app: render reports inline via iframe srcdoc (private-Space safe)

Polish follow-up on C6. Reports now render inside the Space, inside
the same iframe HF uses to host the leaderboard, with no second
HTTP request leaving the browser.

Why: the Space is private, and HF's edge gates same-origin pathname
navigations on a short-lived __sign JWT that browsers don't carry
forward when a user clicks a relative link. The previous design
(submission_name -> /reports/<id>.html) worked server-side under
Bearer auth (verified) but 404'd in the browser. Confirmed via
external review and reproduced with a requests.Session cookie test.

This commit:

- Drops the submission_name -> /reports/<id>.html link wrapping
from the rendered table; the cell stays plain text. The
underlying `report_url` column (relative URL to the proxy) is
still computed for the modern-pipeline gate but no longer
surfaced as a clickable cell.
- Adds a `gr.HTML` viewer below the detail panel. Row-click
triggers `_format_detail_and_report`, which returns
(detail_markdown, report_iframe_html). The iframe wraps the
full report HTML via `srcdoc` so the report's CSS gets its own
document context (no Gradio flex-column clipping; explicit
`height: 90vh`).
- Keeps the FastAPI `/reports/{submission_id}.html` route as a
backdoor (works under Bearer for tooling and survives the
future public migration where it'll just become user-reachable).

Why srcdoc and not src=URL: srcdoc inlines the bytes so the
browser doesn't need to issue an authenticated second request to
the Space's edge. When the Space goes public, swap srcdoc for
src=/reports/<id>.html and the iframe keeps the same layout
isolation - 1-line change.

Verification (autonomous, no user involvement):

- 19/19 unit tests green. New tests cover the iframe handler:
modern row -> iframe-srcdoc with HTML-escaped body; pending /
failed / legacy rows -> empty viewer; fetch failure -> empty
viewer (no broken iframe); null select event -> placeholder;
attribute escaping safe against `"` and `&` in the report
content.
- Real report inspection: fetched a known modern report,
1.38 MB, 45 images all base64-inlined as PNG, no external
URLs, all expected sections present (INTERFACE OVERLAY, axis
labels, per-fixture blocks). The earlier visible cut-off was
Gradio's column flex, not the report - confirmed.
- Local boot probe: app.py serves /, the /reports/<sid>.html
backdoor returns 200 + text/html + 1.4 MB body, /reports/<bogus>
returns 404.

Post-push live probe runs next; will surface only if it fails.

app.py

@@ -10,6 +10,7 @@ rather than render).
 """
 from __future__ import annotations
 
+import html
 import logging
 import os
 import re
@@ -92,24 +93,53 @@ def _fmt_timestamp(ts) -> str:
     return str(ts)
 
 
-def _format_detail(df: pd.DataFrame | None, evt: gr.SelectData) -> str:
-    """Build the row-detail markdown for the clicked submission.
+def _build_report_iframe(html_bytes: bytes) -> str:
+    """Wrap a fetched report's HTML bytes into a self-contained iframe.
 
