leaderboard: open reports in new tab

Now that the Space is public, link completed submissions directly to their
proxied HTML reports instead of inlining large report payloads through the
row-click detail panel.

app.py

@@ -122,49 +122,12 @@ VALIDATION_GUIDELINES_MD = f"""Submissions appear on the **Unvalidated** table t
 
 Full policy: [`docs/benchmark/validation.md`]({VALIDATION_DOC_URL})."""
 
-DETAIL_PLACEHOLDER = "_Click a row above for details._"
 SUBMIT_STATUS_IDLE = (
     "_Log in, attach a zip, and click **Submit**. Progress and any "
     "errors appear here._"
 )
 
 
-def _has(value) -> bool:
-    """True for values that should show up in the detail panel."""
-    if value is None:
-        return False
-    if isinstance(value, float) and pd.isna(value):
-        return False
-    return str(value).strip() != ""
-
-
-def _build_report_iframe(html_bytes: bytes) -> str:
-    """Wrap a fetched report's HTML bytes into a self-contained iframe.
-
-    ``srcdoc`` puts the entire report HTML directly inside the iframe
-    attribute. The iframe gets its own document context, so the
-    report's CSS can't collide with Gradio's, and an explicit
-    ``height: 90vh`` keeps the report from being clipped by Gradio's
-    column-flex layout (which was the visible cut-off the user saw
-    in earlier rendering attempts).
-
-    The Space is private; the FastAPI ``/reports/<id>.html`` route
-    works server-side under Bearer auth but breaks for a logged-in
-    browser user (HF's edge gates same-origin pathname navigations
-    on a JWT that the browser doesn't carry forward). srcdoc
-    sidesteps that entirely by inlining the bytes; no second HTTP
-    request leaves the browser.
-    """
-    escaped = html.escape(
-        html_bytes.decode("utf-8", errors="replace"), quote=True,
-    )
-    return (
-        f'<iframe srcdoc="{escaped}" '
-        'style="width:100%; height:90vh; border:0; display:block;" '
-        'title="Submission report"></iframe>'
-    )
-
-
 def _data_error_banner_md(message: str | None) -> str:
     """Markdown for the top-of-tab data-unavailable banner.
 
@@ -523,58 +486,6 @@ def _admin_stop_delete(
     )
 
 
-def _format_detail_and_report(
-    df: pd.DataFrame | None, evt: gr.SelectData,
-) -> tuple[str, str]:
-    """Return ``(detail_markdown, report_iframe_html)`` for the clicked row.
-
-    The detail panel holds metadata (submitter, status, timestamp,
-    notes, links to ZIP and external agent URL). The HTML viewer
-    holds the rendered report when one exists (status == completed
-    AND the row carries the modern-pipeline ``submission_sha256``
-    sentinel) - the leaderboard reader computes ``report_url`` only
-    for rows that satisfy that gate.
-
-    Returns ``(DETAIL_PLACEHOLDER, "")`` on a null / out-of-range
-    event so the panel falls back to its initial state.
-    """
-    if df is None or len(df) == 0 or evt is None or evt.index is None:
-        return DETAIL_PLACEHOLDER, ""
-    idx = evt.index[0] if isinstance(evt.index, (list, tuple)) else evt.index
-    if idx < 0 or idx >= len(df):
-        return DETAIL_PLACEHOLDER, ""
-    row = df.iloc[idx]
-
-    title = row.get("submission_name") or "(unnamed submission)"
-    lines = [f"### {title}", ""]
-    if _has(row.get("submitter_name")):
-        lines.append(f"- **Submitter**: {row['submitter_name']}")
-    if _has(row.get("status")):
-        lines.append(f"- **Status**: {row['status']}")
-    if _has(row.get("submitted_at")):
-        lines.append(f"- **Submitted**: {_fmt_timestamp(row['submitted_at'])}")
-    if _has(row.get("notes")):
-        lines.append(f"- **Notes**: {row['notes']}")
-    lines.append(
-        f"- **Model details (optional)**: "
-        f"{row.get('model details (optional)') or '_None_'}"
-    )
-    if _has(row.get("submission_blob_url")):
-        lines.append(
-            f"- **Submission ZIP**: [download]({row['submission_blob_url']})"
-        )
-    if row.get("status") == "failed" and _has(row.get("failure_reason")):
-        lines.append(f"- **Failure reason**: {row['failure_reason']}")
-    detail_md = "\n".join(lines)
-
-    report_iframe = ""
-    if _has(row.get("report_url")) and _has(row.get("submission_id")):
-        content = _fetch_report_html(str(row["submission_id"]))
-        if content:
-            report_iframe = _build_report_iframe(content)
-    return detail_md, report_iframe
-
-
 @lru_cache(maxsize=128)
 def _fetch_report_html(submission_id: str) -> bytes | None:
     """Pull ``reports/<id>.html`` off the submissions dataset.
@@ -850,24 +761,12 @@ with gr.Blocks(title="CADGenBench Leaderboard", theme=gr.themes.Soft()) as block
         )
         download_btn.click(fn=build_combined_csv, outputs=download_btn)
 
