Phase-1c: resource plan -> 4GB/4GB under a 12GB guideline (not 2GB)

Per operator: don't downsize cc-nix-test to 2GB. Instead raise the terraform-ci running-RAM
guideline to ~12GB (it's doc-only — the project has no enforced limits.memory; b1 is 16GB),
resize cc-nix-test 6->4GB, and create the throwaway VM at 4GB (4+4+lichen 4 = 12 <= 16).
Updated W1/W3/C6/§4 and the incus memory note.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

cc-ci-plan/plan-phase1c-full-reproducibility.md

@@ -92,10 +92,12 @@ Terminates only when every item holds **and the Adversary has independently re-v
       single aspect genuinely can't be reproduced, it is a narrowly-scoped, Adversary-signed-off
       limitation with the maximal tested subset (bar per Phase-1b §7.1 / Adversary mandate) — not a
       blanket "infeasible."
-- [ ] **C6 — Resource fit + cleanup.** `cc-nix-test` resized to **2 GB** to free b1 headroom for a
-      properly-sized throwaway VM (§5 step 1); the throwaway VM is **destroyed** after the test (no
-      leftover, respect the `terraform-ci` <10 GB-running cap); final `cc-nix-test` sizing decided and
-      applied (restore to 6 GB, or promote the rebuilt VM — record in `DECISIONS.md`).
+- [ ] **C6 — Resource fit + cleanup.** `cc-nix-test` resized **6 GB→4 GB** and the throwaway VM
+      created at **4 GB**, within the **~12 GB running-RAM guideline** (cc-nix-test 4 + lichen-staging 4
+      + throwaway 4 = 12 ≤ 16 GB physical on b1; the guideline is doc-only, not an enforced project
+      limit). The throwaway VM is **destroyed** after the test (no leftover). Final `cc-nix-test`
+      sizing decided and applied (keep 4 GB, restore to 6 GB, or promote the rebuilt VM — record in
+      `DECISIONS.md`).
 - [ ] **C7 — Docs.** `docs/install.md`, `docs/secrets.md`, `architecture.md`, and the main plan's
       cert/secret references (§1.5/§4.0/§4.4) updated to the new model: clone base+instance + provision
       the age key + (external) DNS/gateway → one `nixos-rebuild switch`. A new engineer can stand up a
@@ -111,24 +113,26 @@ The loops normally only `ssh cc-ci`. For 1c they MAY drive Incus on **b1** (resi
 create/destroy ONE throwaway VM in `terraform-ci`), using the mTLS certs at
 `/srv/incus-terraform-nix-vm-creator/terraform-secrets/` through the existing SOCKS proxy
 (`127.0.0.1:1055`) — see the incus skill (`/srv/incus-terraform-nix-vm-creator/skills/incus-terraform/SKILL.md`)
-and [[cc-ci-vm-incus]]. Guardrails: only `terraform-ci`; **respect the <10 GB running-RAM cap**
-(that's why `cc-nix-test`→2 GB first); **destroy the throwaway VM when done**; never touch other
-projects/instances; live-memory changes need stop→set→start (hotplug times out — see memory).
+and [[cc-ci-vm-incus]]. Guardrails: only `terraform-ci`; keep total running RAM within the **~12 GB
+guideline** (doc-only — terraform-ci has no enforced `limits.memory`; b1 is 16 GB physical) — hence
+`cc-nix-test`→4 GB + throwaway 4 GB + lichen-staging 4 GB = 12 GB; **destroy the throwaway VM when
+done**; never touch other projects/instances; live-memory changes need stop→set→start (hotplug times
+out — see memory).
 
 ---
 
 ## 5. Method (ordered; each milestone ends with an Adversary gate)
 
-1. **W1 — Headroom.** Resize `cc-nix-test` 6 GB→**2 GB** (stop→set→start) to fit a ~6 GB throwaway VM
-   under b1's budget. *Accept:* b1 has room; cc-nix-test still healthy at 2 GB (no heavy recipe CI
-   runs during 1c). *(Note: restore sizing in W6.)*
+1. **W1 — Headroom.** Resize `cc-nix-test` 6 GB→**4 GB** (stop→set→start) so a **4 GB** throwaway VM
+   fits within the ~12 GB running guideline (4 + lichen 4 + throwaway 4). *Accept:* b1 has room;
+   cc-nix-test healthy at 4 GB (avoid heavy recipe CI during 1c). *(Final sizing decided in W6.)*
 2. **W2 — Repo split + secrets into git.** Create the private `cc-ci-instance` repo; move instance
    specifics + all secrets (incl. the **wildcard cert+key**, read from `/var/lib/ci-certs/live`) into
    sops there; wire the base flake to consume it (flake input). *Accept:* `nixos-rebuild build` of the
    restructured config is **byte-identical** to the running system (zero drift), and `cc-nix-test`
    `nixos-rebuild switch`es cleanly onto the new structure with TLS still served from the git cert.
 3. **W3 — Throwaway VM.** Create a blank NixOS VM in `terraform-ci` (the incus-base image), sized
-   ~6 GB. *Accept:* VM reachable; bootstrap age key provisioned by the documented mechanism only.
+   **4 GB**. *Accept:* VM reachable; bootstrap age key provisioned by the documented mechanism only.
 4. **W4 — Reproducible live rebuild.** On the throwaway VM: clone base+instance, `nixos-rebuild
    switch`, watch oneshots converge, secrets+cert decrypt. *Accept:* system fully up with **no step
    outside `docs/install.md`**; capture evidence.