'proof'),
+        '',
+        '## Artifacts',
+        '',
+    ]
+    for artifact in artifacts:
+        rel = artifact.get('filename') or artifact.get('published_path') or ''
+        label = artifact.get('role', 'artifact') + ' / ' + artifact.get('name', rel)
+        if artifact.get('kind') == 'image':
+            lines.append('- ' + label + ': `'+ rel + '`')
+            lines.append('')
+            lines.append('  ![' + label + '](' + rel + ')')
+            lines.append('')
+        else:
+            lines.append('- [' + label + '](' + rel + ')')
+    with open(path_value, 'w') as f:
+        f.write('\n'.join(lines).rstrip() + '\n')
+
+
+def publish_local_proof_artifacts_to_github(state, repo_dir, pr_num):
+    local_sources = local_proof_artifact_sources(state)
+    if not local_sources:
+        state['proof_artifact_publication'] = {'ok': True, 'skipped': True, 'reason': 'no local file artifacts'}
+        save_state(state)
+        return state['proof_artifact_publication']
+
+    source_fingerprint = local_artifact_sources_fingerprint(local_sources)
+    existing = state.get('proof_artifact_publication') or {}
+    if existing.get('ok') and existing.get('artifacts') and existing.get('source_fingerprint') == source_fingerprint:
+        return existing
+
+    repo_name = resolve_github_repo_name(repo_dir)
+    if not repo_name:
+        raise SystemExit('Could not resolve GitHub repository name for proof artifact publication.')
+
+    run_id = safe_slug(state.get('run_id') or str(int(time.time())), 'run')
+    pr_slug = safe_slug('pr-' + str(pr_num or 'unknown'), 'pr')
+    artifact_branch = safe_slug('riddle-proof-artifacts-' + pr_slug + '-' + run_id, 'riddle-proof-artifacts')
+    artifact_dir_name = 'riddle-proof/' + run_id
+    tmp = tempfile.mkdtemp(prefix='riddle-proof-gh-artifacts-')
+    published = []
+    try:
+        git_checked(['init'], tmp)
+        origin = git_stdout(['config', '--get', 'remote.origin.url'], repo_dir)
+        git_checked(['remote', 'add', 'origin', origin], tmp)
+        git_checked(['checkout', '-b', artifact_branch], tmp)
+        git_checked(['config', 'user.name', 'Riddle Proof'], tmp)
+        git_checked(['config', 'user.email', 'riddle-proof@riddledc.com'], tmp)
+        target_dir = os.path.join(tmp, artifact_dir_name)
+        os.makedirs(target_dir, exist_ok=True)
+        used_names = set()
+        for artifact in local_sources:
+            source_path = artifact.get('path')
+            try:
+                size = os.path.getsize(source_path)
+            except Exception:
+                continue
+            if size > MAX_GITHUB_PROOF_ARTIFACT_BYTES:
+                published.append({**artifact, 'published': False, 'skipped': True, 'reason': 'artifact exceeds size limit'})
+                continue
+            base_name = artifact_name(artifact.get('name'), source_path, artifact.get('role', 'artifact') + '-artifact')
+            filename = base_name
+            stem, ext = os.path.splitext(base_name)
+            counter = 2
+            while filename in used_names:
+                filename = stem + '-' + str(counter) + ext
+                counter += 1
+            used_names.add(filename)
+            dest = os.path.join(target_dir, filename)
+            shutil.copyfile(source_path, dest)
+            published_path = artifact_dir_name + '/' + filename
+            digest = hashlib.sha256(open(source_path, 'rb').read()).hexdigest()
+            published.append({
+                **artifact,
+                'filename': filename,
+                'published_path': published_path,
+                'size_bytes': size,
+                'sha256': digest,
+                'published': True,
+            })
+        write_artifact_readme(os.path.join(target_dir, 'README.md'), state, [a for a in published if a.get('published')])
+        with open(os.path.join(target_dir, 'proof-artifacts.json'), 'w') as f:
+            json.dump({
+                'version': 'riddle-proof.github-artifacts.v1',
+                'run_id': state.get('run_id', ''),
+                'pr_url': state.get('pr_url', ''),
+                'artifacts': published,
+            }, f, indent=2)
+        git_checked(['add', '.'], tmp)
+        git_checked(['commit', '-m', 'Publish Riddle Proof artifacts'], tmp)
+        commit = git_stdout(['rev-parse', 'HEAD'], tmp)
+        push = sp.run(['git', 'push', 'origin', 'HEAD:refs/heads/' + artifact_branch, '--force'],
+                      cwd=tmp, capture_output=True, text=True, timeout=120)
+        if push.returncode != 0:
+            raise SystemExit('Failed to push proof artifact branch: ' + push.stderr[:300])
+        for artifact in published:
+            if artifact.get('published'):
+                published_path = artifact.get('published_path')
+                artifact['raw_url'] = 'https://raw.githubusercontent.com/' + repo_name + '/' + commit + '/' + published_path
+                artifact['html_url'] = 'https://github.com/' + repo_name + '/blob/' + commit + '/' + published_path
+        publication = {
+            'ok': True,
+            'branch': artifact_branch,
+            'commit': commit,
+            'repo': repo_name,
+            'html_url': 'https://github.com/' + repo_name + '/tree/' + commit + '/' + artifact_dir_name,
+            'manifest_url': 'https://github.com/' + repo_name + '/blob/' + commit + '/' + artifact_dir_name + '/proof-artifacts.json',
+            'readme_url': 'https://github.com/' + repo_name + '/blob/' + commit + '/' + artifact_dir_name + '/README.md',
+            'source_fingerprint': source_fingerprint,
+            'artifacts': published,
+        }
+        state['proof_artifact_publication'] = publication
+        save_state(state)
+        return publication
+    finally:
+        shutil.rmtree(tmp, ignore_errors=True)
+
+
 def is_temp_proof_branch(branch):
     return str(branch or '').strip().startswith('riddle-proof/')
 