-        # Row-click panel: one shared metadata markdown component +
-        # one report viewer below it. The viewer holds an iframe
-        # containing the full per-submission report (srcdoc-inlined
-        # so no second HTTP request needs to leave the browser - the
-        # Space is private and HF's edge would 404 same-origin
-        # pathname navigations that aren't carrying the iframe's
-        # short-lived `__sign` JWT). Both tables share both outputs.
-        detail_panel = gr.Markdown(
-            value=DETAIL_PLACEHOLDER,
-            label="Selected submission",
-        )
-        report_viewer = gr.HTML(value="", label="Report")
-        for view in (validated_view, unvalidated_view):
-            view.select(
-                fn=_format_detail_and_report,
-                inputs=view,
-                outputs=[detail_panel, report_viewer],
-            )
+        # No inline row-click detail panel: the submission_name cell is a
+        # deep-link that opens the self-contained per-submission report in
+        # a new tab (see `_submission_name_md` in leaderboard.py). Now that
+        # the Space is public, HF's edge serves `/reports/<id>.html` to
+        # browser users, so we link to it directly instead of inlining the
+        # (tens-to-hundreds-of-MB) report through the Gradio event payload.
 
     with gr.Tab("Submit"):
         gr.Markdown(

leaderboard.py

@@ -24,6 +24,7 @@ that the submit path also consumes.
 """
 from __future__ import annotations
 
+import html
 import json
 import logging
 import os
@@ -305,26 +306,32 @@ def _report_relative_url(submission_id, status, submission_sha256) -> str:
 
 
 def _submission_name_md(name, report_url) -> str:
-    """Render `submission_name` as plain text.
-
-    Earlier iterations wrapped this as a markdown link to the report
-    proxy at ``/reports/<id>.html``. On a private Space the link
-    works server-side (Bearer auth) but breaks for a logged-in user
-    in the browser: the iframe's `__sign` token doesn't propagate to
-    same-origin pathname navigations, and HF's edge returns 404
-    before the request reaches the FastAPI route. Reports are now
-    rendered inline via an iframe-srcdoc viewer below the detail
-    panel (see ``_format_detail_and_report`` in :mod:`app`), so the
-    submission_name cell stays plain text to avoid offering a link
-    that doesn't work.
-
-    `report_url` is accepted (and ignored) so the call sites don't
-    have to change when the Space eventually goes public and the
-    link can be restored.
+    """Render `submission_name`, linking to the report in a new tab.
+
+    Now that the Space is public, HF's edge serves the FastAPI
+    ``/reports/<id>.html`` route to in-browser users (it 404'd
+    same-origin pathname navigations while the Space was private,
+    which is why an earlier iteration kept this cell plain text and
+    inlined the report via an iframe-srcdoc viewer instead). So the
+    name cell becomes a deep-link that opens the self-contained
+    per-submission report in a **new tab** — the typical HF
+    leaderboard pattern, and far lighter than shipping the
+    (tens-to-hundreds-of-MB) report through the page on every click.
+
+    ``report_url`` is the relative ``/reports/<id>.html`` route the
+    reader computes only for completed modern-pipeline rows; rows
+    without one (pending / failed / legacy) render as plain text. The
+    name column is a ``markdown`` datatype, which renders inline HTML,
+    so a raw anchor with ``target="_blank"`` works; the name is
+    HTML-escaped so an odd submission name can't break the cell.
     """
     if _is_empty(name):
         return "(unnamed submission)"
-    return str(name)
+    label = html.escape(str(name))
+    if _is_empty(report_url):
+        return label
+    href = html.escape(str(report_url), quote=True)
+    return f'<a href="{href}" target="_blank" rel="noopener">{label}</a>'
 
 
 def load_leaderboard_split() -> tuple[pd.DataFrame, pd.DataFrame]:

tests/test_leaderboard.py

@@ -147,33 +147,32 @@ def test_hub_read_failure_raises_no_silent_fallback(monkeypatch):
         leaderboard.load_leaderboard_split()
 