-    Pulls hidden columns (``notes``, ``failure_reason``,
-    ``submission_id``) that ride in the underlying DataFrame plus
-    the visible link cells (already pre-formatted as ``[label](url)``
-    by ``leaderboard.py``'s ``_project_and_format``).
-    ``failure_reason`` only shows on ``failed`` rows;
-    ``report_url`` is only non-empty for completed rows from the
-    modern submit pipeline (leaderboard.py gates on
-    ``submission_sha256`` so legacy rows don't render a broken
-    /resolve/ link).
+    ``srcdoc`` puts the entire report HTML directly inside the iframe
+    attribute. The iframe gets its own document context, so the
+    report's CSS can't collide with Gradio's, and an explicit
+    ``height: 90vh`` keeps the report from being clipped by Gradio's
+    column-flex layout (which was the visible cut-off the user saw
+    in earlier rendering attempts).
+
+    The Space is private; the FastAPI ``/reports/<id>.html`` route
+    works server-side under Bearer auth but breaks for a logged-in
+    browser user (HF's edge gates same-origin pathname navigations
+    on a JWT that the browser doesn't carry forward). srcdoc
+    sidesteps that entirely by inlining the bytes; no second HTTP
+    request leaves the browser.
+    """
+    escaped = html.escape(
+        html_bytes.decode("utf-8", errors="replace"), quote=True,
+    )
+    return (
+        f'<iframe srcdoc="{escaped}" '
+        'style="width:100%; height:90vh; border:0; display:block;" '
+        'title="Submission report"></iframe>'
+    )
+
+
+def _format_detail_and_report(
+    df: pd.DataFrame | None, evt: gr.SelectData,
+) -> tuple[str, str]:
+    """Return ``(detail_markdown, report_iframe_html)`` for the clicked row.
+
+    The detail panel holds metadata (submitter, status, timestamp,
+    notes, links to ZIP and external agent URL). The HTML viewer
+    holds the rendered report when one exists (status == completed
+    AND the row carries the modern-pipeline ``submission_sha256``
+    sentinel) - the leaderboard reader computes ``report_url`` only
+    for rows that satisfy that gate.
+
+    Returns ``(DETAIL_PLACEHOLDER, "")`` on a null / out-of-range
+    event so the panel falls back to its initial state.
     """
     if df is None or len(df) == 0 or evt is None or evt.index is None:
-        return DETAIL_PLACEHOLDER
+        return DETAIL_PLACEHOLDER, ""
     idx = evt.index[0] if isinstance(evt.index, (list, tuple)) else evt.index
     if idx < 0 or idx >= len(df):
-        return DETAIL_PLACEHOLDER
+        return DETAIL_PLACEHOLDER, ""
     row = df.iloc[idx]
 
     title = row.get("submission_name") or "(unnamed submission)"
@@ -122,20 +152,24 @@ def _format_detail(df: pd.DataFrame | None, evt: gr.SelectData) -> str:
         lines.append(f"- **Submitted**: {_fmt_timestamp(row['submitted_at'])}")
     if _has(row.get("notes")):
         lines.append(f"- **Notes**: {row['notes']}")
-    # `model details (optional)` carries the markdown link (or
-    # _None_ when missing); the hidden `submission_blob_url` /
-    # `report_url` columns are raw URLs we wrap into named links here.
     lines.append(
         f"- **Model details (optional)**: "
         f"{row.get('model details (optional)') or '_None_'}"
     )
     if _has(row.get("submission_blob_url")):
-        lines.append(f"- **Submission ZIP**: [download]({row['submission_blob_url']})")
-    if _has(row.get("report_url")):
-        lines.append(f"- **Report**: [open]({row['report_url']})")
+        lines.append(
+            f"- **Submission ZIP**: [download]({row['submission_blob_url']})"
+        )
     if row.get("status") == "failed" and _has(row.get("failure_reason")):
         lines.append(f"- **Failure reason**: {row['failure_reason']}")
-    return "\n".join(lines)
+    detail_md = "\n".join(lines)
+
+    report_iframe = ""
+    if _has(row.get("report_url")) and _has(row.get("submission_id")):
+        content = _fetch_report_html(str(row["submission_id"]))
+        if content:
+            report_iframe = _build_report_iframe(content)
+    return detail_md, report_iframe
 
 
 @lru_cache(maxsize=128)
@@ -212,25 +246,24 @@ with gr.Blocks(title="CADGenBench Leaderboard", theme=gr.themes.Soft()) as block
             outputs=[validated_view, unvalidated_view],
         )
 