@@ -271,6 +573,10 @@ def build_ship_report(state, marked_ready=None):
     branch = state.get('target_branch') or state.get('branch') or ''
     if marked_ready is None:
         marked_ready = state.get('marked_ready')
+    before_artifact_url = first_public_artifact_url(state, 'before', 'image') or state.get('before_cdn', '')
+    prod_artifact_url = first_public_artifact_url(state, 'prod', 'image') or state.get('prod_cdn', '')
+    after_artifact_url = first_public_artifact_url(state, 'after', 'image') or state.get('after_cdn', '')
+    artifact_publication = state.get('proof_artifact_publication') or {}
     return {
         'pr_url': state.get('pr_url', ''),
         'pr_branch': branch,
@@ -282,9 +588,12 @@ def build_ship_report(state, marked_ready=None):
         'ci_status': state.get('ci_status', ''),
         'proof_comment_url': state.get('proof_comment_url', ''),
         'proof_assessment_comment_url': state.get('proof_assessment_comment_url', ''),
-        'before_artifact_url': state.get('before_cdn', ''),
-        'prod_artifact_url': state.get('prod_cdn', ''),
-        'after_artifact_url': state.get('after_cdn', ''),
+        'before_artifact_url': before_artifact_url,
+        'prod_artifact_url': prod_artifact_url,
+        'after_artifact_url': after_artifact_url,
+        'proof_artifacts_url': artifact_publication.get('html_url', '') if isinstance(artifact_publication, dict) else '',
+        'proof_artifacts_manifest_url': artifact_publication.get('manifest_url', '') if isinstance(artifact_publication, dict) else '',
+        'proof_artifact_publication': artifact_publication if isinstance(artifact_publication, dict) else {},
     }
 
 
@@ -515,12 +824,15 @@ def post_discord_ready_message(state, marked_ready):
     else:
         ci_line = 'CI was not confirmed green yet; review the PR checks before merging.'
     proof_bits = []
-    if state.get('before_cdn'):
-        proof_bits.append('before: ' + state['before_cdn'])
-    if state.get('prod_cdn'):
-        proof_bits.append('prod: ' + state['prod_cdn'])
-    if state.get('after_cdn'):
-        proof_bits.append('after: ' + state['after_cdn'])
+    before_url = first_public_artifact_url(state, 'before', 'image') or state.get('before_cdn')
+    prod_url = first_public_artifact_url(state, 'prod', 'image') or state.get('prod_cdn')
+    after_url = first_public_artifact_url(state, 'after', 'image') or state.get('after_cdn')
+    if before_url:
+        proof_bits.append('before: ' + before_url)
+    if prod_url:
+        proof_bits.append('prod: ' + prod_url)
+    if after_url:
+        proof_bits.append('after: ' + after_url)
     elif state_has_after_evidence(state):
         proof_bits.append('after: structured evidence bundle')
 