 
-def test_submission_name_is_plain_text(monkeypatch):
-    """`submission_name` cells render as plain text on both tables.
-
-    Earlier iterations wrapped the name as a markdown link to the
-    report proxy, but the proxy URL 404s for logged-in users on a
-    private Space (no auth carryover on same-origin pathname
-    navigations). Reports are rendered inline via an iframe viewer
-    on row-click instead, so the name cell stays plain text.
+def test_submission_name_links_to_report_in_new_tab(monkeypatch):
+    """`submission_name` deep-links to the report in a new tab when one exists.
+
+    Now that the Space is public, the name cell is an anchor with
+    ``target="_blank"`` pointing at the ``/reports/<id>.html`` route
+    (completed modern-pipeline rows only). Rows without a report
+    (legacy / pre-pipeline, no ``submission_sha256``) stay plain text.
     """
     monkeypatch.setattr(leaderboard, "_load_rows_from_hub", lambda: _stub_rows())
     validated, unvalidated = leaderboard.load_leaderboard_split()
-    for name in [
-        "Alpha Agent v1",
-        "Beta Agent v2",
-        "Gamma baseline",
-    ]:
-        present = (
-            (validated["submission_name"] == name).any()
-            or (unvalidated["submission_name"] == name).any()
-        )
-        assert present, f"{name!r} should be present as a plain-text cell"
-    # The hidden `report_url` column is still computed (used by the
-    # row-click handler to decide whether to embed the report iframe).
+    # Modern completed rows -> new-tab anchor to their report route.
     alpha = validated.iloc[0]
     assert alpha["report_url"] == "/reports/sub-a.html"
-    gamma = unvalidated[unvalidated["submission_name"] == "Gamma baseline"].iloc[0]
+    assert alpha["submission_name"] == (
+        '<a href="/reports/sub-a.html" target="_blank" rel="noopener">'
+        "Alpha Agent v1</a>"
+    )
+    beta = unvalidated[unvalidated["submitter_name"] == "team-beta"].iloc[0]
+    assert beta["submission_name"] == (
+        '<a href="/reports/sub-b.html" target="_blank" rel="noopener">'
+        "Beta Agent v2</a>"
+    )
+    # Legacy row without a report -> plain text, no anchor.
+    gamma = unvalidated[unvalidated["submitter_name"] == "team-gamma"].iloc[0]
     assert gamma["report_url"] == ""
+    assert gamma["submission_name"] == "Gamma baseline"
 
 
 def test_model_details_column_renders(monkeypatch):

tests/test_proxy.py

@@ -1,24 +1,17 @@
-"""Unit tests for the report-proxy route and the inline iframe viewer.
+"""Unit tests for the report-proxy route.
 
-The Space exposes two paths for the per-submission HTML report:
-
-- ``/reports/{submission_id}.html`` (FastAPI route): re-serves the
-  file with ``Content-Type: text/html``. Works under Bearer auth
-  for programmatic clients; gets 404'd by HF's edge for logged-in
-  browser users on a private Space (no auth carryover across
-  same-origin pathname navigations). Kept as a backdoor / for the
-  future public migration.
-- ``_format_detail_and_report`` (row-click handler): server-side
-  fetches the report via ``hf_hub_download`` and inlines it into
-  an ``<iframe srcdoc=...>``. No browser HTTP request → no edge
-  auth gate → renders for any logged-in user.
+The Space exposes the per-submission HTML report at
+``/reports/{submission_id}.html`` (FastAPI route): it re-serves the
+file with ``Content-Type: text/html``. Now that the Space is public,
+HF's edge serves this route to in-browser users, so the leaderboard's
+submission_name cell links straight to it (opening in a new tab)
+rather than inlining the report into the page.
 
 Tests stub the Hub fetch via monkeypatch so the suite has zero
 network I/O.
 """
 from __future__ import annotations
 
-import re
 import types
 
 import pandas as pd
@@ -75,93 +68,6 @@ def test_proxy_route_is_registered():
     assert "/reports/{submission_id}.html" in routes
 
