v2.1 §11.2's real acceptance test is a human action: open the page, look, confirm amber is not green. That is the render boundary, and it is the only one with no machine check, because the dashboard is an uncontracted UI: it declares no state model, so the only available tooling is snapshot/visual-regression, which asserts "matches the recording," not "satisfies an invariant."

v3 specifies the oracle: a headless process that consumes the read surface, folds the event stream into a canonical state from this spec, and asserts the live DOM is a faithful projection of that state. It is read-only. It never ingests, never binds, never touches the receiver's internals. It converts the render boundary from human-in-the-loop to a sandboxed pass/fail.

Tom Bombadil is the figure outside the system's power: the Ring does not act on him because he is not part of the order it governs. The oracle is Bombadil. It computes the canonical state from the event stream and this spec's reducer, never from the dashboard's code, so a buggy dashboard cannot corrupt the reference it is judged against. The dashboard is inside the system under test; the oracle stands outside it.

The render-conformance predicate, stated once:

observe(DOM)  ≡  project( fold( stream ) )

• fold is the reference reducer (§4): event stream → canonical state. Spec-derived, total.
• project is the declared lossy map (§5): canonical state → expected semantic DOM.
• observe extracts the actual semantic DOM (§6) from the live page.
• ≡ is observational equality over the semantic surface (§6), not pixels.

Everything interesting is in the totality of fold over hostile input and the exactness of project. If both are honored the predicate is dull, which is the point: dull is what "verified" should feel like.

The oracle MUST NOT hard-code read paths. It MUST start at GET / (v2.1 §6.2), read _links, and use rel = info, snapshot, stream to resolve the probe, the snapshot read, and the live feed. A receiver that moves a path but keeps the index stays oracle-compatible. The oracle MUST treat a missing _links entry it needs as a discovery failure, distinct from a render failure.

project is the exact set of transforms the DOM applies. The oracle computes them and asserts the DOM matches. These are the dashboard's render rules promoted to a contract.

Render invariants, the ones worth a fixture each:

P-COLOR   for all s != ok : color(s) != green               ; the visible end of I-COERCE
P-BADGE   mode=demo => badge present on EVERY tick, not just first paint
P-EMPTY   live ∧ empty => empty state, never synthetic rows  ; provenance, not "never blank"
P-LOSSY   the DOM shows ONLY projected forms; the oracle compares against project(state),
          so an over-faithful DOM (e.g. full id) is a conformance miss as much as a wrong one

This is the minimal addition that converts the dashboard from uncontracted to contracted. To be oracle-checkable, the dashboard MUST expose a stable semantic surface, so observe reads structure, not pixels and not brittle text position.

- one element per rendered sighting carrying:
    data-cn-id, data-cn-name, data-cn-service, data-cn-duration-ms,
    data-cn-status (raw enum: ok|error|unknown), data-cn-origin, data-cn-sha
- the status COLOR is a class the oracle can map back to {green,red,amber}
  (so P-COLOR is checkable without sampling pixels)
- a root element carrying data-cn-mode = live|demo|version-mismatch|access-denied
- an empty-state element with data-cn-empty when applicable
- a poisoned-state element with data-cn-poisoned when applicable

observe reads these into the same State shape fold produces, and the predicate is a structural diff. Without this surface the oracle degrades to text scraping, which reintroduces the snapshot brittleness v3 exists to remove. The semantic DOM contract IS the UI's state contract: it is the declared projection surface, the thing a normal dashboard never publishes.

digraph harness {
  rankdir=LR;
  bgcolor=white;
  graph [fontname="Helvetica", fontsize=11, pad=0.3, nodesep=0.45, ranksep=0.55];
  node  [fontname="Helvetica", fontsize=10, style="rounded,filled", shape=box, penwidth=1.2];
  edge  [fontname="Helvetica", fontsize=9, color="#888888", fontcolor="#555555"];

  // Fixture stream -- blue family (Tailwind 50/100/700)
  S   [label="scripted stream\nfixture sequence",
       fillcolor="#dbeafe", color="#1d4ed8", fontcolor="#1d4ed8"];

  // Receiver + browser -- amber family
  RCV [label="controlled receiver\n(reference or fixture-driven)",
       fillcolor="#fef3c7", color="#b45309", fontcolor="#b45309"];
  PG  [label="headless browser\nreal dashboard bundle",
       fillcolor="#fef3c7", color="#b45309", fontcolor="#b45309"];

  // Oracle -- violet family
  ORC [label="oracle: fold + project",
       fillcolor="#ede9fe", color="#6d28d9", fontcolor="#6d28d9"];

  // Compare + report -- green family
  CMP [label="≡ ?", shape=diamond,
       fillcolor="#dcfce7", color="#15803d", fontcolor="#15803d"];
  R   [label="conformance report\nper-invariant pass/fail",
       fillcolor="#dcfce7", color="#15803d", fontcolor="#15803d"];

  S   -> RCV;
  RCV -> PG  [label="read surface"];
  S   -> ORC;
  PG  -> CMP [label="observe semantic DOM"];
  ORC -> CMP;
  CMP -> R;
}

• Headless browser. Playwright or equivalent loading the real production bundle.
• Controlled receiver. The oracle drives a receiver it scripts (the reference receiver in a fixture mode, or a fixture player), so the stream is deterministic.
• Local-network grant. The harness MUST pre-grant local-network access for the dashboard origin so the loopback probe is not blocked headlessly (Playwright context permission grant / CDP / launch policy). The oracle is also the one place access-denied is testable: run once granted (expect live), once denied (expect access-denied, NOT demo). A deployed client cannot script this.
• Settling. The dashboard is poll-or-stream (v2.1 §7; the shipped bundle polls). The oracle MUST settle on the read mode it observes: for poll, await the next interval; for SSE, assert prepend-on-event. Conformance is judged on the settled DOM.
• Diff. Structural, over the semantic surface, against project(fold(stream)).