-        # Row-click detail panel: a single shared markdown component
-        # below the tables, populated by either table's .select()
-        # event. Pulls hidden columns (notes, failure_reason,
-        # submission_id) plus the visible link cells (already pre-
-        # formatted as markdown by leaderboard.py) for the row.
+        # Row-click panel: one shared metadata markdown component +
+        # one report viewer below it. The viewer holds an iframe
+        # containing the full per-submission report (srcdoc-inlined
+        # so no second HTTP request needs to leave the browser - the
+        # Space is private and HF's edge would 404 same-origin
+        # pathname navigations that aren't carrying the iframe's
+        # short-lived `__sign` JWT). Both tables share both outputs.
         detail_panel = gr.Markdown(
             value=DETAIL_PLACEHOLDER,
             label="Selected submission",
         )
-        validated_view.select(
-            fn=_format_detail,
-            inputs=validated_view,
-            outputs=detail_panel,
-        )
-        unvalidated_view.select(
-            fn=_format_detail,
-            inputs=unvalidated_view,
-            outputs=detail_panel,
-        )
+        report_viewer = gr.HTML(value="", label="Report")
+        for view in (validated_view, unvalidated_view):
+            view.select(
+                fn=_format_detail_and_report,
+                inputs=view,
+                outputs=[detail_panel, report_viewer],
+            )
 
     with gr.Tab("Submit"):
         gr.Markdown(

leaderboard.py

@@ -247,17 +247,26 @@ def _report_relative_url(submission_id, status, submission_sha256) -> str:
 
 
 def _submission_name_md(name, report_url) -> str:
-    """Render `submission_name` as a markdown link when a report exists.
-
-    The submission name itself is the link target (typical HF
-    leaderboard pattern: model / system name doubles as the
-    deep-link). Plain text when no report is available.
+    """Render `submission_name` as plain text.
+
+    Earlier iterations wrapped this as a markdown link to the report
+    proxy at ``/reports/<id>.html``. On a private Space the link
+    works server-side (Bearer auth) but breaks for a logged-in user
+    in the browser: the iframe's `__sign` token doesn't propagate to
+    same-origin pathname navigations, and HF's edge returns 404
+    before the request reaches the FastAPI route. Reports are now
+    rendered inline via an iframe-srcdoc viewer below the detail
+    panel (see ``_format_detail_and_report`` in :mod:`app`), so the
+    submission_name cell stays plain text to avoid offering a link
+    that doesn't work.
+
+    `report_url` is accepted (and ignored) so the call sites don't
+    have to change when the Space eventually goes public and the
+    link can be restored.
     """
     if _is_empty(name):
         return "(unnamed submission)"
-    if _is_empty(report_url):
-        return str(name)
-    return f"[{name}]({report_url})"
+    return str(name)
 
 
 def load_leaderboard_split() -> tuple[pd.DataFrame, pd.DataFrame]:

tests/test_leaderboard.py

@@ -133,39 +133,32 @@ def test_empty_input_returns_two_empty_frames(monkeypatch):
     assert list(unvalidated.columns) == leaderboard.LEADERBOARD_COLS
 