 
-# --- Inline iframe viewer (_format_detail_and_report) ----------------
-
-def _stub_row(**overrides):
-    base = {
-        "submission_id": "sub-test-x",
-        "submission_name": "Test Agent",
-        "submitter_name": "team-test",
-        "status": "completed",
-        "submitted_at": "2026-05-26T12:02:31Z",
-        "notes": None,
-        "model details (optional)": "_None_",
-        "submission_blob_url": "https://example.test/sub-test-x.zip",
-        "report_url": "/reports/sub-test-x.html",
-        "failure_reason": None,
-    }
-    base.update(overrides)
-    return pd.DataFrame([base])
-
-
-def _fake_evt(idx=0):
-    """Minimal stand-in for gr.SelectData with the .index attr we read."""
-    return types.SimpleNamespace(index=[idx, 0])
-
-
-def test_iframe_viewer_inlines_report_for_modern_row(monkeypatch):
-    """A completed modern row's HTML lands inside <iframe srcdoc>.
-
-    Confirms the fetched bytes are HTML-escaped (so `<html>` is not
-    re-parsed by the host page) and the iframe carries explicit
-    sizing so Gradio's column flex can't clip it vertically.
-    """
-    monkeypatch.setattr(
-        app, "_fetch_report_html",
-        lambda sid: b"<!DOCTYPE html><body><h1>Report for " + sid.encode() + b"</h1></body>",
-    )
-    df = _stub_row()
-    md, iframe = app._format_detail_and_report(df, _fake_evt())
-    assert "### Test Agent" in md
-    assert iframe.startswith('<iframe srcdoc="')
-    # HTML-escaped content: literal "<!DOCTYPE html>" becomes
-    # "&lt;!DOCTYPE html&gt;" inside the attribute.
-    assert "&lt;!DOCTYPE html&gt;" in iframe
-    assert "sub-test-x" in iframe
-    assert 'style="width:100%; height:90vh; border:0; display:block;"' in iframe
-
-
-def test_iframe_viewer_empty_for_pending_or_failed_row(monkeypatch):
-    """Rows without a report_url get an empty viewer (no iframe at all).
-
-    Pending: still evaluating; no report exists yet. Failed: eval
-    crashed; no report uploaded. Legacy: pre-modern-pipeline; the
-    file genuinely doesn't exist on the dataset. All three are
-    handled by the same `report_url == ""` gate.
-    """
-    monkeypatch.setattr(app, "_fetch_report_html", lambda sid: b"unused")
-    for row_overrides in [
-        {"status": "pending", "report_url": ""},
-        {"status": "failed", "report_url": "", "failure_reason": "boom"},
-        {"status": "completed", "report_url": ""},  # legacy
-    ]:
-        df = _stub_row(**row_overrides)
-        md, iframe = app._format_detail_and_report(df, _fake_evt())
-        assert iframe == "", f"expected empty viewer for {row_overrides}"
-        # The metadata panel still renders.
-        assert "### Test Agent" in md
-
-
-def test_iframe_viewer_falls_back_to_empty_when_fetch_fails(monkeypatch):
-    """If _fetch_report_html returns None (Hub blip), no iframe is emitted.
-
-    Avoids surfacing a broken iframe on a transient failure.
-    """
-    monkeypatch.setattr(app, "_fetch_report_html", lambda sid: None)
-    df = _stub_row()
-    _md, iframe = app._format_detail_and_report(df, _fake_evt())
-    assert iframe == ""
-
-
-def test_iframe_viewer_returns_placeholder_on_null_event():
-    """A null SelectData (no row clicked) returns placeholder + empty viewer."""
-    df = _stub_row()
-    fake = types.SimpleNamespace(index=None)
-    md, iframe = app._format_detail_and_report(df, fake)
-    assert md == app.DETAIL_PLACEHOLDER
-    assert iframe == ""
-
-
 # --- Boot resilience: no silent fallback, but no crash either -------
 #
 # leaderboard.load_leaderboard_split / load_admin_table *raise*
@@ -304,25 +210,3 @@ def test_refresh_handler_shows_banner_and_warns_on_error(monkeypatch):
     assert len(validated) == 0 and len(unvalidated) == 0
     # The banner output is a gr.Markdown update flipped visible.
     assert getattr(banner, "visible", None) is True
-
-
-def test_iframe_escape_is_attribute_safe(monkeypatch):
-    """Quotes / ampersands inside the report HTML are escaped properly.
-
-    A `"` inside the report would otherwise terminate the srcdoc
-    attribute prematurely and break parsing. Regression guard.
-    """
-    monkeypatch.setattr(
-        app, "_fetch_report_html",
-        lambda sid: b'<html><body>tag: <a href="https://x.test">x</a> & co.</body></html>',
-    )
-    df = _stub_row()
-    _md, iframe = app._format_detail_and_report(df, _fake_evt())
-    # Within the srcdoc value, double-quotes must be HTML-escaped.
-    srcdoc = re.search(r'srcdoc="(.*)"\s+style=', iframe, re.DOTALL)
-    assert srcdoc is not None
-    inner = srcdoc.group(1)
-    # No unescaped " inside the attribute value.
-    assert '"' not in inner
-    assert "&quot;" in inner
-    assert "&amp;" in inner