@@ -671,6 +983,8 @@ if s.get('finalized') and s.get('pr_url') and existing_after_dir and not os.path
         'proof_comment_url': report.get('proof_comment_url', ''),
         'before_artifact_url': report.get('before_artifact_url', ''),
         'after_artifact_url': report.get('after_artifact_url', ''),
+        'proof_artifacts_url': report.get('proof_artifacts_url', ''),
+        'proof_artifacts_manifest_url': report.get('proof_artifacts_manifest_url', ''),
         'finalized_retry': True,
         'proof_assessment_comment_posted': bool(s.get('proof_assessment_comment_posted')),
         'discord_notification': s.get('discord_notification'),
@@ -755,6 +1069,12 @@ pr_num = s.get('pr_number', '')
 if not pr_num:
     raise SystemExit('No PR created. Check gh auth.')
 
+publication = publish_local_proof_artifacts_to_github(s, repo_dir, pr_num)
+if publication.get('ok') and not publication.get('skipped'):
+    print('Proof artifacts published: ' + publication.get('html_url', ''))
+elif publication.get('skipped'):
+    print('Proof artifact publication skipped: ' + publication.get('reason', 'unknown'))
+
 # Post proof comment on PR
 body = '## Riddle Proof — Proof of Fix\n\n'
 body += '**Goal:** ' + s.get('change_request', '') + '\n\n'
@@ -762,14 +1082,39 @@ if s.get('success_criteria'):
     body += '**Success criteria:** ' + s['success_criteria'] + '\n\n'
 body += '**Verification mode:** ' + s.get('verification_mode', 'proof') + '\n\n'
 body += '**Merge recommendation:** ' + effective_merge_recommendation(s) + '\n\n'
-if before_cdn:
-    body += '### Before\n![' + 'before' + '](' + before_cdn + ')\n\n'
-if prod_cdn:
-    body += '### Prod\n![' + 'prod' + '](' + prod_cdn + ')\n\n'
-if after_cdn:
-    body += '### After\n![' + 'after' + '](' + after_cdn + ')\n\n'
+
+public_artifacts = public_proof_artifacts(s)
+if publication.get('ok') and not publication.get('skipped'):
+    body += '**Proof artifacts:** '
+    body += '[bundle](' + publication.get('html_url', '') + ')'
+    if publication.get('manifest_url'):
+        body += ' | [manifest](' + publication.get('manifest_url', '') + ')'
+    body += '\n\n'
+
+before_image = first_public_artifact_url(s, 'before', 'image')
+prod_image = first_public_artifact_url(s, 'prod', 'image')
+after_image = first_public_artifact_url(s, 'after', 'image')
+if before_image:
+    body += '### Before\n![before](' + before_image + ')\n\n'
+if prod_image:
+    body += '### Prod\n![prod](' + prod_image + ')\n\n'
+if after_image:
+    body += '### After\n![after](' + after_image + ')\n\n'
 else:
     body += '### After evidence\nNo after screenshot was captured for this verification mode; structured evidence is summarized below.\n\n'
+
+data_artifacts = [
+    artifact for artifact in public_artifacts
+    if artifact.get('kind') != 'image' and (artifact.get('html_url') or artifact.get('raw_url'))
+]
+if data_artifacts:
+    body += '### Structured artifacts\n'
+    for artifact in data_artifacts[:12]:
+        label = artifact.get('name') or artifact.get('filename') or artifact.get('kind') or 'artifact'
+        url = artifact.get('html_url') or artifact.get('raw_url')
+        body += '- [' + str(label) + '](' + str(url) + ')\n'
+    body += '\n'
+
 bundle_text = evidence_bundle_text(s)
 if bundle_text:
     body += '### Evidence bundle\n```\n' + bundle_text + '\n```\n\n'
@@ -904,5 +1249,7 @@ print(json.dumps({
     'before_artifact_url': report.get('before_artifact_url', ''),
     'prod_artifact_url': report.get('prod_artifact_url', ''),
     'after_artifact_url': report.get('after_artifact_url', ''),
+    'proof_artifacts_url': report.get('proof_artifacts_url', ''),
+    'proof_artifacts_manifest_url': report.get('proof_artifacts_manifest_url', ''),
     'ship_report': report,
 }))