 
-def test_submission_name_links_to_report_when_available(monkeypatch):
-    """`submission_name` cell is a markdown link to the proxy when a report exists.
-
-    Modern rows (status=="completed" + non-null submission_sha256)
-    get ``[<name>](/reports/<sid>.html)``; the relative URL targets
-    the Space's report proxy.
+def test_submission_name_is_plain_text(monkeypatch):
+    """`submission_name` cells render as plain text on both tables.
+
+    Earlier iterations wrapped the name as a markdown link to the
+    report proxy, but the proxy URL 404s for logged-in users on a
+    private Space (no auth carryover on same-origin pathname
+    navigations). Reports are rendered inline via an iframe viewer
+    on row-click instead, so the name cell stays plain text.
     """
     monkeypatch.setattr(leaderboard, "_load_rows_from_hub", lambda: _stub_rows())
     validated, unvalidated = leaderboard.load_leaderboard_split()
-
-    # Alpha is a modern completed row -> linked name.
+    for name in [
+        "Alpha Agent v1",
+        "Beta Agent v2",
+        "Gamma baseline",
+    ]:
+        present = (
+            (validated["submission_name"] == name).any()
+            or (unvalidated["submission_name"] == name).any()
+        )
+        assert present, f"{name!r} should be present as a plain-text cell"
+    # The hidden `report_url` column is still computed (used by the
+    # row-click handler to decide whether to embed the report iframe).
     alpha = validated.iloc[0]
-    assert alpha["submission_name"] == "[Alpha Agent v1](/reports/sub-a.html)"
-    # Beta likewise (also completed, has sha256).
-    beta = unvalidated[
-        unvalidated["submission_name"].str.contains("Beta Agent v2", regex=False)
-    ].iloc[0]
-    assert beta["submission_name"] == "[Beta Agent v2](/reports/sub-b.html)"
-
-
-def test_legacy_row_submission_name_is_plain_text(monkeypatch):
-    """Rows without submission_sha256 (legacy seeds) keep plain-text names.
-
-    No `reports/<id>.html` exists on the dataset for those rows, so
-    we don't wrap the name in a link.
-    """
-    monkeypatch.setattr(leaderboard, "_load_rows_from_hub", lambda: _stub_rows())
-    _, unvalidated = leaderboard.load_leaderboard_split()
+    assert alpha["report_url"] == "/reports/sub-a.html"
     gamma = unvalidated[unvalidated["submission_name"] == "Gamma baseline"].iloc[0]
-    # Plain text: no `[...](...)` wrapping.
-    assert "[" not in gamma["submission_name"]
-    assert "](" not in gamma["submission_name"]
-    # And the hidden report_url column is empty for the same reason.
     assert gamma["report_url"] == ""
 
 

tests/test_proxy.py

@@ -1,14 +1,28 @@
-"""Unit tests for the per-submission report proxy route.
-
-The Space exposes ``/reports/{submission_id}.html`` which fetches the
-file from the submissions dataset and re-serves it as
-``Content-Type: text/html`` (the dataset's ``/resolve/`` returns it
-as ``text/plain``, which makes the browser show source). Tests cover
-the handler's response shape with the fetch monkeypatched out, so
-the suite has zero network I/O.
+"""Unit tests for the report-proxy route and the inline iframe viewer.
+
+The Space exposes two paths for the per-submission HTML report:
+
+- ``/reports/{submission_id}.html`` (FastAPI route): re-serves the
+  file with ``Content-Type: text/html``. Works under Bearer auth
+  for programmatic clients; gets 404'd by HF's edge for logged-in
+  browser users on a private Space (no auth carryover across
+  same-origin pathname navigations). Kept as a backdoor / for the
+  future public migration.
+- ``_format_detail_and_report`` (row-click handler): server-side
+  fetches the report via ``hf_hub_download`` and inlines it into
+  an ``<iframe srcdoc=...>``. No browser HTTP request → no edge
+  auth gate → renders for any logged-in user.
+
+Tests stub the Hub fetch via monkeypatch so the suite has zero
+network I/O.
 """
 from __future__ import annotations
 