// scaffold; contract-bearing parts concrete, scripting marked TODO.
import { chromium } from "playwright";

const DASH = "https://wal.sh/tools/crowsnest/";
const ORIGIN = "https://wal.sh";

export async function runOracle(stream /* Event[] */, opts = { grant: true }) {
  const browser = await chromium.launch();
  const ctx = await browser.newContext();
  // LNA: pre-grant (or withhold) the loopback permission for the origin.
  if (opts.grant) await ctx.grantPermissions(["local-network-access"], { origin: ORIGIN });
  const page = await ctx.newPage();

  // TODO(builder): start a controlled receiver, replay `stream` into it.
  await page.goto(DASH);
  await settle(page);                       // TODO: await poll tick or SSE drain

  const observed = await observe(page);     // read data-cn-* into State shape
  const expected = project(fold(stream));   // Bombadil reference, spec-derived
  const report = diff(expected, observed, INVARIANTS); // per-invariant pass/fail
  await browser.close();
  return report;
}
// fold / project / observe / diff: §4 §5 §6. INVARIANTS: I-* and P-*.

These are stated as non-requirements, not omitted, because the trust domain is the local box. Each carries the condition under which it would become a requirement (§10).

NR-AUTH    the read surface is unauthenticated by loopback trust; the oracle models no
           identity, session, or credential. Becomes a requirement off-box (§10).
NR-CONF    no confidentiality on-box: any local process can GET the log. The oracle does
           not test access control because there is none by design.
NR-INTEG   no provenance on sightings: any local process can POST. The oracle tests
           render faithfulness, not authenticity of the data rendered.
NR-XSS     F1 (a same-origin script can read the whole log) is an acknowledged residual
           of the v2.1 boundary audit. Out of oracle scope: the oracle judges whether the
           DOM faithfully projects state, not whether the page is XSS-free. (If you want
           the XSS-inert-render check, that is a separate dashboard fixture, not the oracle.)
NR-LNA     the only browser-plane gate the oracle handles is the local-network grant and
           connect-src; both are loopback-scoped and pre-granted in the harness.

The honest framing: these are non-requirements because nothing crosses the machine. Section 10 is the same oracle with the box removed, where every NR above except NR-XSS inverts into a requirement.

The oracle passes iff every fixture's observe ≡ project(fold) holds. The two marked [hole] are the regions v2.1 §11.2 structurally could not reach, because §11.2 requires a live receiver and so never exercises receiver-absent or denied paths.

O1  minimal        one ok sighting             -> one green row, projected forms
O2  coercion       status="warning"            -> amber row (P-COLOR), never green
O3  order          three out-of-order arrivals -> newest-first (I-ORDER)
O4  cap            120 sightings               -> exactly 100 rendered (I-CAP)
O5  poison         one duration=NaN in stream  -> empty log + poisoned indicator (I-POISON)
O6  host           attrs.host=nexus            -> origin column = nexus
O7  demo  [hole]   no receiver                 -> demo badge, persists across >=3 ticks (P-BADGE)
O8  empty          live, empty log             -> explicit empty state, no seeds (P-EMPTY)
O9  vmismatch      receiver MAJOR != dashboard -> version badge, not demo
O10 denied [hole]  receiver up, grant withheld -> access-denied hint, not demo (NR-LNA)

- A stream whose fold/project says row R should render, and the settled DOM lacks R.
- The DOM renders a status as green that fold marked unknown (P-COLOR / I-COERCE).
- A demo session whose badge is present at first paint and absent after a later tick.
- A poisoned stream that renders any rows instead of the empty+poisoned state.
- The oracle cannot distinguish access-denied from demo even with grant control (then
  §4.4's four-state model is unobservable and collapses to three; spec must say so).
- The dashboard exposes no stable semantic surface (§6), forcing text scraping (then v3
  has not actually contracted the UI and the render boundary is still open).

The sighting is a degenerate case of a general shape: an observation of a monitored entity's state over time. The oracle pattern, fold an event stream into canonical state, project to a view, assert the rendered view, is indifferent to whether the entity is a local agent operation or a production service. The Prisma model you pasted is that general shape already.

The :REVIEW: drawers above register this draft into wal-sh.site.annotations. To inspect open reviews from the REPL:

(require '[wal-sh.site.annotations :as ann])
(def d (ann/scan-site "site/tools/crowsnest"))   ; scan this spec's directory
(def v3 (filter #(re-find #"spec-v3" (:file %)) d))
(ann/needs-review v3)                            ; reviewers see this list
;; clear an item by adding to its drawer: :VERIFIED_AT:, :VERIFIED_BY:, :VERDICT:
;; per-verdict filters:
;; (ann/by-verdict v3 "correct") / "corrected" / "disputed" / "needs-citation"