package/runtime/lib/util.py

@@ -621,37 +621,65 @@ def nested_non_riddle_enabled():
 def invoke_riddle_core(tool, args, timeout=180):
     """Call Riddle's shared core package directly, without nested OpenClaw tool invocation."""
     script = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'riddle_core_call.mjs')
+    result_file = tempfile.NamedTemporaryFile(prefix='riddle-proof-direct-', suffix='.json', delete=False).name
+    stderr_file = tempfile.NamedTemporaryFile(prefix='riddle-proof-direct-', suffix='.stderr', delete=False).name
+    env = dict(os.environ)
+    env['RIDDLE_PROOF_DIRECT_RESULT_FILE'] = result_file
+    stderr_text = ''
     try:
-        r = sp.run(
-            ['node', script, tool, json.dumps(args)],
-            capture_output=True, text=True, timeout=timeout
-        )
+        with open(stderr_file, 'w', encoding='utf-8') as stderr_handle:
+            r = sp.run(
+                ['node', script, tool, json.dumps(args)],
+                stdout=sp.DEVNULL, stderr=stderr_handle, text=True, timeout=timeout, env=env
+            )
     except sp.TimeoutExpired as e:
         print('direct_riddle(' + tool + ') TIMED OUT after ' + str(timeout) + 's')
-        if e.stdout:
-            print('  stdout: ' + e.stdout[:500])
-        if e.stderr:
-            print('  stderr: ' + e.stderr[:500])
+        try:
+            with open(stderr_file, 'r', encoding='utf-8') as f:
+                stderr_text = f.read()[:500]
+        except Exception:
+            stderr_text = ''
+        if stderr_text:
+            print('  stderr: ' + stderr_text)
         return {
             'ok': False,
             'timeout': True,
             'error': f'direct_riddle({tool}) timed out after {timeout}s',
-            'stdout': (e.stdout or '')[:500],
-            'stderr': (e.stderr or '')[:500],
+            'stderr': stderr_text[:500],
         }
+    finally:
+        if 'r' not in locals():
+            for temp_path in (result_file, stderr_file):
+                try:
+                    os.unlink(temp_path)
+                except Exception:
+                    pass
+    try:
+        with open(stderr_file, 'r', encoding='utf-8') as f:
+            stderr_text = f.read()
+    except Exception:
+        stderr_text = ''
 
     if r.returncode != 0:
         print('direct_riddle(' + tool + ') FAILED rc=' + str(r.returncode))
-        print('  stdout: ' + r.stdout[:500])
-        print('  stderr: ' + r.stderr[:500])
+        print('  stderr: ' + stderr_text[:500])
 
     try:
-        return json.loads(r.stdout)
-    except:
+        with open(result_file, 'r', encoding='utf-8') as f:
+            return json.loads(f.read())
+    except Exception:
         print('direct_riddle(' + tool + ') JSON parse failed')
-        print('  stdout: ' + r.stdout[:500])
-        print('  stderr: ' + r.stderr[:500])
-        return {'ok': False, 'error': r.stdout[:300], 'stderr': r.stderr[:300]}
+        print('  stderr: ' + stderr_text[:500])
+        return {'ok': False, 'error': 'direct_riddle result file missing or invalid', 'stderr': stderr_text[:300]}
+    finally:
+        try:
+            os.unlink(result_file)
+        except Exception:
+            pass
+        try:
+            os.unlink(stderr_file)
+        except Exception:
+            pass
 
 
 def invoke(tool, args, timeout=180):
@@ -771,7 +799,12 @@ def invoke_retry(tool, args, retries=3, timeout=180):
         result = invoke(tool, args, timeout=timeout)
         last_result = result
         # Check for success indicators
-        if result.get('ok') or result.get('outputs') or result.get('screenshots'):
+        if result.get('ok'):
+            return result
+        if tool == 'riddle_script' and (result.get('error') or result.get('script_error')):
+            print('invoke_retry(riddle_script) stopping early for deterministic script error')
+            return result
+        if result.get('outputs') or result.get('screenshots'):
             return result
         print(f'invoke_retry({tool}) attempt {attempt}/{retries} failed: {str(result.get("error", "no output"))[:200]}')
         if tool == 'riddle_script' and non_retryable_riddle_script_error(result):
@@ -911,6 +944,39 @@ def summarize_capture_artifact_item(item):
     return {key: value for key, value in summary.items() if value not in (None, '')}
 