+import re
+import types
+
+import pandas as pd
+
 import app
 
 
@@ -58,3 +72,112 @@ def test_proxy_route_is_registered():
     """
     routes = [getattr(r, "path", None) for r in app.app.routes]
     assert "/reports/{submission_id}.html" in routes
+
+
+# --- Inline iframe viewer (_format_detail_and_report) ----------------
+
+def _stub_row(**overrides):
+    base = {
+        "submission_id": "sub-test-x",
+        "submission_name": "Test Agent",
+        "submitter_name": "team-test",
+        "status": "completed",
+        "submitted_at": "2026-05-26T12:02:31Z",
+        "notes": None,
+        "model details (optional)": "_None_",
+        "submission_blob_url": "https://example.test/sub-test-x.zip",
+        "report_url": "/reports/sub-test-x.html",
+        "failure_reason": None,
+    }
+    base.update(overrides)
+    return pd.DataFrame([base])
+
+
+def _fake_evt(idx=0):
+    """Minimal stand-in for gr.SelectData with the .index attr we read."""
+    return types.SimpleNamespace(index=[idx, 0])
+
+
+def test_iframe_viewer_inlines_report_for_modern_row(monkeypatch):
+    """A completed modern row's HTML lands inside <iframe srcdoc>.
+
+    Confirms the fetched bytes are HTML-escaped (so `<html>` is not
+    re-parsed by the host page) and the iframe carries explicit
+    sizing so Gradio's column flex can't clip it vertically.
+    """
+    monkeypatch.setattr(
+        app, "_fetch_report_html",
+        lambda sid: b"<!DOCTYPE html><body><h1>Report for " + sid.encode() + b"</h1></body>",
+    )
+    df = _stub_row()
+    md, iframe = app._format_detail_and_report(df, _fake_evt())
+    assert "### Test Agent" in md
+    assert iframe.startswith('<iframe srcdoc="')
+    # HTML-escaped content: literal "<!DOCTYPE html>" becomes
+    # "&lt;!DOCTYPE html&gt;" inside the attribute.
+    assert "&lt;!DOCTYPE html&gt;" in iframe
+    assert "sub-test-x" in iframe
+    assert 'style="width:100%; height:90vh; border:0; display:block;"' in iframe
+
+
+def test_iframe_viewer_empty_for_pending_or_failed_row(monkeypatch):
+    """Rows without a report_url get an empty viewer (no iframe at all).
+
+    Pending: still evaluating; no report exists yet. Failed: eval
+    crashed; no report uploaded. Legacy: pre-modern-pipeline; the
+    file genuinely doesn't exist on the dataset. All three are
+    handled by the same `report_url == ""` gate.
+    """
+    monkeypatch.setattr(app, "_fetch_report_html", lambda sid: b"unused")
+    for row_overrides in [
+        {"status": "pending", "report_url": ""},
+        {"status": "failed", "report_url": "", "failure_reason": "boom"},
+        {"status": "completed", "report_url": ""},  # legacy
+    ]:
+        df = _stub_row(**row_overrides)
+        md, iframe = app._format_detail_and_report(df, _fake_evt())
+        assert iframe == "", f"expected empty viewer for {row_overrides}"
+        # The metadata panel still renders.
+        assert "### Test Agent" in md
+
+
+def test_iframe_viewer_falls_back_to_empty_when_fetch_fails(monkeypatch):
+    """If _fetch_report_html returns None (Hub blip), no iframe is emitted.
+
+    Avoids surfacing a broken iframe on a transient failure.
+    """
+    monkeypatch.setattr(app, "_fetch_report_html", lambda sid: None)
+    df = _stub_row()
+    _md, iframe = app._format_detail_and_report(df, _fake_evt())
+    assert iframe == ""
+
+
+def test_iframe_viewer_returns_placeholder_on_null_event():
+    """A null SelectData (no row clicked) returns placeholder + empty viewer."""
+    df = _stub_row()
+    fake = types.SimpleNamespace(index=None)
+    md, iframe = app._format_detail_and_report(df, fake)
+    assert md == app.DETAIL_PLACEHOLDER
+    assert iframe == ""
+
+
+def test_iframe_escape_is_attribute_safe(monkeypatch):
+    """Quotes / ampersands inside the report HTML are escaped properly.
+
+    A `"` inside the report would otherwise terminate the srcdoc
+    attribute prematurely and break parsing. Regression guard.
+    """
+    monkeypatch.setattr(
+        app, "_fetch_report_html",
+        lambda sid: b'<html><body>tag: <a href="https://x.test">x</a> & co.</body></html>',
+    )
+    df = _stub_row()
+    _md, iframe = app._format_detail_and_report(df, _fake_evt())
+    # Within the srcdoc value, double-quotes must be HTML-escaped.
+    srcdoc = re.search(r'srcdoc="(.*)"\s+style=', iframe, re.DOTALL)
+    assert srcdoc is not None
+    inner = srcdoc.group(1)
+    # No unescaped " inside the attribute value.
+    assert '"' not in inner
+    assert "&quot;" in inner
+    assert "&amp;" in inner