 
+def capture_screenshot_url(payload, label=''):
+    if not isinstance(payload, dict):
+        return ''
+    enriched = enrich_capture_payload(payload)
+    candidates = []
+    for key in ('screenshots', 'outputs', 'artifacts'):
+        values = enriched.get(key) or []
+        if isinstance(values, list):
+            candidates.extend([item for item in values if isinstance(item, dict)])
+
+    requested = (label or '').strip()
+    expected_names = set()
+    if requested:
+        expected_names.update({
+            requested,
+            requested + '.png',
+            requested + '.jpg',
+            requested + '.jpeg',
+            requested + '.webp',
+        })
+    for item in candidates:
+        name = str(item.get('name') or '')
+        url = str(item.get('url') or '')
+        if url and expected_names and name in expected_names:
+            return url
+    for item in candidates:
+        url = str(item.get('url') or '')
+        name = str(item.get('name') or '')
+        if url and (not name or re.search(r'\.(png|jpe?g|webp|gif)$', name, re.I)):
+            return url
+    return ''
+
+
 def git(cmd, cwd):
     """Run a shell command in a repo directory."""
     return sp.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True)
@@ -1152,7 +1218,7 @@ def build_capture_script(url, capture_script, label, wait_for_selector='', viewp
     effective_viewport_matrix = None if script_handles_viewport_matrix else viewport_matrix
     pieces = [
         *viewport_matrix_setup_js(effective_viewport_matrix),
-        'await page.goto(' + json.dumps(url) + ');',
+        'await page.goto(' + json.dumps(url) + ', { waitUntil: "domcontentloaded", timeout: 30000 });',
     ]
     selector = (wait_for_selector or '').strip()
     if selector:
@@ -1179,33 +1245,44 @@ def capture_static_preview(state, project_dir, label, capture_script, timeout=30
             'raw': {'ok': False, 'error': 'No static build output found. Tried configured build_output, dist, build, out.'},
         }
 
-    preview = invoke_retry('riddle_preview', {'directory': build_dir, 'label': label}, retries=3, timeout=timeout)
-    if not preview.get('ok'):
-        return {
-            'ok': False,
-            'preview_id': preview.get('id', ''),
-            'preview_url': preview.get('preview_url') or preview.get('previewUrl') or '',
-            'url': '',
-            'raw': preview,
-        }
-    preview_url = preview.get('preview_url') or preview.get('previewUrl') or ''
-    preview_id = preview.get('id', '')
-    capture_url = join_url_path(preview_url, target_path or state.get('server_path', ''))
-
-    script = build_capture_script(capture_url, capture_script, label, state.get('wait_for_selector', ''), state.get('viewport_matrix'))
-    args = {'script': script, 'timeout_sec': 60}
+    static_server_command = (
+        (state.get('static_server_command') or '').strip()
+        or os.environ.get('RIDDLE_PROOF_STATIC_SERVER_COMMAND', '').strip()
+        or 'python3 -m http.server "$PORT" --bind 127.0.0.1'
+    )
+    target = target_path or state.get('server_path', '') or '/'
+    args = {
+        'directory': build_dir,
+        'command': static_server_command,
+        'port': int(state.get('server_port') or 3000),
+        'wait_until': 'domcontentloaded',
+        'readiness_timeout': 60,
+        'timeout': max(60, min(int(timeout or 300), 300)),
+        'path': target,
+        'readiness_path': '/',
+        'script': capture_script,
+    }
+    if state.get('wait_for_selector'):
+        args['wait_for_selector'] = state.get('wait_for_selector')
+    if state.get('color_scheme'):
+        args['color_scheme'] = state.get('color_scheme')
     apply_auth_context(state, args)
-    shot = invoke_retry('riddle_script', args, retries=3, timeout=max(timeout, 120))
+    shot = invoke_retry('riddle_server_preview', args, retries=2, timeout=max(timeout, 120))
     screenshots = shot.get('screenshots') or []
-    url = screenshots[0].get('url', '') if screenshots else ''
+    url = screenshots[0].get('url', '') if screenshots else capture_screenshot_url(shot, label)
     return {
         'ok': bool(url),
-        'preview_id': preview_id,
-        'preview_url': preview_url,
-        'capture_url': capture_url,
+        'preview_id': '',
+        'preview_url': shot.get('preview_url') or '',
+        'capture_url': shot.get('target_url') or target,
         'url': url,
         'raw': {
-            'preview': preview,
+            'preview': {
+                'ok': shot.get('ok'),
+                'runner': shot.get('runner'),
+                'preview_url': shot.get('preview_url') or '',
+                'target_url': shot.get('target_url') or '',
+            },
             'capture': shot,
         },
     }